GDPR | SmartRecruiters Blog https://www.smartrecruiters.com/blog You Are Who You Hire Wed, 04 Mar 2020 21:25:43 +0000

Despite the Recent Google Fine, GDPR is Proving to Be Helpful for One Particular Group: Recruiters https://www.smartrecruiters.com/blog/despite-the-recent-google-fine-gdpr-is-proving-to-be-helpful-for-one-particular-group-recruiters/ Wed, 30 Jan 2019 09:36:40 +0000 https://www.smartrecruiters.com/blog/?p=38104


News of Google’s 50 million euro fine has rocked the business world, but as other multinationals panic, recruiters can rejoice in some of the unexpected benefits of the GDPR regulation.

On January 21st, 2019, the French Data Protection Authority announced from Paris it would be slapping Google with a 50 million euro fine, or around 57 million dollars, for not correctly disclosing to its users how their data would be collected and managed by its search engine and services such as YouTube and Google Maps to present personalized advertisements.

As one regulator put it, “Google’s practices obscured how its services can reveal important parts of their user’s private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”

This comes as the fourth and the largest fine brought against a company breaching the new General Data Protection Regulation (enacted in May 2018) and sends a message to the rest of the business world that no corporation is too big to avoid penalties. Google is determining whether to appeal the fine, but faces an uphill battle, as history has shown through multiple billion-dollar fines that the European Union does not favor the tech giant.

We, at SmartRecruiters, have been following the development of these measures since they were announced, bringing attention to the fact that many people didn’t know if their Applicant Tracking System (ATS) was up-to-date. (Evaluate your ATS here!) We also covered the Cambridge Analytica scandal, detailing how the business community is reacting to the changes that need to be made in order to stay GDPR compliant.

Now that we are in 2019 and the world has not imploded over these new regulations, SmartRecruiters has some new information that demonstrates that GDPR has actually had some positive effects, specifically in the world of recruiting. I know, crazy to think that bureaucracy had any benefits… but hear us out, and check out this infographic below describing them.


Based on this infographic, we can see that one of the natural consequences of making the hiring process and data collection of applicants more transparent is more engaged candidates. People have overwhelmingly responded to the request to consent option (83 percent) in less than a day, with less than one percent having deleted their profiles.

When candidates feel that a company is respecting their information, they are more likely to interact with the hiring process. Companies have gotten in on the action as well, and 79 percent of SmartRecruiters customers have included a company or country-specific privacy policy. 63 percent have also internally trained their staff to properly process their personal data, which is significantly more than in the rest of the world, where only 10 percent of companies have enacted the same measures.

These efforts by and large benefit recruiters, as they do not need to worry whether their company’s management of candidate data breaches GDPR compliance, and they have candidates more willing to engage with the hiring process.

SmartRecruiters’ efforts have made our customers some of the most prepared for GDPR compliance and because of that, they are not sitting in the same hot water as Google or Facebook at this moment. If you would like to know more about SmartRecruiters’ resources, check out our SmartRecruiters’ GDPR Resource Kit or FAQ page for answers to all the most common recruiting questions concerning data privacy.

The 5 TA Predictions to Guide Your 2019 Recruiting Strategy with CEO Jerome Ternynck https://www.smartrecruiters.com/blog/the-5-ta-predictions-to-guide-your-2019-recruiting-strategy-with-ceo-jerome-ternynck/ Thu, 20 Dec 2018 14:15:40 +0000 https://www.smartrecruiters.com/blog/?p=37826


Here’s what will define Talent Acquisition (TA) in the coming year, and how your team can win in the 365 days ahead.

2018 was defined by deep, recruiting-AI integrations, including the first AI native to an applicant tracking system (ATS) in the form of SmartRecruiters’ SmartAssistant, and a data security revolution heralded by the general data privacy regulations (GDPR) in Europe, as well as similar legislation around the world.

No story ever ended neatly at the stroke of midnight on December 31st. We will continue to see AI take root, and data security will remain top of mind. Yet, as a new year begins, one can’t help but look back at the last journey around the sun to identify the lessons that will prepare TA for the next 365 days.

