Sticking to the Rules

HR Outsourcing

New EU data privacy rules will affect recruitment across borders. Here’s how to ensure compliance.
By Seb O’Connell

Imagine an employer receives a tip regarding a talented individual residing in Europe who might be a good fit for an open position at their organisation. The tip includes the individual’s name, mobile phone number, address, personal email address, and gender. The source did not receive express written permission to send this information, but was simply trying to do the employer—and the individual—a favour.

Or, as another example, someone in a U.K. organisation that operates across the globe has access to a database of contact information for employees worldwide. Staff from outside Europe also have access to this database to conduct regular business.

These situations take place regularly for global organisations, but in both of these examples, one might be at risk of non-compliance with the European Union’s new personal data privacy regulations—the consequences of which could be a fine large enough to bankrupt a company.

Ramifications of the EU’s New Privacy Rules

The European Union (EU) published an overhaul of its personal data privacy rules in May 2016, and each EU state is expected to write these rules into law by May 2018. Adherence to these rules is not negotiable. Regulators will be able to impose fines of up to €20 million, or 4 per cent of global annual turnover, for non-compliance.

This is more than just a European issue. It affects organisations across the globe—and recruitment in particular. Recruiters pass along information to hiring managers and employers on a daily basis. Talent acquisition’s ability to find and recruit the most capable individuals hinges on the accessibility and free flow of such information.

So the question is not whether these regulations will affect recruitment, but rather how organisations should prepare to adhere to them without losing their ability to reach the best available talent. Some suggestions follow:

Get Organised. The first step is to get organised. It is certainly worth performing a total information audit to understand exactly what information you have collected, where your information is coming from, how long you have retained it, etc. One could wager that many companies do not have accurate records of how they acquired certain candidate information. That will not be acceptable moving forward, so now is the time to make sure you can account for every piece of personally identifiable information.

Take Only What You Need. Only collect what you need from here on out. If your databases hold any information beyond what is ‘reasonably expected’ for an applicant, you must prepare to purge that information or acquire permission from the individual to retain it. Even so, consent is not always enough to prove that you are compliant, as the language you use to obtain it may not be 100 per cent in step with the law. Certain items such as sexual orientation, gender, or ethnicity are line items that may fall outside the category of what is to be reasonably expected. With that in mind, organisations may wish to review the information they have collected in the past, whittle it down to the fields that are relevant in a majority of situations, and develop strict policies on the type of information they will collect and store in partnership with their legal team.

Partner with your Legal Team. Recruitment Process Outsourcing service providers advise clients on how to acquire the best candidates. Going forward, talent leaders will need to understand what they are asking their RPO providers to collect, as their organisations will ultimately be held accountable for that information. Legal teams are experts at keeping organisations protected from fines and lawsuits and ensuring that companies adhere to best practice. Companies must consult with them to ensure they are taking appropriate measures to prepare for the new privacy rules.

Other important steps include:

  • Implement stringent database security. Information keepers are responsible for the security of personally identifiable information, and will be held accountable for keeping it secure.
  • Deploy technology that can present stored information to candidates on-demand in a manner that still maintains a quality candidate experience. Employers must also be able to show why they obtained this information, what they plan to do with it, and have a mechanism that allows the candidate to express their permission for them to retain the data – or demand its erasure.
  • Review each EU member state’s local laws related to data privacy. Employers cannot just apply the strictest of the EU privacy laws across the board.

Yes, the new privacy laws will affect recruitment across borders. It will become more complicated than it was in the past. But organisations have nearly two years to make the proper preparations and minimise these complications. In fact, the quicker a company is to prepare, the better positioned they will be to find and recruit the best available talent whilst remaining compliant with the new legal requirements.

Seb O’Connell is the managing director, Europe & Asia Pacific, at Cielo,

Posted October 31, 2016 in Uncategorized
