Gathered around a sumptuous breakfast at Shoreditch House, Impact-ees Tom Wachnicki and Chris Beamish were delighted to host a group of 14 HR professionals, supported by a GDPR Practitioner Kieron Tarling, to hold an open discussion on the new European General Data Protection Regulations (https://gdpr-info.eu/) due to come into force on May 25th this year.
GDPR can be highly ambiguous and decisions towards becoming compliant for one company can be different to another, even in the same field of business. By focusing on the immediate needs HR teams need to address we collectively brainstormed solutions and shared ideas to address this important challenge.
“Recruitment – how long we can save CV’s for and what is the process for elimination?”
The GDPR regulations do not stipulate how long you can/cannot keep a subject’s data so the real onus on your company (The Data Controller) is to evaluate what is best for both the company and the Data Subject, a balance test.
An in-house recruitment/HR team may not have similar positions likely to become available within a reasonable time frame and as such would have a much shorter retention policy period of say three months, equivalent to the probation period of the position being filled, just in case the original chosen candidate does not work out.
The simple guidance to this question is to understand that GDPR is saying don’t collect more data than you actually need and don’t keep it any longer than it’s useable. As soon as it’s not needed, delete it. Clearly set out your reasons and rational for your policies and procedures and all should be fine
“Clarifying what consent is and how business can utilise this in the best possible way?”
Yet another “big subject” in GDPR is the matter of consent. To process personal data a Data Controller needs to establish what “Lawful Process” they will apply to each data processing stream. There are six types presented in Article 6 (https://gdpr-info.eu/art-6-gdpr/) of the GDPR of which three are most likely (but not always) to be appropriate; Performance of a contract, Legitimate Interest and Consent.
It was an extremely engaging breakfast with everyone taking a number of action points away for further discussion back at their respective bases.
Other key points which were discussed and taken away from the session were:
Making sure that organisations had a path and were on the way to being compliant by 25th May even if they might not be able to action everything by the deadline.
- Training – Making GDPR “fun” as well as educational by including “gamified” surveys for example to test employees knowledge and better improve their ways of working when using data on a daily basis.
- Using posters and other visual aids that can be incorporated into general day to day working to engender a culture of data responsibility and awareness.
In conclusion, GDPR is complex but it does not need to be complicated. Take it step by step and make sure you justify and document every process. Look at it from the eyes of the Data Subject, remember you are one yourself. GDPR does not say you can’t process personal data if your Data Processing is justified!
Testimonials:
“The event was really informative and valuable for both Allie and myself. Being a start up and also one that’s new to the London market it was great to hear from a GDPR expert about what we’ll need to do and processes we’ll need to put in place to ensure we are ready and compliant come the 25th or May. It was also great to hear from other businesses in creative industries as to their ideas about GDPR and what they have done and will do to get themselves ready.” Nick O Sullivan (Talent Manager)- Splend
“I really found the event informative, and of all the GDPR talks we’ve been to so far, this has been the best! The GDPR practitioner had such an un-intimidating approach and spoke to us in a language we could understand which has been something we’ve been struggling with. As awful as GDPR is he really helped with our understanding. And it was a lovely group too – very open and honest.” Lisa Dyson (HR Advisor) – BBH
“Congrats on the roundtable, it was definitely one of the best one of these types of events I’ve attended. Great venue, really knowledgeable host who was able to make what is quite complex and somewhat unknown subject matter really digestible, and a nice group of attendees!” Brad Richards (Head of Talent Acquisition) – Badoo
“A great introduction to GDPR which made it a lot easier to understand, and was very informative. There were clearly highly levels of engagement demonstrated by attendees as it generated a lot of discussion.
We were able to not only learn practical tips from the practitioner, but also from each other and it has really helped outline new processes we will need to implement going forward. Overall I came away feeling a lot more positive about GDPR.” Rosanna Redshaw (HR Manager) – James Grant Group
“I really enjoyed the opportunity to speak to peers in an informal setting both about GDPR and general topics in HR. It is often not easy to get the opportunity to meet senior HR people and share ideas and challenges in an open and honest way and I thought the event was pitched perfectly to facilitate that. GDPR is a huge challenge for all of us and it is nice to know that we are all experiencing the same issues in the practical application. I thought the speaker was very practical and provided great advice on how to navigate our way through the ambiguity of the legislation.” Jennifer Buckley (Chief HR Officer) – Smart Focus