Back to Blog 5 Ways to Educate Your Recruiters on the Importance of Data Protection by Andy Ingham on April 2nd, 2018 It’s no secret that when the General Data Protection Regulation (GDPR) comes into effect on 25th May, recruitment agencies will have to comply with strict new rules on how data is gathered and stored or they could face serious consequences. By now you’ll know that under GDPR, candidates will have to give explicit consent, or recruiters will have to demonstrate a legitimate interest, for their personal data to be collected and used. Candidates can object to the processing of their data for profiling purposes, and they can request you delete their data at any point. The penalties for failing to comply are steep and enforceable by the Information Commissioner’s Office (ICO). Plus, reputational damage could ensue for failing to comply. As part of the efforts you undertake to prepare your agency to be GDPR-compliant, it’s crucial to educate every single member of your agency’s staff and ensure they understand the legislation, their role in properly handling data to ensure your agency’s compliance, and how to be alert to any actions that could jeopardise your agency’s compliance. With so much at stake, how can you ensure all your employees take their responsibilities under GDPR seriously? Here are 5 ways to consider educating your staff: Lead from the top down. In an age of digital business, technology and data are boardroom-level concerns for all businesses. CEOs must be on top of issues pertaining to data protection and cybersecurity, and those at leadership levels within your agency must lead by example. Is the message about GDPR compliance being communicated effectively across the business? Do your employees know what GDPR is and what’s expected of them in regards to it? Are senior staff leading by example? Train your employees on the basics of GDPR (what it is, why it matters, how it impacts them, and what your agency is doing to maintain compliance). Ensure your leaders are visibly demonstrating why it’s important all employees take GDPR compliance seriously and have them model the behaviours you wish to see your staff embrace. Implement (and regularly update) a data protection policy and ask employees to complete an internal certification. Develop a clear, concise, comprehensive policy outlining processes and procedures for data handling that all staff must follow. Then, consider creating an internal agency certification course that educates employees on exactly what their individual responsibilities are in order to maintain GDPR compliance and require all employees to complete the certification. (It’s not an official certification, simply one you put in place in your agency to ensure all staff have understood their roles and responsibilities, and have acknowledged their understanding of them). Think of how you might design an internal sales certification, for example, and model it after that. Include modules that cover key dos and don’ts your employees must be aware of regarding how to handle sensitive information, password security, client and candidate rights, and all of the other areas in which you must ensure their compliance per the ICO’s guidance. Be sure to include a module that shows all employees how to raise the alarm if they suspect a breach and let them know who’s responsible for responding to it once it’s been identified. Review the policy as part of your new employee onboarding process, and use it as a reference point any time someone has a query about handling data. Build in data protection mindfulness at every stage of business. Rather than data protection being a mere afterthought, the ICO advises taking a “privacy by design” approach whereby it’s ingrained in the culture and processes of the organisation. The ultimate aim is to have every member of staff being consistently mindful of how they’re handling the data that’s integral to their role. You can hardwire this by including a data protection element in job descriptions, employee contracts, and performance appraisals so it becomes an intrinsic part of employee performance. You can also set a regular cadence of communication where you reinforce key ideas and practices as it relates to your agency’s GDPR-compliance, and keep the staff up to date on how your organisation is doing in terms of compliance. Manage access. While hacking is often presumed to be the biggest threat to data security, agencies are perhaps more frequently vulnerable to data breaches that arise from recruiters being careless. Using unencrypted files, sharing passwords, taking secure paperwork out of the office, not shredding confidential documents, and leaving papers unsecured are major risks for data breaches. Educate employees on the dangers of these practices and show them a more secure, compliant way to get their work done. It’s also essential to have controls in place to ensure that data can only be accessed by those who need it: having it freely available to everyone, regardless of whether they have legitimate use for it, will not be acceptable under GDPR. Password protection of such data is an absolute minimum requirement and agencies should seriously consider incorporating further authentication stages before the most confidential data can be accessed. The permission levels allocated to each employee should be tracked on an ongoing basis so that nobody has any privileges that they don’t need. Equally, access should be immediately revoked and passwords changed when employees leave the company. Provide thorough and regular training. The introduction of GDPR is a reason to begin regular staff training on data protection and issues related to cybersecurity. This will ensure your agency keeps compliance at the forefront of your employees’ minds. Regularly host trainings covering data protection and security practices, and keep records of the training so that absent colleagues or new starters don’t miss out on crucial information that could potentially jeopardise the security of your agency’s data. GDPR isn’t a passing fad and it’s not something you can embrace with enthusiasm only to lose interest later. It must be given ongoing, mindful attention by all members of your recruitment agency’s staff to ensure you remain GDPR-compliant. For specific details on what you’ll need to do to ensure your recruitment agency is GDPR-compliant, refer to the ICO’s guidelines at www.ico.org.uk. Want to learn more about how GDPR will affect your agency? Visit the GDPR Resource Centre for insightful articles, webinar recordings, and more.