This month's blog contributor is regional committee member and Director of Careerwise, Mike Morrissey.
A very relevant topic for this month!
Here at CareerWise our guiding principle is to do the right thing because it is the right thing to do! This concept has guided our decisions since our establishment in 1999. It is this concept that has also guided our transition when it comes to GDPR.
Many professionals who look at GDPR see sanctions and headaches. We looked at GDPR as a chance for improvement. The purpose of GDPR is not to punish but to harmonise rights across the EU. It is to protect the individual but not at the expense of good companies.
By and large, GDPR can be daunting, and for some it may even be tempting to ignore the regulation and bury their heads in the sand. However, when you keep the purpose of the regulation in mind, rather than the possible sanctions, and take it step by step, you will begin to see the benefits.
Is compliance expensive?
You will see many adverts for products that can make you GDPR compliant. It is important to note that no product can do this on its own: compliance is about how your organisation handles personal data, and you cannot completely outsource it. What you need to determine is the course of action that suits your company, taking into account its size, its budget, its personnel, the complexity of its processes and so on.
Invest in your people first. A large share of data breaches are the result of human error. Proper training equips employees with the knowledge to do the right thing. Human error will always be a risk, but proper training limits the damage; for example, an employee who knows to report a lost device promptly gives the organisation the chance to act before the data on it is misused.
If you have always built Irish data protection law into your company's practices, then you already have a head start. This is a good opportunity to audit your pre-existing policies while implementing the changes that GDPR brings. Appointing a person responsible for data protection and ensuring that they attend relevant training days is a good place to start.
So, what did we do?
Our first step in ensuring compliance was to re-assess all our data streams and flows. Wherever personal data is involved, we asked ourselves the following questions:
- What was the purpose for which it was collected?
- Is this purpose still valid?
- Would the person be surprised if they learnt how we were processing their data?
Once we had determined this, we could risk-assess our processes to identify gaps.
Constant communication has always been a feature of our processes
The main thing that we kept in mind, at all times, was the need for transparency. A person has the right to know what we are doing with their data and why. Constant communication has always been a feature of our processes, but the need to document those communications on the client file, as GDPR requires, was reinforced to our employees.
For the processes which did have gaps, corrective actions were identified and implemented. Minor changes to our day-to-day operations allowed us to ensure that data privacy was built into every process.
We tightened our retention policies and updated our privacy policies. We opened a dedicated email address for data queries and put a process in place for handling every type of data subject request. Employees were trained in data privacy and in the updated procedures.
While this was a huge undertaking, we believe that it provided several opportunities to improve.
What did we learn from a recruitment perspective?
In recruitment we have this idea of CV ownership. While we always asked the person's permission to put their CV forward for a role, it was wrongly presumed that we then owned that CV. Often, clients would include a clause transferring CV ownership to them after a period of time. This has been an accepted practice in recruitment.
One thing is now obvious: there is no such thing as CV ownership. We cannot own that data because it is personal (and sometimes sensitive) data, and the rights over it remain with the data subject. We may have their permission to put the CV forward for a specific role; however, the client does not have the right to retain that information beyond that role. Ownership cannot pass from the recruiter for the simple reason that the recruiter is not the owner. Possession is no longer nine tenths of the law; consent is.
We also learnt to keep privacy embedded in all our actions. If it is maintained on a daily basis it becomes ingrained in our culture, and it then becomes second nature to our employees.
Consent can no longer be implied
The main thing we have learnt is that consent can no longer be implied merely from an email with an attached CV. A recruiter should reach out to that candidate, explain how the CV will be processed and obtain explicit consent for that processing. The same applies where a CV is submitted for a specific role: consent is in place only to process that CV in relation to that role, and any further processing (such as retention) requires explicit consent. This follows from the regulation's requirement that consent be given for a specific purpose. A recruiter can no longer take a PDF from LinkedIn or a jobs board without first contacting that person for consent to do so. This is good practice anyway, as it saves effort where a candidate is not particularly interested in leaving their current role.
We can no longer put policies and procedures in place and hope for the best. They need to adapt to our everyday environment and to changes in regulation.
GDPR is not a new concept; it harmonises existing laws across the EU and adds some improvements. For this reason, it is not something to be feared. It is manageable once you commit to a strategy and follow through! It does not have to be perfect the first time round; every procedure you implement will undergo a process of continuous improvement.
Best of luck, and remember: small deeds done are better than great deeds planned.
NRF COMMITTEE MEMBER SOUTHERN REGION