Patrick Amaral is the Chief Customer Officer of GR8 People, the enterprise platform that brings CRM, recruitment marketing, hiring and onboarding together. His extensive operations experience has helped facilitate smooth implementations for GR8 People customers in more than 30 countries around the world. Patrick's knowledgeable insights on GDPR are worth a read for those in talent acquisition looking for valuable and timely information.
What does GDPR stand for?
GDPR stands for General Data Protection Regulation. Its purpose is to bolster requirements that protect data subjects within the European Union (EU) from data and privacy breaches and strengthen rights around consent, access and control of information.
What are some of the implications for talent acquisition?
The core elements of GDPR focus on consent, transparency and access from the data subjects' perspective. For talent acquisition, we can think of data subjects as leads and candidates. With GDPR, for example, candidates should expect to be told in clear, simple, non-legalese what is going to happen with any data they opt in to share. They should know why their information is being collected, who it will be shared with, and how long it will be kept. Candidates also have the right to see their data and request that it be removed or forgotten from the company's systems.
Is there a deadline for companies to get their "recruiting house" in order?
It needs to start now. Technically, the guidelines for GDPR were released in April 2016, but enforcement, meaning the ability to levy fines and penalties, will take effect May 25, 2018.
If you could provide a "Top 5" list of what companies should focus on, how would you prioritize or offer advice?
Did I mention I'm not a lawyer? Here is a list of just some of what we know our customers are doing and will need to do to be compliant with GDPR:
- Know your talent acquisition data. Where are the repositories, what systems share the data, and who is your contact for each system and/or third party?
- Review the internal processes for responding to a delete request from a candidate. Run through all of the "what if" scenarios, including what if the candidate made the request in error.
- Review data privacy agreements to ensure they are easy to understand, transparent and complete. Additionally, don't forget to look at your existing leads/candidates. Think about the approach and messaging you will use to get them to opt in if they have not already done so.
- Educate your team on GDPR requirements. Knowledge is power when it comes to staying compliant. Every team member who interacts with leads/candidates should be aware of how data privacy rules have changed, the rights that leads and candidates now have, and how to respond to requests they may receive from this audience.
- Define your data retention policy. Be sure to consider how long you will keep candidate data before purging it and how that policy aligns with other data retention requirements you may already have.
What is GR8 People doing to adapt to these changes and ensure customers are compliant?
Technology can and should play a huge part in ensuring compliance. GR8 People is enabling GDPR functionality that includes:
- Hosting consent forms on any page where a lead/candidate can enter their profile, and blocking the upload of data if consent is not given.
- Automatic notifications sent to leads who are uploaded to the system, inviting them to opt in to receive further communication.
- Tools that allow site admins to purge records of data subjects who have asked to be forgotten.
- Access to information if a lead/candidate requests a copy of all their data.
- Auto-notifications alerting that data will be purged because of retention period requirements, coupled with an invite to the lead/candidate to log back in and extend their time in the system.
Any final thoughts on the impact of GDPR?
I imagine that this new focus on consent might challenge talent acquisition teams to report on a new data set of metrics that, for example, measure the engagement of leads. Reviewing the percentage of leads that have opted in, or the number of requests to be forgotten based on last contact with a user, will become important for driving change. Metrics such as these, like the regulations themselves, can help us all improve our overall performance and ability to recruit GR8.