To understand better the trends and challenges of 2019, we sat down with CEO and founder of SmartRecruiters, Jerome Ternynck, to learn how a new ‘marketing’ outlook shaped by a laser-focus on candidate experience, and a mastery of tech, will get TA into the boardroom this year.

Five Predictions for Talent Acquisition in 2019


1) Recruitment marketing or bust…

“Source candidates like an outbound marketer. End-to-end recruitment marketing, branding, and candidate relationship management systems (CRM) with consumer-class candidate experience throughout — Recruiters need to leverage the whole gamut by proactively sourcing, building talent pools, and nurturing relationships in order to compete for top talent in today’s candidate-driven market.”

2) Diversity and inclusion are ‘non-negotiables’…

“If you don’t have a strong D&I strategy (there are many ways for it to be simple but effective), you’re losing the long-term talent game.”

3) TA is boardroom-ready…

“We’ve always known that hiring success = business success, now it’s time to show the world. This is how we’re going to do it: Today’s leading TA Suites provide you with all the data and insights you need to drive hiring success and, by extension, business outcomes. A simple hiring success dashboard with net hiring score, velocity, and budget metrics is easy for a boardroom to grasp. It’s no longer about faster and cheaper — it’s all about the value created! We tried it, our customers adopted, and it works.”

4) Think ‘global’, act ‘local’…

“With more and more companies evolving towards distributed workforce models, often spanning across 3-5 offices/countries, your TA strategy needs to be global, yet your tools and processes need to be local. Think detailed configurability within an overarching collaborative platform as the staple ingredients for a successful recruiting strategy.”

5) Digital savvy is the ultimate differentiator…

“Tech, tech, and more tech. From AI and blockchain to chatbots and scheduling, it’s all happening online. These digital solutions have made it possible for recruiting to deliver results to the boardroom. Growth strategy will increasingly depend on tech stacks, and the partnership between vendors and customers will be key to driving business growth.

Necessity breeds invention, and that’s what we’ve seen with TA over the last decade. As the talent economy becomes more competitive, tech rises to the challenge to support recruiters and bring hiring to the next level.”

The California Consumer Privacy Act is Coming. What Does it Mean for You? https://www.smartrecruiters.com/blog/the-california-consumer-privacy-act-is-coming-what-does-it-mean-for-you/ Tue, 21 Aug 2018 14:19:53 +0000 https://www.smartrecruiters.com/blog/?p=37124


New state privacy laws mean doing business in California will come with new levels of compliance. To avoid complications – and hefty fines – follow this simple guide.

The first half of fiscal 2018 was festooned with the lead balloon of the General Data Privacy Regulations. An EU initiative years in the making, GDPR aimed to protect European citizens’ personal data online, and as any international company would include a European employee, customer, or contractor somewhere along the way, failure to comply with Brussels’ legislation would result in the kind of fines that could put your lights out for good.

Like the fidgety lead-up to Y2K, there were prognosticators and doomsayers, but aside from a few lawsuits aimed at big game trophies like Facebook or Google, GDPR’s implementation date of May 25th passed mostly without incident.

Now, just when you thought it was safe to kick back and congratulate yourself on your glocal business being GDPR compliant, some yahoo in California’s gone and added another layer to this digital tiramisu.

The California Consumer Privacy Act (CCPA), a bill passed as AB-375, means that a business collecting, storing or selling any Californians’ personal information will have to fall in line with this new legislation. We’ve got until January 1st, 2020, to get this done.

As it was with GDPR, firms have some time to lawyer up and get CCPA compliant to avoid fines currently set at $7,500. While this amount, as well as what the act will actually enforce, could change between now and activation day, the underlying premise remains: Legislators “are concerned that misuse of personal data may have ‘devastating’ effects for individuals, including financial fraud, identity theft, unnecessary costs to personal time and finances, destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.”

Providing the kind of legal advice market innovators will need to assure compliance, international law firm Cooley has put together an FAQ on the subject, starting with who will need to get what straight in the next two years.

If you are a company with annual gross revenues over $25 million; if you obtain personal information from over 50,000 California residents, households or devices per year; or if selling any combination of this information accounts for more than 50 percent of your annual revenue; best pay attention and call Cooley.

