TargetCW Privacy
Global Privacy & Data Protection Office


Worker, Vendor and Client Resource

Is the Staffing Industry Ready for GDPR?


With the imminent requirement for companies to ensure full compliance with the General Data Protection Regulation (GDPR), which goes into effect in May 2018, it is pertinent for companies in the staffing world to review their existing policies and create new ones where needed to meet the regulations set by the GDPR. It doesn’t matter where in the world your company is based; it only matters whether the company is storing, or will ever store, information on a person who resides in the European Union. In fact, the GDPR will act as a guideline for every country in the future in terms of data protection compliance, so it is only smart to get ahead of the changes needed and enact them for all data held. Doing this ensures a company will know that it is compliant with any data protection regulations that are required now or in the near future.


Implications of the GDPR on Staffing Agencies

Even though all companies will be required to follow the GDPR, there are some where this requirement will be even more pressing, such as in agencies that deal with staffing. Whenever a person is hired by an alternative company there is the onward transfer of data on the individual employee to the new company. An agreement needs to be in place between companies about the protection and retention of data prior to it being sent. This is important for all companies, whether they deal with employees on an international landscape or even if all transactions are within national borders.


Company Liability

When a company that holds a worker’s data has a business need to share that data with another company, the original company has an onus of responsibility to make sure that the employee data is shared in line with the GDPR. This means you are responsible for data sent to an outside vendor, and you can be penalized for their mishandling of it. Onward transfer agreements are typical for companies that need to share private or personal data; they make the receiving company liable for the safekeeping of the personal data in the same way that the original company was. Onward transfer agreements are typically used any time a national border is crossed, so that the receiving company is held to the same level of data protection as the supplying company.



It can be very difficult to know whether a breach of a worker's data has happened. If information your company sent to a third party were to be breached, there isn't any outside regulatory agency that is responsible for reporting this breach. There is no international agency to which breaches of data by third parties are automatically reported, and it will often be the case that the first you hear about a breach of data is after the fact, when it is too late to do anything about it. The only way to stay safe from a company’s perspective is to follow a strict application of data safety from the outset.

If a company shares someone’s private data with another company that then breaches the privacy of that data, there could be ramifications for the company that shared the data. It is crucial for parties to understand that they must take all reasonable steps to maintain the safety of private data.

Simply using a staffing agency as an employer of record does not mean that you will be absolved of any wrongdoing when information that you shared in relation to a private individual is not taken care of responsibly.

If a breach of data does occur and the worker lives in the European Union, then no matter where in the world the breach occurs, the company that had the breach must report it to the authorities within 72 hours of the occurrence of the breach itself.


Data Protection Officers

Given the importance of the GDPR in the staffing world, it only makes sense to have a specific person in each company responsible for the safekeeping of all persons’ private data that is held by the company. In this sense, a data protection officer (DPO) is required for some companies and is a good measure for all companies to take; the DPO can act as a single point of information on the topic and will act to keep the company in compliance with the GDPR at all times.

The different aspects of the GDPR which all staffing agencies need to stay aware of include:

- The requirement to keep all data in a consistent format and to share all data held on an individual with that individual should the company be asked to do so.

- Consent has to be confirmed before any data is held on any individual residing in the EU, so prior to creating an account for the person the company needs to confirm that they do hold the required consent.

- There will be a requirement to prove that the data is being stored safely, so the company will have to ensure that someone knows how to prove that whenever requested. (This is another reason why it is such a good idea to appoint a data protection officer.)

- Persons whose information is being stored also have the ability to request that the information is deleted, so it is important for companies to have a specific process for deletion of private information.

Ensuring Compliance with the GDPR

To make the company wholly GDPR compliant, it will be vitally important to undertake a full assessment of the company to bring to light any area of noncompliance that needs to be changed. On top of this, make sure that all areas of the company that are impacted have been flagged for a thorough review. Common areas this affects include human resources, payroll, marketing and recruiting.

Identify how information flows through the company; this would include everything from the receipt of an applicant’s resume within the process of onboarding all the way through to sharing their information with third-party companies. Ensure that all third parties you might share workers' data with are GDPR compliant prior to sharing any more information with them. Create a checklist for internal use that all employees will follow relating to the retention of data. Make sure that procedures continue to be followed by constantly monitoring for proper data retention. This will be vital in terms of ongoing compliance and will make the difference in the long run.




Making sure that your company is on track to comply with the GDPR is a necessity for all companies that need to retain the data of a person who resides in the European Union. Due to the digital landscape of contemporary business, it will not come as a surprise in the future when further jurisdictions require similar protection for their citizens’ private data. Once a company complies with the many requirements of the GDPR, it can ensure that it is in line with regulations on an international level. Appointing one person in the company to be responsible for ongoing compliance is something that is not only required in some cases but recommended for all.


Randel Pronschinske