The hot topic of the moment is GDPR. Due to come into effect in May 2018, GDPR, or the General Data Protection Regulation, was created by the European Parliament, the Council of the European Union and the European Commission with the aim of increasing data protection for all individuals' data inside the European Union and (post Brexit) the United Kingdom.
There is much uncertainty over GDPR from the ICO regarding enforcement, due to a lack of clarity regarding consent for data collection; however, we feel that if you follow the simple guidelines set out in the GDPR, your business will be operating on the right side of the legislation.
The main points are as follows:
- Data security
- Intrinsic privacy
- Data processing transparency
- Data access and portability
- Right to be forgotten
- Data breaches
I will go over each of these main points separately and explain how they might affect your online recruitment platform.
Data security
Security of data should be the number one priority of any business. When a user enters information on your website, they do so with the expectation that your website and associated systems will keep their data secure. Unfortunately this notion seems to have been lost over the years to poor, low-quality plugins and modules created by developers more intent on making a quick quid than on writing secure code and building a sustainable product. The only one that suffers from this is you, the recruiter, because the buck stops with you if there is a data breach: it is you and you alone who has to report the breach, who gets the fine and who loses any credibility you had with both candidate and client when one of these inevitable breaches occurs. How can you mitigate your risk? I hear you asking! You can mitigate your risk by choosing your recruitment partner wisely, assessing their product and asking questions. For example, here is a recent search (November 2017) of https://wpvulndb.com/ for the popular CMS WordPress and its associated plugins and themes: it shows 9,256 vulnerabilities. Many so-called recruitment website developers use this system, its themes and plugins to create your website, so the chances are pretty high that there is already an attack vector in your website which could lead to a data breach. Two of the major data breaches in 2017 were on websites running WordPress themes and plugins; these were big companies with large IT departments, so if it can happen to them it can happen to you!
Intrinsic privacy
Privacy is the bedrock of the GDPR, and keeping candidate or user data secure (as above) and restricted to a subset of your employees is pivotal to your GDPR policy. Locking prying eyes out of sensitive data is integral to maintaining an auditable paper trail for the ICO.
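One way to put "restricted to a subset of your employees" and "an auditable paper trail" into practice, as an added example that is not code from the original post: a field-level policy per role, deny by default, with every read attempt (allowed or denied) written to an audit log. The roles, the field names and the sample candidate record are assumptions made up for the illustration.

```python
"""Least-privilege access to candidate records with an audit trail.

Added example, not from the original post. Role, FIELD_POLICY, CandidateStore
and the sample record are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List


class Role(Enum):
    RECRUITER = "recruiter"   # works the candidate's application
    ADMIN = "admin"           # platform administration
    MARKETING = "marketing"   # must never see candidate records


# Fields a role may read. Anything not listed (e.g. internal "notes") is
# withheld from everyone, so the default is "no access", not "everything".
FIELD_POLICY = {
    Role.RECRUITER: {"name", "email", "phone", "cv_url", "work_history"},
    Role.ADMIN: {"name", "email"},
    Role.MARKETING: set(),
}


@dataclass
class AuditEvent:
    when: str
    actor: str
    role: str
    candidate_id: str
    fields_released: List[str]
    outcome: str   # "allowed" or "denied"


class PermissionDenied(Exception):
    pass


class CandidateStore:
    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}
        self.audit_log: List[AuditEvent] = []

    def add(self, candidate_id: str, record: dict) -> None:
        self._records[candidate_id] = dict(record)

    def read(self, actor: str, role: Role, candidate_id: str) -> dict:
        """Return only the fields `role` is entitled to; log every attempt."""
        allowed = FIELD_POLICY.get(role, set())
        record = self._records.get(candidate_id)
        # Unknown ids are treated like forbidden ones so the response does
        # not reveal whether a record exists.
        if record is None or not allowed:
            self._log(actor, role, candidate_id, [], "denied")
            raise PermissionDenied(f"{actor} ({role.value}) may not read {candidate_id}")
        view = {k: v for k, v in record.items() if k in allowed}
        self._log(actor, role, candidate_id, sorted(view), "allowed")
        return view

    def _log(self, actor: str, role: Role, candidate_id: str,
             fields: List[str], outcome: str) -> None:
        self.audit_log.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(),
            actor=actor, role=role.value, candidate_id=candidate_id,
            fields_released=fields, outcome=outcome))


def demo() -> CandidateStore:
    """Three reads by three roles; returns the store so the log can be inspected."""
    store = CandidateStore()
    store.add("cand-001", {   # constructed sample record
        "name": "A. Candidate", "email": "a@example.invalid", "phone": "000",
        "cv_url": "/cv/cand-001.pdf", "work_history": ["Example Ltd 2015-2017"],
        "notes": "internal recruiter notes",
    })
    store.read("jo", Role.RECRUITER, "cand-001")
    store.read("sam", Role.ADMIN, "cand-001")
    try:
        store.read("pat", Role.MARKETING, "cand-001")
    except PermissionDenied:
        pass
    return store
```

The audit log records who asked, which fields were actually released and whether the request was refused, which is the trail you would hand to the ICO; in a real platform it would be written to append-only storage rather than a list in memory.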
Data processing transparency
As far back as I can remember, recruitment websites and job boards have collected as much data from candidates as possible, with a very wide remit for how they intend to use or process that data. They have shamelessly sold that data on to third parties, burying notification of this deep in their terms and conditions. With GDPR this will now be stopped by means of data processing transparency. As a recruiter or job board you are now obliged to explain to the candidate in clear terms why you are collecting their data and what you intend to do with it. You are also obliged to notify the candidate of ALL third parties to whom you may send the data, including ATS systems and third-party CRM systems. On top of this, you also need confirmation from the aforementioned systems that they are GDPR compliant and intend to treat the user data you send them with the same respect, including its security. Knowingly sending data to a third party who is not GDPR compliant will likely result in a large fine.
Data access and portability
The GDPR also sets out criteria for users accessing the data held on them and being able to export it in a format easily interchangeable between platforms. In layman's terms this means that you must have a section on your website, or an easy path, for a user to view and download the data you hold about them. The download needs to be in an interchangeable format; a few formats spring to mind here: JSON, XML and CSV, plus any of their resumes you might store. Currently the law allows a £10 charge for this service; however, GDPR will abolish this cost and thus access requests will certainly rise. Also noteworthy is that under GDPR you will have to respond with the data within 30 days of the request.
Right to be forgotten
One of the main problems with a company holding users' data is enabling them to have it removed from the company's database(s) and systems. Until now there has been no clear mandate that might force a company to perform this procedure, in part due to ambiguity over data ownership once the data hits the company's systems and infrastructure. Fortunately GDPR removes the ambiguity and states quite clearly that users have the right to be forgotten. This means that your system must allow a user to submit a form or contact you to be processed out of your platform and forgotten forever; failure to do this will likely result in a large fine. There are circumstances in which you can refuse to comply with the right to be forgotten; you can view these at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
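The export and erasure paths described under Data access and portability and Right to be forgotten, as one added example (not the author's code): it gathers everything held on a candidate across several stores, produces JSON and CSV downloads, computes the 30-day response deadline from the request date, and carries out an erasure that leaves only a minimal receipt. The in-memory stores, the record layout and the function names are assumptions.

```python
"""Subject access export and right-to-erasure handling.

Added example, not from the original post. The in-memory stores, the
candidate record layout and the function names are assumptions.
"""
import csv
import io
import json
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample data: the kind of tables a recruitment platform holds
# about one candidate, each keyed by candidate id.
PROFILES: Dict[str, dict] = {
    "cand-001": {"name": "A. Candidate", "email": "a@example.invalid",
                 "registered": "2016-03-01"},
}
APPLICATIONS: Dict[str, List[dict]] = {
    "cand-001": [{"job_id": "job-17", "applied": "2017-10-02", "status": "interview"},
                 {"job_id": "job-23", "applied": "2017-11-14", "status": "submitted"}],
}
RESUMES: Dict[str, List[str]] = {"cand-001": ["/cv/cand-001.pdf"]}
ERASURE_RECEIPTS: List[dict] = []

RESPONSE_WINDOW_DAYS = 30   # the post's figure for answering an access request


def response_deadline(requested_on: str) -> str:
    """Latest date (ISO) by which an access request made on `requested_on` must be answered."""
    due = date.fromisoformat(requested_on) + timedelta(days=RESPONSE_WINDOW_DAYS)
    return due.isoformat()


def collect_subject_data(candidate_id: str) -> dict:
    """Gather everything held on the candidate across every store."""
    if candidate_id not in PROFILES:
        raise KeyError(candidate_id)
    return {
        "profile": PROFILES[candidate_id],
        "applications": APPLICATIONS.get(candidate_id, []),
        "resume_files": RESUMES.get(candidate_id, []),
    }


def export_json(candidate_id: str) -> str:
    """Machine-readable export suitable for moving to another platform."""
    return json.dumps(collect_subject_data(candidate_id), indent=2, sort_keys=True)


def export_csv(candidate_id: str) -> str:
    """Flat CSV: one row per application, with the profile columns repeated."""
    data = collect_subject_data(candidate_id)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "email", "job_id", "applied", "status"])
    writer.writeheader()
    for app in data["applications"]:
        writer.writerow({"name": data["profile"]["name"],
                         "email": data["profile"]["email"], **app})
    return buf.getvalue()


def erase_candidate(candidate_id: str, requested_on: str) -> dict:
    """Remove the candidate from every store and keep a minimal receipt.

    The receipt holds only the internal id and counts, no personal data, so
    the platform can evidence later that the erasure was carried out.
    """
    if candidate_id not in PROFILES:
        raise KeyError(candidate_id)
    removed = {
        "applications": len(APPLICATIONS.pop(candidate_id, [])),
        # Only the references are dropped here; a real system must also
        # delete the resume files themselves from storage.
        "resume_files": len(RESUMES.pop(candidate_id, [])),
    }
    del PROFILES[candidate_id]
    removed["profile"] = 1
    receipt = {"candidate_id": candidate_id, "requested_on": requested_on,
               "erased_on": date.today().isoformat(), "removed": removed}
    ERASURE_RECEIPTS.append(receipt)
    return receipt
```

The important design point is that both paths walk every store the platform keeps, not just the profile table: an export that omits the applications history, or an erasure that leaves resume files on disk, does not meet the obligation the post describes. Backups and third-party copies (the ATS and CRM systems mentioned above) need the same treatment and are outside this snippet.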
Data breaches
Data breaches must now be reported to the relevant governing body (normally the ICO) within 72 hours, provided they meet certain criteria. The following quote from the ICO website explains this best:
"You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage."
Taking this into account, and given the nature of candidate data (it includes a lot of history regarding the candidate which may be used to commit identity fraud), you will most likely have to notify the candidate(s) directly, plus the relevant governing body, following a data breach on your recruitment website.
Is your current platform ready for these changes? Can it cope with these changes before they come into effect in May 2018? My suggestion is that you contact your developers and talk to them asking them to explain the ways they implement or intend to implement the main points of GDPR and if you get stuck give us a call, we’ll happily explain the ways we already implement all of the above points and for the most part have been implementing them for years!
For more information on GDPR from the ICO website, you can visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/