By Steve Richards, DaXtra Product Development Manager & Group DPO
After years of anticipation, it’s hard to believe May 25, 2018 – the day the EU’s General Data Protection Regulation (GDPR) will take effect – is just a few weeks away. Some of us in the recruitment industry are well prepared, while others still have their heads in the proverbial sand. Either way, GDPR is a big deal, with some commentators labelling it “the biggest shakeup in the history of online privacy regulations.”
While it’s true that GDPR, like any new regulation, will inevitably create more paperwork, what’s often overlooked is that it is overwhelmingly a force for good in the recruitment industry.
To put it in simple terms, GDPR is the advent of a new era of accountability for those of us tasked with managing sensitive candidate data – and the overall effect should be a net-gain of trust and productivity for the recruitment industry.
How so, you ask? Well, for starters GDPR should help put candidates at ease. They should feel less afraid that a dishonest and self-serving company is going to misuse their data or violate their privacy. And on the other side of the equation, GDPR should help recruiters become more confident that they aren’t crossing red lines and opening themselves up to legal liability.
Explicit consent is the new normal - globally
First, let’s summarise why GDPR matters globally, even though the regulation originated in the EU.
One way to understand GDPR is that the EU is simply trying to strengthen privacy protection laws in a manner that fits the wild, untrammeled nature of the digital economy.
As we all know, information sharing via the Internet and other digital devices has exploded over the past decade, but privacy laws are struggling to keep up, leaving many of us in the dark about how our digital fingerprints are being monitored, packaged, and sold.
GDPR will impact all firms handling data from EU citizens and businesses, even if those firms are operating outside of the EU. The regulation also protects the privacy of persons living in the EU – even though they might not be EU citizens. You get the point: it’s best to approach GDPR as a global, rather than an EU-only regulation.
Nowadays, there seems to be a globally-relevant data scandal on the front pages on a weekly basis. The recent fiasco at Facebook comes to mind as the most high-profile breach in recent weeks. The social media giant is accused of inadvertently allowing data research firm Cambridge Analytica to access data from millions of users without their consent, unleashing global condemnation and an appearance in front of US Congress by Facebook founder Mark Zuckerberg.
While certainly not a cure-all, GDPR should help recruiters and RecTech firms avoid similar quagmires. The regulation will nudge recruiters to constantly justify how they collect data and to stay transparent about how they intend to use what they collect. Candidates will have to grant consent before recruiters use their data, and they will also have the right to request that recruiters delete their data upon request.
With GDPR, explicit – rather than passive – consent is the new normal.
Illustrating a new level of consent for candidate data use after GDPR
Burden of the data controllers
In this new GDPR-compliant world, the biggest onus is on recruiters – or, “data controllers” – who now, among other responsibilities, must ensure candidates grant written permission to share their data. Gone are the days when recruiters could freely share candidate data with a potential employer or ask a candidate to quickly tick the box on a 20-page T&C document.
Meanwhile, RecTech providers such as DaXtra – or, “data processors” – must demonstrate that all candidate data we receive is above board and that our software is GDPR compliant.
Of course, that’s easier said than done, given the volume of CVs we process. Moving forward, we will have contracts with our suppliers that affirm all data we process is GDPR compliant.
No policy or regulation is 100 percent fail proof. But from here on out, we will all have to audit and document our processes and always be prepared to show regulators that GDPR compliance is embedded in the DNA of our workflows.
Data controller vs. data processors
The role of RecTech firms
What does all this mean for RecTech firms? Well, at DaXtra, we’re busy ensuring our business is GDPR ready. This should make the compliance burden easier for our clients, whether recruitment agencies or HR departments.
The GDPR-related investments we are making across our entire product suite is our bet that demands for greater data privacy will continue to increase amongst all our clients in every market we serve, from Europe to North America to Asia.
Hopefully these improvements will foster trust among our clients, creating a positive feedback loop in which both clients and candidates can rest easy that privacy breaches are a thing of the past.
It goes without saying that GDPR compliance will create a few headaches. But the good news is a new era of accountability is upon us. We know all too well the outrage that ensues when our data is misappropriated. With GDPR in effect we’ll become more adept at avoiding data breaches and similar reputation-destroying fiascos in the future.