Disclaimer: I am not a lawyer, so the opinions in this blog are solely mine. They are based on things I have learned about the GDPR and are intended for informational purposes only.
Much has been made lately (including on this site) of the impending European Union General Data Protection Regulation (GDPR) that is scheduled to go into effect on May 25, 2018. SAP SuccessFactors has done a fantastic job of adding functionality and communicating its efforts to customers over the last several months. While you are hopefully working diligently on your GDPR policies and procedures for your HCM systems, it’s important to remember how the GDPR could affect other processes and software solutions. In this blog, I will take a look at how your recruiting processes could be impacted.
GDPR in a nutshell
Before we discuss recruiting, I want to share a brief overview of GDPR. The GDPR is not the first data protection regulation of its kind. In fact, it is replacing the current Data Protection Directive 95/46/EC that has become outdated due to changes in technology and business practices since its inception.
The GDPR is meant to harmonize country-specific data privacy laws and to come up with a uniform procedure for how businesses collect, use and maintain personal data from EU citizens. This harmonization is also intended to make it easier for companies outside the EU to comply since it will be one standard, rather than standards that differ from country to country.
At the heart of the GDPR is the intent to allow EU citizens to have control over their personal data and to make it very clear whether or not they consent to how their data is used and stored. Consent is a major part of GDPR and will have implications beyond just core HR systems like Employee Central.
Recruiting and the concept of Consent
Much of the discussion about GDPR that I have seen from partners and audit firms has focused on employee personal data. That is obviously a key to understanding GDPR. However, there are many elements of GDPR that will impact recruiting processes, too. Consent is one of them.
In her recent iXerv CloudCast webinar, SAP’s Kim Lessley outlines the core principles of the GDPR, so I won’t rehash them here. However, a topic that is critical to understand is that of “consent”. Under the GDPR, recruiters and employers will need to obtain clear consent from job candidates in order to use their data for recruitment processes. This is important to understand because some people outside of the EU mistakenly believe the GDPR is solely related to employee personal data.
Recruiters will now need to request consent from candidates in a very thorough and clear manner. They will also have to explain in clear language exactly how the data is to be used and for how long. It must be active consent. In other words, pre-ticking checkboxes is no longer allowed. You cannot assume consent or source data for recruiting processes via social media. The practice of burying consent terms and conditions in legalese that no candidate will ever read is also no longer allowed.
Recruiters should actively review their consent processes to ensure that they are compliant. “But what if we don’t recruit in the EU?” you ask. Remember that this regulation currently applies to EU citizens and their data. If you feel entirely comfortable that you will never receive an applicant from the EU, then you may breathe a little easier, but I don’t know many organizations that can safely make that assumption if the threat of fines exists.
The other side of Consent
While obtaining consent is required by GDPR, so is the right for a candidate to access or review their own data on demand after they have consented. Additionally, the GDPR provides employees and candidates with the “right to be forgotten”. This means that a candidate has the right to request that you permanently erase all of their personal data when it is no longer needed – or at any time they choose.
The implications of the right to be forgotten are too many to be covered here, but your brain is probably already running through scenarios and impacts. Consider regulatory reporting on applicants, for example. How do you maintain accuracy in reporting if data has been permanently erased? What if a candidate was deemed unsuitable for hire and chooses to have their data removed after the rejection? How will you track the candidate’s past history?
Include recruiting processes in your GDPR preparation
This blog is meant to raise questions and to provide inspiration for companies to be thorough in their GDPR preparation. If your company and Data Protection Officer haven’t yet actively engaged with your recruiting processes, time is growing short. As for some of the other questions raised here, time will tell how the GDPR is interpreted in actual practice. Stay tuned.