In short, absolutely. Although it may sound a bit like alphabet soup, it’s vitally important if you are doing business and/or recruiting in the European Union (EU) or the UK. GDPR, short for General Data Protection Regulation, is an EU law with the aim of protecting all EU citizens from privacy and data breaches by strengthening the protection of personally identifiable information (PII) and simplifying the regulatory environment for international business.
All entities doing business in the EU, or recruiting talent from there, must be in compliance with the GDPR law by May 25, 2018. At that time, all EU member states will be required to follow the same data protection laws and requirements, and you need to get your house in order prior to that date.
What Happens if You Ignore GDPR?
You get smacked with an enormous fine and it probably puts your job at serious risk.
“Breaches of some provisions by businesses, which lawmakers have deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, whichever is greater.” – The UK Register
Imagine having to walk into your CEO’s office and tell him/her that your company is about to be fined 4% of your revenue! That’s why you need to get smart on GDPR quickly and make sure that your recruitment software provider is moving quickly to ensure that you’re fully compliant before the deadline.
GDPR Does 8 Things for Data Privacy That You Need to Know
Here’s a quick overview of what GDPR includes and what it means for your recruitment strategy.
- Expands on the Definition of Personal Data: Expands on the definition of “personal data” beyond what was in the Data Protection Directive 95/46/EC. Under GDPR, the scope of personal data will include unique online identifiers, including IP addresses and mobile device identifiers, and geo-location data about a candidate/person.
- Enhances Individual Rights: Requires you to provide greater transparency to individuals about the data you are collecting—at the time of collection—and how that data will be used.
- Creates Direct Liability for Processors: Jobvite, or other recruiting software vendors, will now have direct obligations under the GDPR including implementing appropriate technical and organizational measures to protect personal data, notifying you of a breach, and appointing a data protection officer; that’s me at Jobvite.
- Imposes Organizational Requirements: Imposes several internal administrative compliance obligations for you and recruiting software providers, which include keeping documentation and records of activities and policies.
- Requires the Appointment of a Local Representative: Requires both you and recruiting software providers that regularly collect or process personal data from EU citizens on a large scale to appoint local representatives within the EU member states where you do business.
- Requires Data Subject Consent: Imposes new provisions codifying the ways that data is collected from individuals and requires their consent. Consent needs to be informed, specific, explicit, and in writing.
- Requires Prompt Reporting of Data Breach: Requires you to report a data breach to the GDPR authority when it “is likely to result in a risk for the rights and freedoms of the data subject,” and that must be done within 72 hours of the breach discovery.
Make Sure You’re Covered By May 2018
As the Director of Information Security, I’m leading the effort, and all Jobvite customers will be fully compliant prior to the deadline. We’ll provide frequent updates to customers on our progress, as we do with all important security and compliance-related information. Of course, this is in addition to other security initiatives underway, including SOC 2 and many others.
If you’re not using Jobvite, then pick up the phone and call your recruiting software partner right now and get concrete answers about how the company is addressing GDPR and when their software will be compliant. Do it like your job depends on it, because it does.