Hey, my business isn’t based in California, this doesn’t apply to me.

Although there are grey areas state-by-state, if your business is online and you have even one customer from California, best to consider yourself as on the hook.

Ok then. Define customer.

California law would define customers as individuals in the state for other than temporary or transitory purposes, and individuals domiciled in the state who are outside the state for a temporary or transitory purpose. But since this definition is not limited to residents that buy goods and services, “consumers” would also include others, like, for example, an organization’s employees residing in California.

Fine. Now what does the CCPA define as “personal information”?

Well, a lot. There are the obvious things like your real name, postal address, IP address, email address, social security number, or driver’s license number. But it also encompasses commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies. And of course, your geolocation data. See a more comprehensive list in the Cooley FAQ.

But my company already went through GDPR and passed with flying colors.

Congratulations on that. Must have been no small feat. However, you will have to address the CCPA framework separately. Obtaining consent, for example, is a different process, and EU regulatory enforcement has, to date, been limited. In the US we expect more rigorous regulatory oversight. As such, to reduce clear and present risk, CCPA compliance will necessarily be more involved and precise. You’re not out of the woods yet.

And if one were to just ignore it?

Those found to be in violation would be subject to penalties pursuant to a civil action by the California attorney general, as set forth under Section 17206 of California’s Business and Professions Code. This provides for penalties up to $2,500 per violation, and a company found to have violated the CCPA intentionally would be liable for up to $7,500.  

So if I take care of all this now I’m good.

Given this law being passed so quickly, and the number of companies that would be affected already kicking up a fuss, the details will have to be monitored as January 2020 approaches. Stay tuned as we report new details as they come to light.

Hiring Across Regions: Privacy Compliance Made Easy https://www.smartrecruiters.com/blog/hiring-across-regions-privacy-compliance-made-easy/ Thu, 05 Jul 2018 14:00:38 +0000 https://www.smartrecruiters.com/blog/?p=36798


Just when GDPR was starting to feel manageable, California piles on by passing a sweeping new online privacy law. Don’t worry, HR. SmartRecruiters got your back.

So, you’re a hiring manager at an international company sitting in Silicon Valley. You’ve been studiously, judiciously, taking your anti-anxiety medication through the run-up to and implementation of the European Union’s General Data Protection Regulations, making sure all the personal data you’ve stored complies with the directives from Brussels, and so far, your company hasn’t been fined. Post-May 25th tensions have dialed down and everyone on your team knows what needs to be done to protect the data of candidates, as well as past and current employees. This is good.

And then the California state legislature goes and unanimously passes AB-375, set to go live in January 2020, quoted in Fortune as “almost European-grade privacy rules”.

And if Europeans felt that the GDPR framework came from too high up with too little consultation, Californian Robert Callahan, vice-president of state government affairs for the Internet Association, feels about the same. “Data regulation policy is complex and impacts every sector of the economy, including the internet industry,” he said. “That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning.”

It’s still early days and future experts are just now boning up, but while we can expect the same kind of anxiety and speculation that occurred around GDPR, SmartRecruiters has made sure that no matter the size of your business, we provide global compliance features to keep you covered, as of, well, right now.  

That means even our smallest customers will be able to:

  • Set a Privacy Policy (default or country-specific)
  • Set a Data Retention Period (default or country-specific)
  • Turn on GDPR Setting Automatic Deletion (default or country-specific)
  • See what privacy advice is given based on country or countries of operation

More on this to follow as Big Tech hits back at the new law, and we investigate the ins and outs of what California companies will have to do to comply with yet another layer of data privacy protocol.

Is Your ATS Ready for GDPR? 70% Say No. https://www.smartrecruiters.com/blog/is-your-ats-ready-for-gdpr-70-say-no/ Thu, 24 May 2018 12:28:10 +0000 https://www.smartrecruiters.com/blog/?p=36302


HR, is your ATS a partner in GDPR preparation? Or, are you, like many others in talent acquisition, left to figure out these new data regulations on your own?

