In the vast sea of unanswered, unsolicited and red-flagged emails inundating our HR inboxes (from job applications to recruiter approaches), it’s easy to assume that the days of following GDPR regs have come to an end. Whilst the initial fervour around having to ‘opt-in’ to any communications may seem like a thing of the past, rest assured that when it comes to HR, GDPR compliance should definitely still be on your radar.
According to the ICO (Information Commissioner’s Office) website:
Whilst EU GDPR is an EU Regulation and no longer applies to the UK, if you operate inside the UK, you need to comply with the Data Protection Act 2018 (DPA 2018). The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR – so, in practice, there is little change to the core data protection principles, rights and obligations.
Source: ICO Website
There you have it. For HR Managers and in-house recruiters, GDPR should be an ever-present concern and the original rules and requirements still followed. While the limelight often shines on marketing teams and IT departments in discussions about GDPR, remember that HR functions handle a wealth of personal and sensitive data too – from employee records to job applications.
Fundamentally, GDPR compliance isn’t just about marketing campaigns or securing online transactions. It’s about safeguarding the personal information of individuals across all parts of your business operations, including your workforce (and potential future workforce). As such, it’s imperative for HR managers and recruiters to know their legal obligations to ensure compliance.
Understanding GDPR Regulations in Recruitment
When it comes to collecting personal data in recruitment processes, job applications, working-time records, payroll information, employee files, and maternity/paternity records all fall under the GDPR’s purview. Here’s a breakdown of the key considerations:
- Data Collection: You need to obtain explicit consent from candidates before collecting their personal data, clearly outlining the purpose and usage of the information. Make sure you add a tick-box consent option with a summary of this on your application forms or consider creating an auto-response email to applicants that confirms you’ve received their data and what you plan to do with it.
- Data Storage: Only retain necessary personal data for as long as required, adhering to specific retention periods outlined in GDPR guidelines (see below). Plus, consider where this information is saved – CVs kept in your inbox (or even those of the hiring manager) make it harder to remove data once the retention period has passed and are more open to spam attacks and phishing.
- Privacy Policies: Ensure that all employees, both current and prospective, are provided with up-to-date privacy policies detailing how their data is handled and protected. It’s a good idea to have regular training in place too, with specifics on how this impacts on HR and recruitment processes for anyone involved in these areas of the business.
Conduct a GDPR Compliance Audit
If you’re not sure how your current policies and processes compare, it’s a good idea to conduct an audit of your data practices. This includes reviewing the types of information stored, the reasons for retention, accessibility, accuracy, and security measures in place.
If you originally put plans in place when GDPR first came into effect, scrutinise whether these measures are still being followed and check whether data is being deleted and disposed of as it should be.
Find out what’s happening when requests come in from applicants or employees about their data, who receives these and how they are actioned.
Key steps to completing a GDPR compliance audit of your processes should include:
- Document Review: Assess all documents and data types held by the HR department (and others), identifying areas for improvement or potential risks.
- Data Management: Determine who has access to sensitive data, how it’s stored, how long it is kept for, and how it’s securely disposed of when no longer needed.
- Accuracy: Ensure that all data held is accurate, up-to-date, and relevant to the organisation’s operations.
Record-Keeping and Data Retention
One of the most common questions we’re asked is – how long can we keep records for? Here’s a breakdown of the main data you’re likely to be holding when it comes to your employees and how long to retain it for:
It’s a good idea to check out the latest Data Protection requirements on Gov.uk as these are regularly updated as things change.
GR Consulting’s Top Tips for GDPR Compliance in HR
- Implement robust data protection measures, including encryption and access controls.
- Provide comprehensive training to staff members on GDPR principles and compliance procedures.
- Regularly review and update privacy policies and data handling practices to reflect evolving regulations.
- Foster a culture of data protection and privacy awareness across the organisation.
- Consider penalties for non-compliance.
The last item may seem extreme, but remember that at an organisational level, non-compliance with GDPR regulations can result in hefty fines, damage to reputation, and legal repercussions. Depending on the severity of the violation, fines can amount to millions of pounds or up to 4% of the organisation’s global annual turnover.
In summary, GDPR compliance is not a one-time task but an ongoing commitment for HR managers and recruiters. By understanding the regulations, conducting thorough audits, and implementing best practices, organisations can navigate the complexities of GDPR while safeguarding the privacy and rights of their employees and candidates.
If you’d like to learn more about your company’s or HR team’s GDPR compliance requirements, get help with an audit or put best practice data protection processes into place, please get in touch with the GR Consulting team to find out how we can help you.