Demystifying GDPR using data
In the lead up to GDPR—and in the months that followed—we talked to a lot of our customers about ways to achieve compliance. And we’re still talking!
Based on these conversations, many have chosen to implement Workable’s GDPR Feature Pack to help automate the process. As well as promoting compliance, automating the process through recruiting software like Workable has produced a lot of interesting data.
Analyzing this data made us wonder. GDPR has changed the way we think about data. Is it possible that data could also change the way we think about GDPR? Could it, perhaps, be used for demystifying GDPR and kickstarting some industry benchmarking around some grayer areas—data retention, for example?
In a post-GDPR world, sharing (secure and anonymized) data like this can be a good way of navigating the new normal. So we’ve pulled together a bunch of our top level findings here, to start the ball rolling.
A new era of uncertainty
The only thing anybody’s really been certain of since GDPR went live on May 25th, 2018, is that no one’s really certain about anything.
How long can we keep people’s data for? Not sure, up to you. Decide what’s best, but don’t be unreasonable.
What do we do with our existing candidate database? Not sure, up to you. Decide what’s best, but you should probably delete it.
How do we ask candidates for consent? Not sure, up to you. Decide what’s best, but don’t do anything funky with their data.
How will this fundamentally change how we recruit? Not sure, up to you. Decide what’s best for you. And definitely review with legal counsel.
As a global company, we have to take GDPR seriously. We’ve always been secure. But, in preparation for GDPR legislation, it became more important for us to be able to show customers that we’re a robustly secure organization, dedicated to data protection. Which is why, in the past year, we’ve doubled the size of our compliance and security team, undertaken an arduous ISO 27001 certification process, and consulted countless legal experts. Not to mention built a new set of automatic compliance features for our customers from scratch. And we’ve also, quite literally, written the GDPR checklist for recruiting.
In the course of all this, we found ourselves asking obscure questions about legitimate interest and case law. HR Managers began acting as intermediaries between Compliance Officers, legal counsel and employees—responsible for implementing and enforcing compliance in the face of crippling fines. And, while GDPR legislators sought to provide guidance where possible and legal experts suggested some best practices, there were still many GDPR myths and gray areas. There was very little (dare I say) data to go on. Until now.
Establishing an industry benchmark for data retention
Leading up to GDPR, most of the customers we spoke to were (understandably) reluctant to delete the data they had. They were afraid of erasing years of hard work and losing good candidates to compliance.
Post-GDPR, we’ve found customers have confronted the dreaded database delete head-on, generally setting a data retention period of just under 2 years. This varies somewhat by region. Customers in the UK tend to be a bit more conservative (20 months), compared to their counterparts in the United States (26 months). But, generally speaking, 2 years has emerged as a good benchmark for data retention.
A measure of candidate interest
Only 3% of notified candidates have exercised their right to be forgotten
GDPR gives candidates more power over their own information, and we’ve certainly seen that reflected in the data as well. Over 31% of customers have had at least one candidate delete their data via the application confirmation email—a number that will unquestionably grow over time.
We’re at the very beginning of a radical shift; that much at least seems clear. The data we’ve seen so far leads me to believe that GDPR will actually help us hire better. Candidates have more control over their data, and ultimately that’s a good thing. GDPR has also forced us to make tough decisions about the data we should have access to and how long we should have access to it. And, ultimately, that’s probably a good thing, too.