If you’re recruiting candidates in Europe, you have until May 25, 2018, to familiarize yourself with the coming GDPR changes and prepare a strategy for tackling them: planning and implementing the solutions needed to comply with the regulation’s requirements. Otherwise, you could face non-compliance issues as a result of not following those requirements.
Here’s a look at GDPR, the implications of non-compliance, and how organizations can prepare to meet the requirements of the updated regulation.
What GDPR Is
Adopted by the European Parliament in April of 2016, the General Data Protection Regulation requires businesses to protect the personal data and privacy of European citizens for transactions that occur within European states. Personal data includes names, photos, email addresses, bank details, posts on social networking websites, medical information, or even a computer IP address.
In addition, the GDPR regulates the exportation of personal data outside of the European Union, so understand how this impacts your global business. Essentially, whether or not you are physically located within the European Union, GDPR impacts your organization as long as you are processing and storing personal data of individuals who live there.
Key Changes to GDPR
The key changes of the GDPR include the following:
- Increased Territory — GDPR applies to the citizens of the European Union, and it does not matter whether your organization is located in Europe or elsewhere.
- Increased Penalties — There is a tiered approach to fines, but organizations that are non-compliant face increased penalties, both financial and reputational.
- Heightened Consent Regulations — No more gray area with obtaining consent. Organizations have to clearly request consent from users for data collection.
- Mandatory Violation Notification — A violation of data privacy must be reported within 72 hours, and all customers have to be notified as well.
- Right to Access — Organizations must provide information on personal data processing to any users falling under GDPR. Additionally, you have to provide those users with a copy of the personal data for free.
- Right to Be Forgotten — Users have the right to ask organizations to erase their personal data, no questions asked.
- Systems Designed for Data Privacy — Organizations must implement systematic changes designed to protect data privacy, and may only process data as needed to complete the necessary tasks, withholding access from those who don’t need it.
- Appointing Data Protection Officers — Aside from internal recordkeeping requirements, some organizations will be required to appoint a Data Protection Officer if the core business activities revolve around data collection and systematic monitoring.
Here’s What Can Happen If You Don’t Comply
According to a global research report from Ovum, two-thirds of businesses expect to have to change their global business strategies to accommodate new data privacy regulations, and over half of businesses think they will be fined due to the pending GDPR in Europe.
Whether or not you prepare for the GDPR changes, know what can happen if you are inadvertently or purposefully non-compliant. Here’s a look at the implications:
- You could be fined up to $20 million or 4 percent of global sales.
- Claims for compensation will become significantly easier.
- GDPR regulators will require you to cease the processing of personal data that violates the regulation.
- For all data violations, the Information Commissioner’s Office must be notified within 72 hours.
Aside from the financial repercussions, organizations can face a blow to their employer brand and reputation, hurting their ability to be successful in the European states.
Prepare for GDPR Changes Now
Even though the updates to the GDPR won’t impact your organization until May of 2018, you should take proactive steps to prepare now so you greatly reduce or eliminate your risks of non-compliance.
Here are some areas you should take a look at first:
- Put Together Your GDPR Plan — Take the time to read through the GDPR and its updates, and prepare a plan that addresses how your organization will ensure each GDPR requirement is met.
- Determine Appropriate Solutions — If your organization is recruiting candidates and accepting resumes and other personal data from European citizens, figure out how to comply with the GDPR requirements for collecting personal data and properly protecting it.
- Implement Solutions Now — An example: you have to obtain consent to process a candidate’s personal data. This can be as simple as displaying a Cookie Policy banner at the top of your career site that lets users agree or decline to your collecting their data and storing it in a secure database.
- Work Out Issues Prior to the Updated GDPR — By putting together a plan, figuring out solutions that adhere to the GDPR requirements, and implementing those solutions now, you’ll be better equipped to work out any non-compliance issues before the regulation updates become effective.