Interviewing our GDPR steering group
The GDPR is now less than one month away, and the Hireserve office has been a hive of activity preparing for the new legislation – from our HR and Marketing departments, through to our Services and Development teams.
Preparations have ranged from updating Hireserve employee contracts to delivering enhancements in the ATS and updating our marketing communications.
We caught up with four members of our GDPR steering group to explore what key roles each member has played, and hopefully inspire the same collaboration across other organisations.
Our road to GDPR compliance started over a year ago, and is still ongoing. What has the journey been like over the last year, from our initial awareness of the GDPR through to the final preparations currently underway?
Emma (Head of Marketing): There has been a lot of hard work internally, reviewing ICO guidance and professional advice from industry bodies. We have created a cross-functional GDPR steering group, which has been hugely beneficial to the entire business, and made sure the GDPR has been high on the agenda for the last 18 months.
Hannah (Marketing Manager): It’s been a learning curve, and some days I’m not sure what we did before GDPR! But it can only be a positive opportunity for us to review the way we collect and store data. In our digital world, it’s become so easy for organisations to source personal data that the scope for misuse is pretty wide – so the changes the GDPR is introducing are very timely and needed to bring some businesses back into line.
Simon (Technical Product Manager): We’ve tried to absorb as much as we can of the industry-wide (and cross-industry) discourse on the new regulations and their ramifications, in addition to absorbing the wording and minutiae of the regulations themselves.
How did we ensure Hireserve ATS supported customers in compliance?
Simon: All of that research and information allowed us to define what an ideal, deliverable and customisable solution would look like. With this in mind, we could then start work on enhancements to our own product.
Once we’d outlined what the ideal solution to the GDPR would look like, we then started discussions with our customers to understand their differing interpretations and approaches, and evolved a solution that will ensure they meet their responsibilities as data controllers.
Emma: With product development, we always strive to create the best-in-class, most agile and adaptable functionality for our customers. The GDPR has been no different.
Our goal is to ensure it exceeds our customers’ expectations and to make sure they will easily meet their legal obligations.
But of course, there were challenges along the way. What kind of challenges did Hireserve face on the road to compliance?
Beverly (Head of People): Internally, the initial challenge was time. Everyone is so busy with their core responsibilities, so taking on additional tasks has proved to be a balancing act, but one that everyone has enthusiastically addressed.
GDPR compliance is a double-sided coin. The Hireserve team not only have an obligation to meet the GDPR requirements in their day-to-day roles, but their own personal data is also affected by the new data protection rights. This meant it was easier for them to understand why we need to change things internally.
Hannah: From a marketing perspective, there have been two key challenges. The first was reviewing the data we hold for Marketing and Communication purposes and ensuring that we follow the right processes to store and collect it lawfully, fairly and securely. This has taken a lot of time and we have really had to make sure we understand all aspects of the new legislation to make sure we are making the right changes to our processes.
The second was communicating changes in the way we process data, and our approach to GDPR, to the people we speak to. Making these communications accessible has been an interesting challenge, as it’s a hefty piece of legislation!
What advice would you give to other organisations preparing for the final month before the GDPR lands?
Beverly: There’s no need to panic. Remember that businesses need to show a responsible attitude to the management of personal data and, importantly, keep in mind that the GDPR is building upon data protection processes that organisations will already have in place.
If you haven’t started preparing yet, don’t worry. Make a plan, prioritise your actions, share responsibilities and work to it. You’ll be surprised at how much you can accomplish! You can also find more information on what to do next on our website.
Hannah: I think it’s really important for organisations to ensure members of their Marketing and Communications team have a strong understanding of the GDPR, as that knowledge has to underpin every communication and action the team takes. This internal education itself can be a challenge!
And as Bev mentioned, it’s important for organisations not to panic. The 25th May is a deadline to work towards, but our understanding is that the ICO is not going to swoop down on the 26th May and start handing out huge penalties.
What organisations do need to do is demonstrate intent that they are trying to work towards better, fairer and more sustainable processes, even if they are not fully there yet.
What happens next?
Hannah: Any changes or improvements to process made in advance of the GDPR have to be maintained after the legislation. It should be best practice – organisations must keep ensuring that their data processing remains lawful, secure and fair.
Before asking for information, everyone should consider the question, ‘What is the exchange of value here?’ Ask, ‘Is it fair for me to process this data – have I weighed up the business benefits against the data subject’s?’ Organisations should be regularly reviewing their data processes, ensuring their data protection and information security measures remain in place and should be mindful of their data retention periods.
Once the new legislation comes into play, data subjects will have widened rights, and organisations may find there is an increase in data subject requests – so they’ll need to make sure they have robust subject access request policies.
Beverly: Once all policies, processes and practices are in place, HR cannot sit back and think, ‘job done’! GDPR obligations are here to stay and organisations need to be prepared to monitor, review and (where appropriate) update practice and procedure to maintain their GDPR compliance.
So, are we ready?
Beverly: Just about! The team fully understands the need for the company to meet its new obligations.
Emma: The last 18 months have been a steep learning curve, but I believe we have created really strong foundations with our internal processes, customer communications and product functionality. I feel really proud of what we have achieved across the business.
Thank you everyone.
We hope these insights will give hope to other organisations – even SMEs – that with cross-collaboration, a shared understanding of the importance of the new legislation and a desire to implement strong data processes, being well-prepared for 25th May is well within reach.