Companies Risk ‘Hefty Fines’ By Failing To Destroy CVs
Talent managers and HR officers are putting their employers in danger of facing penalties of as much as £17.5 million if they fail to destroy job applicant CVs, as they can contain sensitive information that falls under imminent data protection regulations.
HR News reports that the General Data Protection Regulation (GDPR), which comes into force next month on May 25th, applies to all businesses that process the personal information of citizens of the European Union.
HR managers are especially at risk of flouting these laws by failing to systematically send all CVs kept ‘on file for future reference’ for sensitive data shredding, as the documentation associated with applying for positions tends to reveal sensitive information about the candidate.
CVs and job applications tend to reveal individuals’ home addresses, their national insurance details, middle names, confidential information concerning their physical or mental health, and even whether they have a criminal record.
Under the new GDPR laws, job candidates have six rights, starting with the right of access, which means the individual in question can request to be informed about what the holder of their data intends to do with it.
Individuals under GDPR also have the right to rectification, which means they can amend or update any data held about themselves on file, as well as the right to erasure, meaning they can have their data expunged from a database at any time they wish.
Job applicants also have the right to request that the processing of their data into a database be suspended - also known as a right to restriction of processing - as well as the right to export all their data from the holder’s system.
Finally, candidates have the right to object to their data being processed indefinitely. In other words, ‘we’ll keep your details on file for future positions’ will become a thing of the past.
HR officers need to protect their employers from serious data breaches and fines by destroying these documents, as organisations found to be in breach of GDPR - which includes not having a person’s consent to process their data - can be fined £17.5 million or four per cent of their annual turnover, depending on which figure is greater.
There are some steps HR departments can take to ensure their operations are watertight when squaring up to GDPR.
Personnel Today recommends starting with a thorough data audit, including a review of the incumbent HR data processing systems, allowing the department to find any weak links in the chain in good time.
HR departments should review and update their existing privacy notices to comply with GDPR in an easy-to-understand way, while it is recommended the team develops a data breach response protocol to ensure prompt notification, with allocated officers in charge of investigating, containing and reporting a breach.
Finally, HR departments should be able to determine whether or not a dedicated data protection officer needs to be appointed if their organisation handles enough data to warrant it, to avoid overloading the department. The individual must be specially recruited and trained, which may need to take place outside of usual training systems.