GDPR stands for General Data Protection Regulation. It is a new EU law that will replace the current Data Protection Directive (95/46/EC) when it applies from 25 May 2018. GDPR sets out stricter requirements for collecting and processing personal information and gives individuals more rights over their own data. Organisations found to be contravening it face considerable fines: up to €10m or 2% of worldwide annual turnover (whichever is higher) for the lower tier of infringements, and up to €20m or 4% for the most serious ones.
Yes, GDPR applies to you if your business is established in the EU, or if you are established elsewhere but process personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour. The regulation's scope therefore extends EU rules well beyond EU boundaries.
Many assessment processes involve collecting personal data. GDPR will add constraints on what sort of candidate data is collected and how that is done, and the way you store that data will also need to be managed carefully under the new rules. In addition, your candidates will have stronger rights to access their data and to request its erasure, subject only to the specific exceptions the regulation allows.
When collecting data, you will need to be clear about what you are going to use it for, and you will only be able to collect data that is 'necessary' for that purpose (the data minimisation principle). If a piece of data is not clearly connected to, for example, an employee's role within your business, it will be harder to justify keeping it.
GDPR will mean you can only retain personal information for as long as it is needed, and you can only use it for the purpose for which it was acquired. This will have an impact, for instance, on recruitment data. You should consider whether it is appropriate to retain the data of people you do not hire; if it still has a purpose and you want to retain it, document the reason and the retention period. It also means you will need to be careful about data belonging to employees who leave your organisation. The main exception is data kept for archiving, research or statistical purposes, which may be retained longer, subject to appropriate safeguards such as anonymisation or pseudonymisation.
When GDPR applies, you will have to document where and how you store and process your data, as well as who has access to which data. It is important that you make clear to employees that they can access the data you hold on them at any time, and that you are able to respond to such a request within the one-month period the regulation sets. You will also need to document your storage and access procedures, as well as having a clear process for deletion.
One of the key purposes of GDPR is to keep data safe. You will need to be able to demonstrate that your policy for handling and storing data is robust and secure. This extends beyond what you do within your organisation, so do not forget about your sub-contractors: any third party that processes personal data on your behalf is a processor under GDPR. You should evaluate their security arrangements and put in place a written data processing agreement, as Article 28 requires, before they handle personal data for you.
These changes will have an effect throughout organisations, so your HR team will not be going it alone. The challenge for those in people management is that it can be difficult to balance protecting people's privacy with getting the job done. Some major changes may be needed, but by getting ready now you can be confident you will be compliant when the new legislation applies.
At Cubiks, our online systems already treat all data in accordance with the current EU directive, whether or not data subjects are EU citizens. In the process of gaining our ISO 27001 accreditation, we took further measures around data protection and security.
However, just as it does for every other business, GDPR has significant implications for Cubiks. We began preparations last year with an audit that led us to review our practices around processing and storing personal data. We are now updating our IT platform, finalising a new data agreement and rolling out a training programme for the whole team. By implementing changes in how we collect, store and provide access to our data, we can ensure we are fully compliant and will be able to help our customers be compliant with GDPR by 25 May 2018.