Without being hyperbolic, in today’s world data is more valuable than gold.
During an era where analytics and AI-led automation has become mainstream for most major corporations, even smaller companies have shifted focused to an essential ingredient that’s driving sales – data.
Simply put, if you have personal data (who doesn’t?) — you’re a commodity, and contributing to the treasure trove that businesses are capitalizing off worldwide.
On May 25, 2018, the General Data Protection Regulation (GDPR) ushered in a new era in the protection of personal data in the EU, while using pretty substantial fines as ramifications. The GDPR is a data privacy and handling law that applies to companies and organization across the world who deal with the personal data of any EU citizen, aimed at securing and protecting their data.
The law applies to the procession of personal data, defined as “any information related to a natural person, that can be used directly or indirectly to identify a person.”
The EU followed Canada’s lead as the Canadian Anti-Spam Law (CASL) went into effect in July of 2014. The CASL is a federal law that protects consumers and companies from the misuse of digital technology, including spam and other “electronic threats,” as per the Canadian Government. Canada’s Law is meant to protect its citizens while ensuring that businesses can continue to compete in the global marketplace.
Canada’s legal definition of electronic threats includes:
- Unauthorized alteration of transmission data
- The installation of computer programs without consent
- False/misleading electronic representations (including websites)
- The harvesting of addresses (collecting and/or using email/electronic addresses without permission)
- The collection of personal information
Non-compliance with Canada’s and the EU’s data protection laws can be very costly. Canadian fines range from $1 million in administrative monetary penalties (AMP) for individuals and up to $10 million for businesses. Breaching the GDPR ranges from €10 million for lower levels and €20 million in higher level cases (4% of the company’s global revenue — whichever is bigger).
ResearchFDI itself went through the rigorous processes to become GDPR & CASL compliant and have assisted our clients in following the same pursuit.
Data protection vs. business recruitment
Under the data protection laws, recruiters and employers have legal responsibilities regarding how they handle people’s information. Here are a few key factors of GDPR that affects the daily work of recruiters and hiring teams:
- Consent: As part of its transparency directive, the GDPR for example, mandates to obtain clear, concise, intelligible, and explicit approval from the candidate before any information can be stored or analyzed. The candidate must be made aware of their options and rights as recruiters could become privy to personal details rather than professional. The candidate must also be provided with clear instruction on how to withdraw their consent, should they wish to.
- Legitimate interest/need: The GDPR obliges employers and recruiters to collect data for “specified, explicit and legitimate purposes” only. Companies can source candidate’s data so long as it’s for job-related information only and candidates are sourced within 30 days.
- Transparency and access: Companies must have clear privacy police and recruiters are obliged to make said policies available to candidates. It must also be disclosed as to where the candidate’s data is stored and that the data is being used exclusively for recruitment purposes.
- Accountability: Companies need to be able to demonstrate compliance with data protection laws. Under the GDPR, companies are responsible for who it does business with and if its contractors fail to comply with the law, the company is held accountable as well.
- Candidate rights: Candidates have the right to be forgotten. They can ask corporations to delete and stop processing their personal data. Companies have to locate every place that the information is held and delete it within 30 days after receiving a candidate’s request to clear.
How employers and recruiters can comply with data protection laws
In the new world, data is a very valuable currency.
Whereas data protection laws create challenges for business recruiters, it also creates opportunity. Companies who show the value in individual’s privacy can build a deeper relationship with clients, retain more loyal customers, and build public trust (beyond solely being legally compliant).
Obviously, while it may take a significant investment of time and tech to get done right, it’s a new-age checkmark that affects the way business are run.
We’re going to highlight some hiring-specific changes that businesses need to know in order to comply with data protection laws.
- Map recruiting data: Map where all of the personal data in a company comes from, who can access it, and if there are any risks to the data.
- Determine what’s to be kept: Companies shouldn’t keep more information than what is necessary.
- Secure data breaches: Companies should implement safeguards to help contain any data breaches. The ability to react quickly to a potential data breach is vital.
Actively conducting international outreach?
Reach out to a ResearchFDI team member to learn more about how your organization can become compliant with both GDPR and CASL law, or simply email us at firstname.lastname@example.org to book a free consultation.