We surveyed a group of TA leaders from across ATS providers and most GDPR-related questions leave HR shrugging its shoulders. “I don’t know” shouldn’t be the mantra for a huge piece of legislation that comes into effect May 25th, 2018—affecting all the EU member states, of course, but also anyone doing business with these countries—that means you, America!


GDPR is a principle-based piece of legislation, which means compliance has to be in your company’s DNA. There’s no one-size-fits-all solution. However, we have some essential information that will get you started. Check out our SmartRecruiters’ GDPR Resource Kit or FAQ page for answers to all the most common recruiting questions concerning data privacy.

GDPR: Does Your ATS Vendor Have You Covered? https://www.smartrecruiters.com/blog/gdpr-does-your-ats-vendor-have-you-covered/ Fri, 18 May 2018 10:22:12 +0000 https://www.smartrecruiters.com/blog/?p=36249


We are mere days away from the European Union’s game-changing data privacy legislation. If you’re in Talent Acquisition, your first question is whether your ATS is a strength or a liability.

For citizens of the European Union, the General Data Protection Legislation (GDPR) will protect and enforce how their private data is used and stored online, anywhere in the world. In the wake of the Cambridge Analytica/Facebook scandal and growing malaise about online organizations monetizing user profiles, new rules from Brussels are, for once, largely welcomed by netizens.

For companies that do business with the EU, or employ even one of the EU’s 500 million citizens, becoming GDPR-compliant before May 25th has been everything from a mild headache or a few extra legal bills to a complete overhaul of how customer/employee data is stored.

Whether in Europe or elsewhere, you may have noticed several changes to your favorite sites and platforms’ Terms and Conditions recently. Not that you went and checked. Everyone from Facebook to Twitter to LinkedIn has been emailing, and with various shades of marketing-speak, asking you politely and humbly to update your service agreements. And GDPR is the reason.

Talent Acquisition leaders, has your Applicant Tracking System done the same? If not, you could be in trouble. And with maximum penalties for non-compliance set at 4% of last year’s annual gross, or €20 million, whichever is higher, those who’ve ostriched themselves from the hassle could potentially face bankruptcy.

A whopping 70% of those surveyed said they weren’t ready for GDPR, and a lacking, lagging ATS is as big a part of the problem as human indifference.

HR and Recruiting are the great crossroads of GDPR. Our business is based on collecting and analyzing personal data, so we have to be extra-vigilant. Now that GDPR is real, SmartRecruiters (in GDPR terms, the Data Processor) wanted to see if everyone, or anyone, in the field had put in the same amount of work we have into being GDPR compliant. We surveyed a group of 30 TA professionals who use various ATS vendors, to see how clear they were on GDPR compliance and where they may have missed some details. The results were, well, not great.

But don’t freak out just yet. Let’s start with the basics. GDPR requires TA departments (the Data Controller) to store information on candidates (Data Subjects) with their consent. This could be a fix as easy as adding a second T&C button that gives you permission to store their data, which, given that they wanted to send you their CV in the first place, should be fine. GDPR just means you have to have their clear and unambiguous consent, and if they ever ask you to delete their data, you have to be able to prove you have. Easy enough, but 32% of respondents didn’t know if their ATS was capable of that, and over 50% didn’t know if, when, or how a candidate’s consent was obtained or stored. Ten percent were certain their ATS did none of this. Yikes. This is compliance 101, people. And given the reams of often ambiguous clauses in the regulation, relatively easy to patch.

If you’ve got your candidate-facing front-end covered, it’s time to look at who exactly has access to the data you store. Our respondents scored a little better here, with 90% of them aware of access limits to the data stored on their ATS. However, 20% said they kept no log of who in their organization had access to the personal data at what time, and that’s a GDPR no-no.

Meanwhile, 72% of those surveyed confirmed their ATS kept logs of interview feedback and recruiting notes throughout the hiring process – if not satisfying the GDPR demand for “transparency”, then at least proof of operating in good faith, which the more overarching of regulations value highly. They know better than anyone how hard full compliance will be. The big problem here is that 61% said they didn’t know whether the same data sets were transferred to third-party vendors, like payroll or onboarding applications. That’s a problem. It’s precisely this kind of hole that regulators will consider a data breach – and under GDPR, reporting a data breach is mandatory.

