It all started in the banking and finance sector. First it was Sarbanes-Oxley and the Basel Accords, standards/regulation/legislation gleefully bestowed on companies to become compliant with.
Now it’s the European Union’s GDPR, aka the General Data Protection Regulation. If you haven’t heard of it by now, well, you’re probably out there enjoying life, not bothered by this Britannica-sized piece of legislation impacting the world.
“Oh, it’s not just for those in the EU?” you might be saying to yourself. Damn straight. If you’re an employer collecting personal data on an EU citizen, then GDPR is your new friend. And if you don’t comply, be prepared to go bust. With fines of up to EU$20M or four percent of annual worldwide turnover, it pays to take notice!
So what on earth is all this about? Well, the Zuck (Mark Zuckerberg) was recently grilled on data privacy in the wake of his company’s recent scandal. And that’s exactly what this is about: data privacy for EU citizens.
So who needs to be compliant?
- If you are an Australian business with EU based operations, selling goods and services or collecting personal data… yep… you sure do;
- If you are an Australian business with no overseas offices, but selling goods and services and/or collecting personal data on an EU citizen… well… yes, you sure do;
- If you are an Australian business, using offshore data processing centres collecting data on EU citizens… BANG.. yep this includes you too.
So basically, if you are an employer here in Australia and someone from the EU applies to a role you have advertised, OR your Sourcing team is putting together a list of EU people to contact in relation to a position, then YOU TOO must be GDPR compliant.
What do you need to know?
- There are two types of parties in all this: Data Processors and Data Controllers.
A Data Processor – for our purposes, might be the HR software (recruitment system) we are using to collect information, such as online psychometric assessments, reference checking services, onboarding software, or recruitment marketing software, to name a few.
A Data Controller – is typically the company/employer using the services of a processor. The Data Controller is the entity that is responsible for GDPR compliance. The Data Controller should control what data is collected, how it is stored, how it is deleted/archived, and how the data is used.
- Opt-in, not Opt-out. If you are collecting information on EU folks then you need to ensure they tick the box to Opt-in. Back in the day you used to have to tick the opt-out box because you were automatically in; well, GDPR reverses that. This means making individuals aware UPFRONT that their data is going to be collected, and they must give consent to this before moving forward. As for people in your existing database, you will need to seek fresh consent if their information was obtained via a process that is not in line with the GDPR requirements.
- You need to make it relatively easy for individuals to contact a Data Privacy Officer to query their details and have them removed.
- Your Sourcing team is developing a list of prospects using various techniques to collect information on individuals. The information is stored on your ATS or CRM. You are obligated to reach out to these people, state your intended purpose and request they opt in to their data being used for this purpose. Should they agree, you need to make note of this somewhere (hopefully in the ATS/CRM). Should they disagree then you will need to remove their details from the system completely within an agreed time period*.
- You have LinkedIn Recruiter, and your recruiter approaches someone using their LinkedIn Recruiter Seat. The LinkedIn Member will have already opted in, so there is likely to be no issue, unless the member requested not to be contacted about jobs. If, however, you export the details into your ATS/CRM, then you will need to get the individual to opt in to retaining their details for a specific role.
- You’re using various screening tools which integrate with your ATS. You only require the following information from the software provider to pass between your ATS and their tool: Candidate Email, First Name, Surname, Unique ID. You find out that the software provider (data processor) is sending additional information not required by your ATS (data controller), such as a Phone Number, Middle Name, and Date of Birth. As the data controller you need to ask the data processor to remove the additional data, which they must do. YOU SHOULD DEFINITELY BE CHECKING what data is currently flowing between your integrations.
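The integration check above is something you can automate rather than eyeball. The following is an added example (not code from the original post or from any ATS vendor): it compares each record a screening tool sends back against an allow-list of the four fields the post says are required, reports anything extra, and strips the extras before the record is stored. The field names, the sample batch and the phone numbers are constructed for illustration.

```python
"""Allow-list check for personal data flowing through an ATS integration.

Added example, not from the original post. The field names and the sample
payloads below are constructed; substitute the field names your own
integration actually uses.
"""
from __future__ import annotations

from typing import Iterable

# The only fields the ATS is meant to exchange with the screening tool
# (the four fields named in the post: email, first name, surname, unique ID).
ALLOWED_FIELDS = frozenset({"email", "first_name", "surname", "candidate_id"})


def unexpected_fields(payload: dict, allowed: Iterable[str] = ALLOWED_FIELDS) -> list[str]:
    """Return the sorted names of fields present in the payload but not on the allow-list."""
    return sorted(set(payload) - set(allowed))


def minimise(payload: dict, allowed: Iterable[str] = ALLOWED_FIELDS) -> dict:
    """Drop every field that is not on the allow-list before the record is stored."""
    keep = set(allowed)
    return {k: v for k, v in payload.items() if k in keep}


def audit_batch(records: Iterable[dict]) -> dict[str, int]:
    """Count how often each unexpected field appears across a batch of records,
    which is the evidence to take back to the data processor."""
    counts: dict[str, int] = {}
    for rec in records:
        for name in unexpected_fields(rec):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample of what the screening tool actually sent back.
SAMPLE_BATCH = [
    {"email": "a.example@example.com", "first_name": "Ana", "surname": "Example",
     "candidate_id": "C-1001", "phone": "+61 400 000 000", "middle_name": "Maria",
     "date_of_birth": "1990-01-01"},
    {"email": "b.example@example.com", "first_name": "Ben", "surname": "Example",
     "candidate_id": "C-1002", "phone": "+61 400 000 001"},
]


if __name__ == "__main__":
    for rec in SAMPLE_BATCH:
        extra = unexpected_fields(rec)
        if extra:
            print(f"{rec['candidate_id']}: processor sent unexpected fields {extra}")
    print("batch summary:", audit_batch(SAMPLE_BATCH))
    print("stored record:", minimise(SAMPLE_BATCH[0]))
```

Run this against a sample of real responses before the integration goes live and again after the processor says the extra fields have been removed; the batch summary is the list you hand them, and `minimise` is the safety net in case a field reappears later.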
Whether you are hiring a backpacker, an au pair, a tech geek, an Engineer, a Nurse or an Accountant from the EU, GDPR pretty much applies to you. If you’re not up to speed on it and you get caught with your pants down, not even the Fonz could bail you out on this one. GDPR is one big nasty pirate which could sink your ship.
* GDPR states that you can only retain someone’s details where they Opt In and for legitimate business purposes. Whilst someone may choose to Opt Out, I believe this is still a legitimate business purpose to retain their details. Why? Say you opt out and your details are deleted forever, what then stops your recruiter or Sourcer from contacting them again and again? I’d recommend retaining their details in a segmented part of the system which easily identifies that they had previously been approached and are not interested. I would then suggest advising the individual this would take place to prevent future approaches and get them to opt in again.
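The sourcing process described in the list above and in this footnote (record the opt-in against a stated purpose, treat legacy records as needing fresh consent, and on opt-out keep only a segmented do-not-contact marker rather than the full record) can be modelled as a small consent ledger. This is an added example, not code from the original post or from any ATS/CRM; the record layout, the purpose naming convention (`role:<id>`), the retention of the e-mail address as the suppression key, and the sample prospects are all assumptions made for illustration.

```python
"""Consent ledger for sourced prospects.

Added example, not from the original post. Models the post's process:
opt-in is recorded per stated purpose, records with no opt-in need fresh
consent before contact, and an opt-out wipes the personal details but keeps
a do-not-contact marker so the person is not re-approached. Keying the
suppression segment on a normalised e-mail address is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Prospect:
    prospect_id: str
    email: str
    name: str
    consents: dict[str, datetime] = field(default_factory=dict)  # purpose -> when given


class ConsentLedger:
    def __init__(self) -> None:
        self.active: dict[str, Prospect] = {}            # full records, by prospect id
        self.do_not_contact: dict[str, datetime] = {}     # suppression segment: email -> opt-out time

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def add_prospect(self, p: Prospect) -> bool:
        """Add a sourced prospect; refuse if they previously opted out."""
        if self._key(p.email) in self.do_not_contact:
            return False
        self.active[p.prospect_id] = p
        return True

    def record_opt_in(self, pid: str, purpose: str, when: datetime) -> None:
        """Consent is tied to the purpose stated when the person was approached."""
        self.active[pid].consents[purpose] = when

    def record_opt_out(self, pid: str, when: datetime) -> None:
        """Drop the personal details; keep only the suppression marker."""
        p = self.active.pop(pid)
        self.do_not_contact[self._key(p.email)] = when

    def may_contact(self, pid: str, purpose: str) -> bool:
        """Contact is allowed only for a purpose the person has opted in to."""
        p = self.active.get(pid)
        return p is not None and purpose in p.consents

    def needing_fresh_consent(self) -> list[str]:
        """Records in the database with no opt-in recorded for any purpose."""
        return sorted(pid for pid, p in self.active.items() if not p.consents)


def demo() -> ConsentLedger:
    """Constructed walk-through with three prospects."""
    ledger = ConsentLedger()
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed timestamp
    ledger.add_prospect(Prospect("P-1", "ana@example.com", "Ana Example"))
    ledger.add_prospect(Prospect("P-2", "ben@example.com", "Ben Example"))
    ledger.add_prospect(Prospect("P-3", "cy@example.com", "Cy Example"))  # legacy record, never asked
    ledger.record_opt_in("P-1", "role:SRE-2018-07", now)
    ledger.record_opt_out("P-2", now)
    return ledger


if __name__ == "__main__":
    ledger = demo()
    print("P-1 for the SRE role:", ledger.may_contact("P-1", "role:SRE-2018-07"))
    print("P-1 for another role:", ledger.may_contact("P-1", "role:other"))
    print("still need fresh consent:", ledger.needing_fresh_consent())
    print("re-sourcing Ben allowed:", ledger.add_prospect(Prospect("P-9", "Ben@Example.com", "Ben Example")))
```

The point of the two-segment layout is that the full record disappears on opt-out while the suppression check still fires when a sourcer finds the same person again, which is the behaviour the footnote argues for.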
Cover image: Shutterstock
Talent Acquisition (TA) is on the cusp of a new wave of innovation and the 12th Australasian Talent Conference will be shining the light on it – say hi to Artificial Intelligence (A.I.). Find out more here.