Ready for the GDPR? Make sure your best asset doesn’t become a liability!

By now we’ve all heard the panicked screams and collective gnashing of teeth that is the industry’s response to the GDPR. For many HR departments the date has seemed to sneak up on them despite their best efforts. Though they are hastily drawing lines on the org chart between legal and HR, they are still far from ready. The truth of the matter is that if you haven’t begun to action that ever-growing GDPR to-do list, you won’t be ready when GDPR finally arrives. So what should you be considering as a matter of urgency?

1. Data, Data Everywhere!

As we are now so close to the deadline, it’s advisable to take a risk-based approach to GDPR, starting with a data risk assessment. The assessment requires you to review the way you manage personal data across the business and identify any data protection, information security and privacy risks. This will prioritise your compliance and maximise privacy and effective use of data. It’s likely you’ll uncover all manner of horrors at this stage too; no, it’s not OK that your desk drawer is full of old CVs, and that folder on your desktop labelled “Good ones to keep for later” might need some attention. Risk assessments help organisations classify processing activities according to their risks to individuals, thus putting compliance at the forefront and allowing appropriate mitigations to be devised. Everyone who accesses and holds data is accountable and a potential risk. Old ways of working and “but we’ve always done it this way” are no longer an excuse.

2. Tools can help, but they aren’t a silver bullet:

Once you have done your risk assessment and have managed to wrestle decades-old resumes from your recruiter’s vice-like grip, you might start to find that your current tools aren’t quite cutting it. All the goodwill in the world won’t help if you’re storing your data in a leaky bucket. Using a great tool, whether it’s a CRM or an ATS, is a great foundation for GDPR compliance, but it’s important to remember that your responsibility to regulation doesn’t stop there.

Communications theorist and sociologist Everett Rogers argues that diffusion is the process by which an innovation is communicated over time among the participants in a social system. His theory proposes that four main elements influence the spread of a new idea: the innovation itself, communication channels, time, and a social system. Whilst the GDPR will mandate change, compliance departments that want to make this change stick must ensure that these changes are also behavioural. For Rogers, adoption across an organisation can be split into different rates; the categories of adopters are innovators, early adopters, early majority, late majority, and laggards. The GDPR must become part of corporate culture: an organisation is both the aggregate of its individuals and its own system with a set of procedures and norms. Adopting new behaviours where data and privacy are concerned is important for the whole organisation. Simply put, the deadline will arrive and organisations cannot afford to have late adopters or “laggards”.

By May 25th, recruiters and human resources professionals that want to comply with the GDPR will need everyone in the team to know the how and why of the new ways of collecting and processing data. Further, those processes and expected behaviours will have to be written down as policy. It’s the responsibility of everyone in the organisation to take on board the regulations, live them as behaviours and embed them as culture. When role models are consistent, everyone gets the message, and they align towards that expectation.

Tools that you choose to implement should augment the compliance culture that you’ve already built. The best tools will add efficiencies to your organisation’s processes and be flexible enough to support future compliance obligations. Remember, even the best-prepared company with best-of-breed tools can still be undone by a wayward user. Better to prepare and embed changes now than wait until May 25th as a switch-on date.

Changing to a modern GDPR-compliant ATS is now relatively painless, but making a cultural change can take a lot longer. With all of the necessary changes to take in and act on, the time to act is now… and maybe time to sort through that desk drawer full of resumes…