If you’re wondering about the compliance capability of your ATS, ask yourself whether your ATS allows you to

  • Set access authorization policies to limit access to candidate data?
  • Support limited access rights for Works councils?*
  • Log changes in access rights?
  • Limit cross-border data transfers, e.g. between the US and Germany?
  • Provide a process to map data transfers?

In regards to candidate data processing, does your ATS

  • Keep a record of processing activities in place?
  • Destroy, erase or anonymize candidate data when no longer legally required?
  • Comply with regional data retention limits or specific legislation, if there should be any?
  • Let candidates exercise the right to update their data by themselves?
  • Fulfill right to be forgotten (RTBF) requests?
  • Analyze all of the personal data you store and process to improve data governance?
  • Map all processing activities in order to identify all processors incl. third parties (in EU and in third-party countries)?

For data security, can your ATS provide

  • A written Data Processing Agreement (DPA)?
  • Incident management policies?
  • A data recovery policy?
  • Secure data backups?
  • Notifications to inform you and your candidates of data breaches?
  • A Data Protection Officer registered within the EU to oversee security-related issues?

If your palms are starting to sweat a bit, your ATS provider should, legally, have all the answers you seek, and if they don’t, well, don’t fall prey to the sunk-cost fallacy. Get out asap and sign on with an ATS vendor that knows what they’re doing.

We’re pretty sure we can recommend someone to help you with that.

Write to us at SmartRecruiters for your free GDPR-compliance assessment.

*A Works council is a body of employees elected to represent their fellow employees. Works councils exist in many European countries, including the United Kingdom, Germany, Austria, the Netherlands, France and Spain.

 

Talking Data at Unleash, or, Advice Facebook Could’ve Used https://www.smartrecruiters.com/blog/gdpr-at-unleash-advice-facebook-could-have-used-a-year-ago/ Thu, 22 Mar 2018 11:00:59 +0000 https://www.smartrecruiters.com/blog/?p=35662


Just because there’s no one fix for GDPR compliance, that doesn’t mean there aren’t solid ways to keep from pulling a Zuckerberg-level cock-up.

Photo credit: Raphaël Labbé from Paris

This week, in London; it was a speech to disappoint anyone hoping to snag a secret recipe to comply with the fast-approaching General Data Protection Regulations, or GDPR – the European Union’s play to shield its citizens’ online information from precisely the kind of parasitic commercial pilfering brought to light by the ongoing Facebook/Cambridge Analytica scandal.

Unleash Conference, Main Stage; it was a frightening but opportune confluence, as Ardi Kolah, director of the GDPR global transition program at Henley Business School, explained to a large section of 500 Talent Acquisition professionals, that with breached-data threatening one of the most powerful players on the web, causing its once-bulletproof stocks to plummet, most organizations won’t be adequately protected when the new laws kick in on May 25th.

To understand this new legislation, “consider the bill’s genesis as a way to regulate the digital marketplace, a codification of best practices, as opposed to protection against malevolent hackers,” says Kolah, “and GDPR will make a lot more sense.”

That said, it’s hard not to conflate fears around what GDPR could do to your business with what Facebook’s going through in the wake of the revelation that consulting firm Cambridge Analytica amassed data from up to 50 million profiles that were used, via Facebook, to sway votes in favor of the 2016 Trump campaign. These actions contravene not only Facebook’s own rules, which forbid third parties from using any user data for commercial means, but had GDPR already been implemented – given that it’s not only applied to EU citizens in Europe, but anywhere they exist in cyberspace – this kind of data scraping, from that many profiles, would more than likely have fallen under its legal purview, and possibly cost Facebook four percent of its annual profits. (Facebook has reportedly lost about as many dollars of stock market value as there were affected users.)

Facebook founder Mark Zuckerberg has denied that the net-quaking profile harvest was any kind of theft at all, and this issue isn’t going to go away soon. But to bring the issue into a more earthbound context, if, say, a medium-sized company has followed Kolah’s advice and retained legal counsel to ensure compliance, what would happen should they experience an involuntary breach?

