Every Dutch person who does not live under a rock will know that we are dealing with new privacy legislation. If you are not involved with it within your own organization, then you must have received an e-mail or twenty from all the companies you have ever done business with, telling you that they have changed their privacy statement. But that is not all you have to adjust. Online recruitment involves a lot of personal data: from an initial response to confirmation of the contract. In this blog you will learn how it works and you will get a clear step-by-step plan to make your online recruitment AVG compliant.
Core of the GDPR / AVG
Every citizen within the European Union and every company that does business with European consumers has, directly or indirectly, to deal with this new European legislation. In Europe it is called the General Data Protection Regulation (GDPR); in the Netherlands it is called the Algemene Verordening Gegevensbescherming (AVG). The AVG affects the processing of all personal data of all European consumers: your name, address, (business) e-mail address, interests, compiled customer profiles, and so on. It does not matter for what purposes that data was collected or where your company is located.
And it is not only large, listed companies that must conform to the new rules; self-employed people and other small firms should also be aware of the impact the AVG has on their daily activities. For example, how long may you keep application letters? Or quotes you have sent? Working notes? You must be able to account for the processing of every piece of personal data, either on a legal ground or on the basis of specific consent.
Four common AVG errors
- Still working on the AVG. The AVG has been in force since 25 May 2016, but has only been enforced since 25 May 2018. Every company should be ready by now.
- Respond to continue receiving this newsletter. You may always e-mail existing customers (to inform them about similar products or services), and people who have already given consent do not have to do so again. The only reason to send such an e-mail is if you have not kept proof of that consent.
- Complete this AVG form. The AVG is passed on as a burden to the consumer by handing them a form on which they must fill in their personal data and give explicit permission for its use. But when personal data is needed to deliver a product or service (contact details, for example), there is already a legal ground.
- Everything or nothing. With AVG forms and cookies you are faced with the choice: agree to everything, or stop using our website or service. According to the AVG, the website or service should be set up correctly with privacy as the starting point ("privacy by design"), and this should not stand in the way of its functioning. So cookie walls are not allowed, and neither is making personal data mandatory when it is not required.
The AVG and online recruitment: checklist with 7 steps
The HR department of every company is a melting pot of personal data. Data is processed here for every employee and prospective employee. Especially during online recruitment, personal data is pumped around an organization at a rapid pace. And it then remains for decades with people who, under the AVG, actually have no grounds to hold it. For example, you may no longer keep the personal data of a rejected candidate unasked.
How do you ensure that your online recruitment is AVG compliant? By going through the checklist below, with 7 steps to improve the privacy aspect of your online recruitment:
- Inform your entire organization about the AVG.
Yes, the AVG has a particular impact on the HR department, but no, that department cannot do it alone. Everyone in your company, from the secretary to the director, will need to be aware of the new AVG rules. Internal e-mails, minutes, conversation notes: every document containing personal data is covered by the new privacy legislation. It starts with all your employees being aware that the GDPR also applies to them and knowing what they need to take into account. Reading a blog like this or a special AVG download will not be enough: think of several knowledge sessions.
- Set up a DPO.
The AVG obliges larger companies to appoint a DPO (Data Protection Officer). That sounds very heavy and drastic, but in practice it can simply be someone who acts as your company's contact person for questions about your data processing. In addition, if there is a data breach, the DPO is responsible for reporting it and for an adequate response to the problem.
- Perform a DPIA.
Another new abbreviation: a Data Protection Impact Assessment (DPIA). Such an assessment maps out which routes personal data travel within your company. That way you know who comes into contact with which data and whether that is necessary. You can also see which improvements you can make. In general, if employees turn out to receive or process personal data that they do not need, you are probably not AVG compliant.
- Enrich your privacy statement with AVG.
The notorious privacy statement, of which you now have a fine collection in your mailbox. Your company needs one too. Name the DPO and explain what data you collect and for what purposes. Pay specific attention to your HR department and recruitment processes.
- HR on your website.
Can candidates apply online at your company? Then you will have to ask them for permission to keep their data after the application process. You may not simply 'park' resumes in filing cabinets because you expect a great vacancy in a few weeks. You must also explain exactly what you do with their personal data: the department head who discusses their profile with people from the shop floor, for example.
- Check your safety.
It sounds logical, but all your HR-related data must be stored as securely as possible. That means: access only for those who actually need it. You must also be able to delete personal data securely, in a way that really removes it.
- Design processes for new rights.
With the AVG, (prospective) employees have acquired a number of new rights, such as the right to data portability: being able to request their own data and have it removed. These are new processes, in which you also have to verify the request. Is this really the employee who is now requesting his personal data? These new processes must be set up and aligned with practice.
AVG stress? Just start
Does it all sound like an impossible amount of work? You are not the only one who feels that way. The most important thing is that you 'just' start, and that you do so as an organization, not as separate IT, marketing or HR departments. Perhaps the most important tip: record all the steps you take together and make sure that you always have a clear plan for making your organization as AVG compliant as possible.
You may already have been frightened by the 'sky-high' fines (€ 20 million or 4% of worldwide turnover, whichever is higher). No fines have been paid yet (not even by very large companies that are very careless with it). What also applies: being able to prove that you, as an organization, are working on it in a serious, reliable way is the most important thing at the moment. So also look at what you have already undertaken and record this within your organization.