May 25th is fast approaching and there’s no doubt every HR department, along with their colleagues in IT, is in the throes of ensuring the company meets the GDPR standards. We’ve looked at one specific area, your employee referral programme, to help you ensure you remain compliant with the latest regulations. We’ve identified 7 tasks to look at:
People handing in CVs will no longer be appropriate. When collecting data you will be required to ask for permission to use it. An employee handing in a friend’s CV for consideration is not direct consent from the person applying for the role. You’ll need to do a couple of things to stay compliant. First, email the candidate to ask for consent to use their information and to explain how you intend to hold it. Second, digitise the CV and shred the original, so that personal data isn’t left sitting on a desk.
You must have appropriate levels of security for any data you store. This includes encryption and access controls. Again, a CV left on your desk is not secure. As the company representative, which makes you a data controller under the legislation, you are fully responsible for protecting candidate data and using it lawfully.
Emailed CVs: If an employee emails you a CV, or if they pass on your email address and the candidate applies directly to you, you should always reply with an email acknowledging their CV and explaining how you intend to use the information. GDPR requires you to tell someone that you are collecting their data and how you are going to use it.
Data breaches must be reported to the affected people. They must be informed, within 72 hours, of how the data breach may affect their personal information.
You have to give candidates the opportunity to request that you stop processing their personal data. In that instance, you must locate every place you are holding their information (e.g. in the HireUp referral app, an ATS or a spreadsheet) and delete it within one month of their request.
Building a talent database. Keeping historical records of candidate information, for cases such as future job vacancies, is not legal under GDPR unless you have specifically made it clear to the candidate that you will hold their information for a further set period of time and have allowed them to request that it is not kept.
GDPR will apply to any data already held, so quickly review your current databases, spreadsheets, physical documentation etc. to ensure it is deleted if not compliant, or go back to the individuals whose data you hold and request to keep it for a specific time. It’s a great time to do a full cleanse of your database so you only hold relevant candidate information.
There’s certainly plenty to consider to become GDPR compliant so it’s worth automating what is invariably a manual programme to avoid any future difficulties.