GDPR is fast approaching and enforceable from 25th May 2018. As of today (in October 2017), that is only circa 150 working days – unless you are planning on working Christmas holidays and the weekends!
Many organisations and recruitment businesses are in full flow working towards the changes, but many others are still not fully aware of the regulation or are simply ignoring it, treating it as just another piece of best-practice guidance; an estimated 15% even think that GDPR will not apply post Brexit.
GDPR is law in the UK from 25th May 2018 – from then it will be enforceable and will remain in place beyond Brexit. At the same time, the ICO will have at least another 100+ enforcement staff from May 2018 to process and investigate reported breaches.
I’ve had a gander at what organisations are up to and looked to find out the what’s what of GDPR in recruiting terms, and I can say that so far it is on the one hand straightforward but on the other a minefield of processes and systems to implement. The recruitment fraternity is still trying to grasp and clarify the requirements of the new legislation, and the REC and APSCO are seeking the same.
For good or bad, GDPR does not, however, define any specific data protection controls that an organisation must follow. Each organisation is allowed to determine, for itself, the security controls necessary for the data it collects, its confidentiality and the risk. What?!!
A white paper published last year by the International Association of Privacy Professionals (IAPP) claimed that the Regulation will create demand for 75,000 data protection officers (DPOs). A large number of organisations are using training courses, staff awareness courses and documentation toolkits. Additionally, a significant number of organisations are investing in consultants and GDPR gap analysis products. It is clear, however, that there is apathy and a lacklustre response, and therefore hundreds of thousands of UK businesses are potentially at risk of huge fines for non-compliance.
Consent & Subscription
From May 2018 candidates (citizens) must now give explicit consent for their personal data to be collected and used and they can request their personal data be deleted when it is no longer required. As well as a right to be forgotten, candidates can at any time withdraw consent and there will be penalties if you are not working with GDPR best practices.
Recruitment businesses, like most organisations, have normally relied on the individual’s implied consent as the basis for processing their personal data. When a candidate submits their CV, this is generally treated as broad implied consent to use the candidate’s personal data to put them forward for the specific roles they want to apply for, and also to carry out any processing allied to performing the services, including contacting them about future vacancies which the recruitment business believes may be of interest to them, indefinitely into the future. Under the GDPR, consent must be freely given and be specific to the data being used in a certain way – previous implied consent will not be sufficient to amount to consent.
It is an organisation’s responsibility to demonstrate valid consent, or it could be at risk of enforcement action. Clear records will need to show the date of consent, what has been consented to, the method of consent and who obtained it, and these may be needed as records of evidence in the event of a complaint.
So – would your candidates now become subscribers as such? And I wonder, would they need to double opt-in? Simply, they respond to a job and then you ping back [the data subject] asking for confirmation that they opt in, and in the same communication you provide a complete rundown of what your processes are, what you do with their data and when you will delete it. At that point I think the communication would need to be loaded with some value (maybe content?) in order to promote a positive reply, for example, setting out briefly why ‘you’ and why they should be opted in [to your business/service]; what’s special about your company service anyway (in a meaningful way to the data subject). In this case, do be mindful that a conditional choice is not forced and consent is still freely given.
For your client contacts, that is B2B data, right? So rather than opting into communications, they can opt out under the Privacy and Electronic Communications Regulations (I don’t think that would get communigators out of having to comply with the GDPR anyway!).
Automation would be a big part of these processes, and applications via your portals will very much deal with the process if designed correctly. For existing records and new records, directing the candidate back to your subscription/registry service for the double opt-in before the record reaches your ATS may be a key factor in compliance, as well as reducing the severity of a breach (should one happen) and, of course, the risk of heavy fines.
For existing records, according to the ICO, you are not required to automatically refresh all existing consents sought under the current Data Protection Act (assuming you have such actual existing consents). However, your existing consents need to meet the GDPR standard. From 25th May 2016 – your data hold will be a liability, or more of a liability; contacting those subjects may be putting you in breach.
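To make the consent records described above concrete, here is an added example (written for this article, not code from any ATS, CRM or other product it mentions) of a small consent register. Each record carries the four things the ICO would want to see evidenced: the date, what was consented to, the method and who obtained it. The `evidence()` check refuses to justify processing on a legacy implied consent, on a purpose the candidate never agreed to, or after the candidate has withdrawn. The candidate identifiers, purpose strings, timestamps and method names are all constructed for the illustration.

```python
"""Consent register: an audit trail that can evidence valid, specific consent.

Constructed example for this article; field names and sample data are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Consent captured by these methods is not the explicit, affirmative consent the
# article describes, so the register treats it as something it cannot evidence.
NON_EXPLICIT_METHODS = {"implied", "pre-ticked box", "silence"}


@dataclass
class ConsentRecord:
    subject_id: str            # candidate identifier (assumed scheme)
    given_at: datetime         # date of consent
    purposes: frozenset        # what was consented to, e.g. {"apply:REF-123"}
    method: str                # method of consent, e.g. "double opt-in email"
    obtained_by: str           # who obtained it (user or system)
    withdrawn_at: Optional[datetime] = None

    def is_valid_for(self, purpose: str, at: datetime) -> bool:
        """True only if consent is explicit, covers this purpose, was given
        before `at` and had not been withdrawn by `at`."""
        if self.method.lower() in NON_EXPLICIT_METHODS:
            return False
        if purpose not in self.purposes:
            return False
        if self.given_at > at:
            return False
        if self.withdrawn_at is not None and self.withdrawn_at <= at:
            return False
        return True


class ConsentRegister:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        self._records.append(rec)

    def withdraw(self, subject_id: str, at: datetime) -> int:
        """Withdraw every live consent for a subject; returns how many were withdrawn."""
        count = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                count += 1
        return count

    def evidence(self, subject_id: str, purpose: str,
                 at: Optional[datetime] = None) -> Optional[ConsentRecord]:
        """Return the record that justifies processing, or None if it is not permitted."""
        at = at or datetime.now(timezone.utc)
        for rec in self._records:
            if rec.subject_id == subject_id and rec.is_valid_for(purpose, at):
                return rec
        return None


def demo() -> Dict[str, bool]:
    """Walk through the cases from the text with constructed records."""
    reg = ConsentRegister()
    t0 = datetime(2018, 5, 26, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    # Legacy record: CV arrived by email under the old implied-consent assumption.
    reg.record(ConsentRecord("cand-001", t0, frozenset({"future-vacancies"}),
                             "implied", "inbox import"))
    # GDPR-standard record captured by the double opt-in flow for one role.
    reg.record(ConsentRecord("cand-002", t0, frozenset({"apply:REF-123"}),
                             "double opt-in email", "j.smith"))
    results = {
        "legacy_implied": reg.evidence("cand-001", "future-vacancies", t0) is not None,
        "specific_ok": reg.evidence("cand-002", "apply:REF-123", t0) is not None,
        "other_purpose": reg.evidence("cand-002", "future-vacancies", t0) is not None,
    }
    reg.withdraw("cand-002", t0.replace(hour=10))
    results["after_withdrawal"] = (
        reg.evidence("cand-002", "apply:REF-123", t0.replace(hour=11)) is not None
    )
    return results
```

The point of `evidence()` returning the record rather than a bare boolean is that the same lookup that gates processing also produces the evidence you would hand to the ICO in a complaint.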
Field of Breaches and Britches..
In the run-up to GDPR, ICO fines have been rocketing upwards of 100% year on year. As things stand, the ICO can apply fines of up to £500,000 for contraventions of the Data Protection Act 1998. Once GDPR comes into force on 25 May 2018, there will be a two-tiered sanction regime – with lesser incidents subject to a maximum fine of either €10 million (£7.9 million) or 2 percent of an organisation’s global turnover (whichever is greater). The most serious violations could result in fines of up to €20 million or 4 percent of turnover (whichever is greater). This represents a big increase – for example, looking at TalkTalk’s recent fine of £400K, which is no small amount of money: had the breach taken place after the General Data Protection Regulation had come into force, the punishment for the company’s negligence would have been considerably more – £59 million, to be exact.
In 2015, Wetherspoons was one such organisation to experience a data breach, when over 650,000 customer records were stolen. That’s four times as many as were taken in the attack on TalkTalk around the same time. Not even the UK government is safe, after an embarrassing data breach of its own educational cybersecurity site, Cyber Essentials.
Unfortunately, even this process of emailing to ask for opt-ins is fraught with danger – as the likes of Honda and Flybe experienced. In trying to ‘re-permission’ their customer databases (emails asking customers to update their details and/or confirm their marketing preferences), they were in fact contravening existing data protection laws by communicating with those who had opted out of such emails.
As ICO Head of Enforcement, Steve Eckersley put it, “Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law… Businesses must understand they can’t break one law to get ready for another.” The companies were fined a total of £83,000.
It is surely sensible to clear out and validate your data now and not wait until post GDPR! It’s also important that your team is informed of the new regime and the importance of safeguarding personal data. They must also be made aware of the penalties which your agency could face.
GDPR is about accountability, and the ICO is determined to bring companies breaching the GDPR to account – ultimately the directors and the holding companies.
A note on Cyber Security..
Whilst GDPR is not directly a part of cyber security, cyber may very well be the cause of a breach and therefore a risk to the company in respect of the new legislation. It is clear that although the cyber risk is growing in prominence, not all company directors are well informed about the issue. Most breaches, however, are likely ‘not’ to be cyber or hack related. I think generally only circa 18% are cyber related. Breaches mostly start life internally – that is, people, system or process errors. Likewise, simply leaving a laptop on a train is a breach, and so too is a member of staff accessing data they do not need to see. Within the company there are many risks to contend with, and each member of staff is a potential breach risk – this is, however, mostly accidental, such as a business process or system mistake, rather than intent.
Only 1% of boards are reportedly described as fully informed and skilled in respect of cybersecurity. Similarly, a UK government survey conducted by PwC showed that just 42% of 9,700 executives in over 150 countries said that their boards are involved in security strategy, and only 25% said that their boards are involved in reviewing security and privacy threats. Despite this apparent lack of board-level input, it is undeniable that cyber risk affects practically every business. According to a survey commissioned by the government, nearly nine out of ten large organisations have suffered some form of a cybersecurity breach. The cost of a major cyber incident is likely to be significant. For example, studies have shown that the estimated average cost of a data breach in the UK financial services sector is in excess of €4 million. In addition, the global shift towards a digital economy means that cybersecurity and the protection of personal data are subject to increased legal and regulatory scrutiny. New legislation in a range of jurisdictions, most notably in the EU under the new General Data Protection Regulation (679/2016/EU) (GDPR), will see organisations being held to higher standards than ever in terms of their use of personal data, with severe penalties for non-compliance. For more visit http://bit.ly/2uMMAzp
Things companies will need to have in place as far as the GDPR requirement goes..
A requirement for the public sector, or for companies that at their core are processing large amounts of personal data, is to appoint a DPO – Data Protection Officer. All public sector organisations have had that enforced upon them for some time. It is not an admin function; it sits very much at business strategy level. The DPO is usually a director / senior person, as this is a responsible position given the risk of non-compliance. The DPO would be an expert in compliance with a high-level knowledge and understanding of IT systems, business process and cyber security. Some companies are hiring a third-party specialist / DPO to design and implement the changes and plan to appoint for the role internally. Of course, many organisations already have this expertise in-house.
Responsible to and under the DPO (in terms of GDPR scope) is the Data Processor (essentially anyone accessing or handling data, e.g. all staff, data centres, cloud services, online services such as timesheeting, CRM suppliers etc.) and also the Data Controller (some staff and suppliers).
Audit what you have, and understand what you have and where it is:
- What Personally Identifiable Information (PII) data do you have, use and store?
- Where is it (in what systems and physical locations, laptops etc.)?
- You must classify data types across your organisation
You must control access to data: for example, who can have access, what they can do with it, and where they can store it or send it to. Organisations must log and track access to personal data for accurate reporting, and therefore must maintain records of all processing activities and be able to easily report on personal data use and processing compliance. Having the ability to prove that you are tracking who accessed what data is a must. Technology solutions such as Forcepoint, Sprion and Digital Guardian can help with such auditing, access control and classification/tagging of data sets. Having the right reporting capabilities in place will allow organisations to demonstrate proof of GDPR compliance, satisfy internal and external audit requests, and quickly prepare the information required for reporting breaches to supervisory authorities and individuals.
You would need to compile a Data Sharing Impact Assessment: where is your shared data, and what impact would it have should it be compromised?
Under the GDPR, the relationship between parties who share data among themselves will become much more heavily regulated. If you share personal data with third parties (such as RPO companies, umbrella companies or payroll companies) then you must have a GDPR-compliant data sharing agreement in place.
Contracts & Suppliers
Consequently, you should review, and possibly amend, your contractual relationships with all those with whom you share your candidate data, to ensure that they meet these new requirements. This includes data centres/cloud suppliers or anyone that is considered a data processor (recruiters are likely to be both data processor and data controller).
Encryption & Pseudonymisation
Encryption is a big reducer of risk when it comes to data. Organisations will be able to relax more should all data be encrypted – if hacked, the chances of the hacker being able to decrypt the data will be minimal. Recruitment software vendors will have to get their act together in providing solutions with built-in encryption. Such encryption would need to be reciprocated where data is shared with external systems. However, the problem is that most people work out of systems with repositories of data and duplicate data everywhere, and in applications without encryption, e.g. in email/Outlook/folders/spreadsheets/laptops/cloud drives etc. This also presents problems where a data subject – your customer/candidate – requests that their data be deleted: you have to know where it is. Companies that encrypt their personal data also gain the advantage of not having to notify data subjects in the case of a breach. (They still, though, would have to notify the ICO.)
We are a long way from fully encrypted systems and such applications that talk to each other, but organisations must make a start to encrypt data especially portable formats. At the moment, fully encrypted systems including controlling file systems would be very expensive and I think to a large extent, actually limit or strangle a working desk to a halt! At least encrypt portable data but a big part of reducing risk is to reduce the amount of data you store and only store what you need. Why have out of date data that is of no value but increases risk?
On the other hand, pseudonymisation – a process of replacing personal data with artificial identifiers – is a GDPR-approved technique. The idea is to replace personal identifiers with a random code, just like writers using pseudonyms to hide their identities. There would be a mapping to the real data, but the personal data is hidden from the employee. In recruitment, I cannot yet see how this would work in dealing with real people by name. People and relationships are our business. Ok, it will probably be suitable for a call centre – you’re just a customer number!
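The mapping idea just described, shown as an added example (written for this article, not code from any recruitment product): PII fields are swapped for one random token, the token-to-real-data mapping is held in a separate vault, and deleting the mapping entry is what honours a deletion request, because the working record then can no longer be linked back to a person. The field names, the sample candidate record and the in-memory vault are all constructed for the illustration; in a real deployment the vault would be a separately access-controlled store.

```python
"""Pseudonymisation of candidate records with a separately held mapping.

Constructed example for this article; field names and sample data are assumed.
"""
import secrets
from typing import Any, Dict, List

# Fields treated as direct identifiers (assumed list for the illustration).
PII_FIELDS = ("name", "email", "phone")


class PseudonymVault:
    """Holds the token -> real-value mapping. Only this store can re-identify a
    record; everything else works with the token."""

    def __init__(self) -> None:
        self._map: Dict[str, Dict[str, str]] = {}

    def pseudonymise(self, record: Dict[str, str]) -> Dict[str, str]:
        """Return a copy of `record` with all PII fields replaced by one random token."""
        token = secrets.token_hex(8)  # 64 bits of randomness, unguessable from the data
        self._map[token] = {f: record[f] for f in PII_FIELDS if f in record}
        working = {k: v for k, v in record.items() if k not in PII_FIELDS}
        working["subject_token"] = token
        return working

    def reidentify(self, record: Dict[str, str]) -> Dict[str, str]:
        """Rebuild the original record; raises KeyError once the mapping is gone."""
        real = self._map.get(record["subject_token"])
        if real is None:
            raise KeyError("no mapping: subject erased or token unknown")
        rest = {k: v for k, v in record.items() if k != "subject_token"}
        return {**rest, **real}

    def erase(self, token: str) -> bool:
        """Delete the mapping for a token (the 'right to be forgotten' step).
        Returns False if there was nothing to erase."""
        return self._map.pop(token, None) is not None


def demo() -> Dict[str, Any]:
    """Pseudonymise a constructed record, restore it, then erase the mapping."""
    vault = PseudonymVault()
    original = {
        "name": "Jane Doe",                 # constructed sample values
        "email": "jane.doe@example.com",
        "phone": "07000 000000",
        "skills": "python;aws",
        "stage": "interview",
    }
    working = vault.pseudonymise(original)
    leaked: List[str] = [f for f in PII_FIELDS if f in working]
    restored = vault.reidentify(working)
    erased = vault.erase(working["subject_token"])
    try:
        vault.reidentify(working)
        linkable = True
    except KeyError:
        linkable = False
    return {
        "leaked_fields": leaked,                 # PII still visible in the working copy
        "restored_matches": restored == original,
        "erased": erased,
        "linkable_after_erase": linkable,
    }
```

Note that the non-identifying fields (skills, pipeline stage) stay in the working record, which is what lets reporting and analytics carry on after the mapping has been erased.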
Security by design
Until such time as you are 100% encrypted and/or operate pseudonymity, it will be imperative, and indeed a requirement, to include security and privacy by design in all business and project design processes – at least from this day forward – and to be able to demonstrate this to the ICO if required. Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. Unfortunately, these issues are often bolted on as an afterthought or ignored altogether. Building this into processes and designs at the outset allows organisations to find and fix problems at the early stages of any project, reducing the associated costs and damage to reputation that might otherwise accompany a breach of data protection laws and regulations.
The introduction of mandatory Data Protection Impact Assessments
A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct privacy impact assessments where privacy breach risks are high to analyse and minimise the risks to their data subjects.
It would also be important to align ISO 9000 and ISO 27000 systems in the proper spirit and function, and at the same time ensure that the business continuity plan and disaster recovery plans are firmly in place, with security built into their design and methods.
You will need to create an Incident Response Plan (do check out the links below, including the facts you really need to know from Danny McShane of Tellemachus).
Plan: What ICO needs to know – Following a breach you need to inform the ICO within 72 hours.
- How the data was lost
- What data was taken
- What data is untouched
- Which user accounts were involved
- A description of potential consequences of the breach
- What mitigations are placed/planned
- Date & Time of breach
As soon as a systems breach or hack is discovered, you must inform the ICO. You will need systems in place to know what is lost and which records are breached. Your incident response team will meet to discuss the risk and also the response required.
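Several items on the ICO list above (which user accounts were involved, what data was taken, what is untouched) can only be answered from the access log that the earlier section says you must keep. As an added example (written for this article, not code from Forcepoint, Sprion, Digital Guardian or any other vendor named here), the block below records accesses to personal data and turns a detection time and a suspect time window into the facts an incident team needs, including accesses by accounts with no need to know that record and the 72-hour notification deadline. The log format, account names, candidate identifiers and timestamps are all constructed for the illustration.

```python
"""Access audit log for personal data and the summary an incident team needs.

Constructed example for this article; log format and sample data are assumed.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, NamedTuple, Set

NOTIFY_WITHIN = timedelta(hours=72)  # ICO notification window stated in the article


class AccessEvent(NamedTuple):
    at: datetime
    user: str          # account that touched the data
    subject_id: str    # whose personal data
    fields: tuple      # PII fields read or exported
    action: str        # "read" or "export"


class AccessLog:
    def __init__(self) -> None:
        self._events: List[AccessEvent] = []

    def record(self, ev: AccessEvent) -> None:
        """Append one access; in production this write happens before data is returned."""
        self._events.append(ev)

    def between(self, start: datetime, end: datetime) -> List[AccessEvent]:
        return [e for e in self._events if start <= e.at <= end]

    def incident_report(self, detected_at: datetime, start: datetime, end: datetime,
                        need_to_know: Dict[str, Set[str]]) -> Dict[str, Any]:
        """Summarise the suspect window: accounts involved, subjects and fields
        touched, exports, accesses outside each account's need-to-know set,
        and the ICO deadline counted from detection."""
        events = self.between(start, end)
        fields: Set[str] = set()
        for e in events:
            fields.update(e.fields)
        violations = [(e.user, e.subject_id) for e in events
                      if e.subject_id not in need_to_know.get(e.user, set())]
        return {
            "accounts": sorted({e.user for e in events}),
            "subjects": sorted({e.subject_id for e in events}),
            "fields": sorted(fields),
            "exports": sum(1 for e in events if e.action == "export"),
            "need_to_know_violations": violations,
            "notify_ico_by": detected_at + NOTIFY_WITHIN,
        }


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamp helper: all sample events fall on one day."""
    return datetime(2018, 5, 26, hour, minute, tzinfo=timezone.utc)


def demo() -> Dict[str, Any]:
    """Replay a constructed log and build the report for a window of 08:00-11:00."""
    log = AccessLog()
    log.record(AccessEvent(at(7), "alice", "cand-003", ("name",), "read"))  # before window
    log.record(AccessEvent(at(9), "alice", "cand-001", ("name", "email"), "read"))
    log.record(AccessEvent(at(9, 30), "bob", "cand-002", ("name", "phone"), "export"))
    # An account with no need to know cand-001 exporting the full identity block.
    log.record(AccessEvent(at(10), "mallory", "cand-001", ("name", "email", "phone"), "export"))
    need_to_know = {"alice": {"cand-001", "cand-003"}, "bob": {"cand-002"}}
    return log.incident_report(detected_at=at(11), start=at(8), end=at(11),
                               need_to_know=need_to_know)
```

The need-to-know check is deliberately simple (a per-account set of subjects); the point is that "who accessed what" is only answerable if the log is written on every access, not reconstructed afterwards.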
Plan: what the data subjects need to know
The ICO will want evidence that you have done the following –
You must inform the data subjects as soon as you become aware of a breach of their data –
- What happened
- Date and time it happened
- The date and time we detected it
- Basic information about the breach
- What information has been compromised
- What actions we have taken
- What we are doing now
- What the next steps are
- Who they can contact about concerns
The changes GDPR requires can be split into two areas that this legislation touches: business process and technical –
Business process changes
- DPO becomes mandatory
- Active compliance management needed
- Breach reporting will be mandatory
- Data must be used for the purpose it was collected
- Consent must be freely given for the collection of PII
- Data must be available in a portable format
- Data must be permanently erased if requested (or under right to be forgotten)
- Data must be accurately and securely stored
- Data source must be a mandatory field
- IP addresses are classified as personal data and must be erased
- Software product sets that can classify, control access to and provide audit trails across a business
Finally, the 6 GDPR principles relating to the processing of data that you have chosen to hold can be boiled down to you, as a business, complying with these 6 points –
- Process lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and where necessary, kept up to date
- Retained only for as long as necessary
- Processed in an appropriate manner to maintain security
Legitimate Business Interests? I’m not going to tackle this here as it will depend on your business model and many other factors. I may be back on the case soon, however!
Turn it into something positive.
GDPR is largely seen in a negative way – as another hoop to jump through as per IR35, AWR etc.
Remember that it is to also protect you as a citizen and gives you more control over what personally identifiable data that companies hold on you and what they do with it.
My take is that it will actually make businesses more resilient. I do not cover this here but is also an opportunity to connect better with your audience as there are touch points along the way.
I am no legal expert, however, so do check it out for yourself. I do know my recruitment stuff though – but I think problems and arguments will happen for a long time while organisations get to grips with the interpretation of the GDPR terms of reference/articles of the law and working this into their particular business. No need to risk a big fine, however – so acting now is the real solution. Remember, the regulation principles above are not only fair but sensible, and will make a company better and more resilient.
You must agree (ok – only agree if you want to) that we need a step up in cyber and data security mindsets – in this world where hacks and breaches of our personal data are rife, and where wars against and from hostile nations will be fought in cyberspace, where we and our nation’s infrastructure are under attack.
Cyber crime is the most common crime in the UK, with 50% of companies hacked in some way in a 12-month period, yet most companies are still not waking up to this nor implementing the most basic or best practices in protecting the data they hold, and so the need to regulate is greater than ever – hence EU GDPR.
In the meantime, recruiters will have their work cut out to fulfil huge global cybersecurity skill-set demands, keep innovation moving forward as well as keep their own systems compliant.
Whilst I express my own views, I found the following links and information valuable while having this quick gander – so thanks, and indeed due credit, to those..
Useful insights and guidance webinars in a video, from Danny McShane of Tellemachus which includes a look at some great technologies to help with GDPR compliance:
GDPR – The facts you really need to know
Creating a Data Loss Response Plan with Garry Hibberd from Agenci
Data Location & Classification with Joe Peden of Sprion
Data Loss Prevention with Stuart Cook of Digital Guardian
Auditing with Amrit Toor of Forcepoint (Websense Rathion & Stonesoft)
Chiara Rustici, an independent GDPR analyst, gives a memorable breakdown of the key data protection principles and explains their impact on the wider context of the market for “white-label consented data” (data brokers), and audience segmentation and other predictive analytics (profiling) services. I like the term moving from ‘just in case’ data to ‘just in time’ data..