HR professionals are no strangers to navigating complex compliance and legislation, but in a matter of months we will see a significant shift in the way in which organisations are required to collect, store, use and share data. From May the 25th 2018, a bundle of new rules known as the General Data Protection Regulation (GDPR) will be introduced – but how can HR leaders harness this shift to bolster employee engagement and talent attraction strategies?
Under new GDPR rules, an individual has the right to: transparency around the use of their data; access to their data; correct inaccurate data; have their data deleted when there is no ‘compelling’ reason to process it; block processing of their data; and obtain and reuse their own data across different services. Crucially, data processors and controllers will have to receive ‘consent’ or ‘explicit consent’, which is freely given through clear affirmative action, to use any information when there is no ‘legitimate business interest’ to hold it. This is in contrast to ‘implied consent’, which businesses have historically relied on in the form of silence or pre-ticked boxes. Consent must also be verifiable, which means records must be kept to show how and when consent was given, but as yet there is no precedent as to how this works in practice.
HR functions, of course, have a legitimate reason for holding employee data to use in day-to-day HR operations. However, where there is any ambiguity, around occupational health records, for example, extra care should be taken.
For this reason, it is important that HR departments begin by understanding what data they currently hold, where it is and how it is being used. If HR leaders haven’t already started a data mapping exercise, now is the time to begin. Document what personal information you hold, where it came from and who you share it with. Also, use the months before the introduction of GDPR to review contracts of employment and employee data protection policies. It is also advisable that HR leaders guard against data breaches by ensuring that data security is at the forefront.
These changes also offer an opportunity for an internal communications campaign which not only explains how the company is managing employee data, but also how staff can ensure they are compliant in their own operations.
Aside from managing the data of existing employees, the introduction of GDPR presents an opportunity to supercharge strategies around recruitment and talent pipelining. The new rules offer a catalyst to review and strengthen existing engagement strategies to ensure they are tailored, relevant and engaging. By confirming if potential recruits are happy to receive communications from your organisation, future recruitment initiatives will not only be fully compliant, but more efficient.
There is some ambiguity where third parties are involved in the recruitment supply chain. It is anticipated that candidates will give explicit consent for their CV to be on a job board and it is likely that they will be given options around how broadly their data is used by organisations which advertise on them. Similarly, looking at social media, it is likely that potential employers and recruiters will continue to be able to contact people and download CVs via LinkedIn, but their agreement with the platform will change, as will processes once the data hits internal systems. It is advisable that you work with professional recruiters who are members of a recognised trade body to ensure the recruitment supply chain is compliant.
Finally, don’t buy into the scaremongering. These laws aren’t about fines; they’re designed to protect personal data – data that ethical organisations hold for a legitimate reason. Take the introduction of GDPR as an opportunity to clarify internal data processes and build trust – and your brand – amongst target stakeholders by becoming more transparent.