So, the recruitment world has definitely woken up to the fact that GDPR is coming. But amongst all the discussion and debate, little has been said about the biggest obstacle that businesses will be presented with in the lead up to GDPR: that is, how to embed the culture of professionalism that the regulations require into your business.
And if I have to read one more article on how a technology product is instantly going to make you “GDPR compliant” I am going to scream! Don’t get me wrong – as a tech vendor, it’s our job to help recruiters ‘tick the GDPR boxes’ and demonstrate an intention towards GDPR compliance. But full compliance at this stage, when the regulations are yet even to be finalised, is impossible.
More importantly, the biggest challenge that all recruitment agencies will have to face with GDPR is not a systematic one, but a cultural one. As we said in our GDPR eBook back in September 2017…
“The biggest obstacle you’ll be presented with as an agency owner is how to embed the culture of professionalism that GDPR requires into your business. GDPR isn’t just a process, and it isn’t just a matter of ticking off a requirement checklist then carrying on, business as usual. The regulations are demanding on a more cultural level.”
Every member of your team is internally responsible for how they personally gather, process and use your candidate data – it’s not just something for your DPO to worry about. Just one slip-up from any member of your team could seriously cost you and your business, so it’s crucial that everyone understands what they’re accountable for.
So take a minute (or five) to identify the changes that will need to be made internally to your business before May, and consider some of the softer cultural steps that you can begin rolling out within your team(s).
5 steps towards a GDPR-friendly company culture
- Review your internal HR policies
Your internal policy documents that cover how you handle a candidate’s personal data will need to be updated in light of GDPR. These documents should provide your recruiters with guidance on your policy regarding things like printing out CVs, handling candidate documents outside of the office, or updating a candidate record information (with the risk of that information being inaccurate or outdated).
This might sound simple, but these are all areas left wide open to potential human error that could have hefty consequences for your business. For example, a pile of CVs left in a Starbucks after an interview, or a candidate asking to export their full record and finding some dubious notes on their file - these are all situations that could put the business at the greatest risk. So as a business owner, you need to provide all your staff with clear guidelines on what is considered company policy in these kinds of situations, and most importantly – hold proof that you’ve provided staff with these guidelines.
- (Re)Train staff
The saying might go, “you can take the horse to water but you can’t make it drink” but in this case you need to make sure they drink the water as 4% of your turnover could be on the line here!
You’ll need to support your staff through the big changes that are on the horizon, and put emphasis on your company’s policies when it comes to those areas that GDPR is affecting. Remember that change can be scary for some people, so guiding them through this is your job as a leader. This is also a good opportunity to add in some structure to your business by having all your processes in writing, as you can then continually review and improve on those processes whilst ensuring that all your staff are on the same page.
And don’t just see your training sessions as a matter of ticking off another box to show your good intentions – make sure your sessions are valuable to your team. For example, at the end of your training sessions, does your team know how to deal with a request to be removed or forgotten? Do they know what could constitute as a data breach and what they should do about it?
Read: How Will GDPR Affect Recruitment Marketing?
- Hold proof of training
After you’ve been through the training and notified your employees that you’ve updated your company policy documents to reflect any changes, it’s a good idea to hold proof that you have done this! Once you've issued your policy document, either have your team sign a document to confirm they’ve read it, or better still – use an online HR system that tracks when an employee has opened and read each document automatically.
We use software called BreatheHR internally, and find it does this job really well. When you update any policy documents, the system sends out an internal email notifying everyone that the document needs to be read before a certain date. This will prove that as business owner you’ve done your best to ensure your employees understand their responsibility, the company’s procedures and that they’ve agreed to follow these guidelines and policies.
- Document your processes
You’ll need to have an official process clear and in writing for how your company deals with things like registering new candidates, keeping them engaged, ensuring they understand their new candidate rights, what constitutes a data breach and what the process looks like in the rare case that one occurs at your company.
If you have a clear process in writing for how you handle these areas, this is a great step towards being GDPR-ready, and these documents can also be used to supplement induction training for new starts at your company. However, you will also need to ensure you embed the correct behaviour by helping new starts establish what these GDPR-friendly procedures look like in practice from day one and not influenced by any bad habits that the more established recruiters may find harder to let go of!
Looking for more guidance on how to prepare your recruitment agency for GDPR? We have you covered.
- Review your procedures
GDPR roll-out is the perfect opportunity to take time to review, and in some cases reassess, some of your procedures. Are you focussing on targeting the right candidates over spraying and praying? Are you taking steps to support and refocus any recruiters on your team who are running around like headless chickens, too busy to stop for breath? Make time to asses what’s working for your business and what’s not, then you can work any changes into your GDPR strategy to make it scalable.
A great by-product of the GDPR is that it will (or should!) transform the way your team thinks about data collection and data processing, and this will create a genuine culture of professionalism where your recruiters take pride in their engaged database and strong candidate networks.
The best recruitment teams will be agile enough to easily absorb the necessary GDPR changes into their processes, and use this time to align their team’s internal behaviours. Recruitment Systems will definitely be there to help, automate, prompt and enable your recruitment agency to eventually reach GDPR compliance, but recruitment managers will still need to invest time and effort into changing behaviours internally, prompting a greater cultural change to your business.