Kolah maintained that each situation will be unique, but laid out the basics for what an action plan could look like:

  • Identify risk in areas of your business or service at high risk of data breach.
  • Mitigate the risk by tightening up porous areas which can be carefully monitored.
  • Record your efforts to mitigate risk, to increase transparency, and protect your company should a data breach occur.

The biggest takeaway is that training is your first line of defense. Anyone in your company handling data that relates to information of EU citizens protected by GDPR should be schooled in handling this sensitive information appropriately.

“If your company experiences a data breach,” warns Kolah, “you can be sure HR will be paid a visit, and the first thing these government agents will ask for is your training records.”

But, he noted, good faith efforts like training will certainly move the needle in your favor if you find yourself on the wrong side of GDPR:

“I don’t think the EU will be chasing anyone down the street with random punishments. They are much more concerned about people who will deliberately put millions of people’s data at risk without blinking an eye in the name of profit.”

Right now, in every business leader’s head; while no one knows 100 percent how they or their business communities may be affected, for the time being, it’s most important that your business is seen as being trustworthy with sensitive personal information, the kind of trust that Facebook, a harbor for billions of online profiles and thus saleable personal data, is bleeding, profusely, right now.

Designing for GDPR, by a designer https://www.smartrecruiters.com/blog/designing-for-gdpr-by-a-designer/ Thu, 01 Feb 2018 15:06:18 +0000 https://www.smartrecruiters.com/blog/?p=35255


Now that you know what the GDPR will require of you legally, and, in principle, by design, we enlisted one of our own Smartian brainiacs to share what product designers are dealing with on the ground, and in practical terms. You’re welcome.

There are many takes on how to bring your company into GDPR compliance by May, but while your amazing product and legal professionals are busy interpreting the letter of the law, the next step is to work within those definitions to manifest the requirements into simple, clear UX for end users.

In SmartRecruiters’ case, we have several users to think about, and we needed to remove recruiting teams’ worries about “Am I being compliant?” while also being upfront with candidates about what we’re doing with their personal data.

So what is that sweet spot on how far to technically and legally push the design in end-users’ favor, without your site’s front-end looking like a multiple-choice questionnaire?

Keep asking questions

Once you have a list of GDPR requirements laid out, such as where in your product you require active consent, where you need to provide the opportunity to withdraw, etc., start the design process by asking yourself some questions:

  • What exactly are you doing with visitor information/data?
  • What can I do to make for a smooth user experience?
  • How do I balance that smooth experience with my own technical and business needs?

Allow us to work in hyperbole to give you some examples. For instance, if you allow users to create profiles on your site:

This is Bad UX

We know you want to prevent users from deleting their profiles, but you shouldn’t put a long flow in the way, leaving a user feeling disappointed, rushed, or any combination of less-than-positive emotions. Not only would this friction alienate these users, it would also not fit the GDPR requirement for “easy access”.

There is also Too-Literal UX

A big red button hits the requirements of “easy” and “clear,” but that kind of prominence obviously increases the likelihood of a click, which would come at a cost to you in higher numbers of deletes/withdrawals.

Aim for Sweet-Spot UX

Human mental models dictate that scrolling down is often where the action is. Footers are normally where you find unsubscribes in emails and sitemaps on websites, and they also keep exit actions out of a user’s line of thought, while not making them inaccessible either. In this case, it would be appropriate to place any “manage” or “delete” actions in a footer. But if you have the time, you can always user test to make sure this holds true for your context.

Be Clear and Honest

Once you have the answers to the questions above, ultimately the key is to be clear about your intentions.

Think about why GDPR is there in the first place: to give the sense of control back to users. Build this into your user flows. If they no longer want their data associated with you, understand why instead of going on the defensive. Where would they intuitively go to withdraw their consent? Do they know exactly what that means? How can we make it clear what happens when they press the button, enacting their “right to be forgotten”?

Forming and answering these questions can be fun, and approaching any regulation design in this way transforms compliance into less of a begrudgingly implemented requirement, and more of a way to do your duty in making the internet a better place.

The post Designing for GDPR, by a designer first appeared on SmartRecruiters Blog.
The Fast-approaching GDPR by – and for – Design https://www.smartrecruiters.com/blog/the-fast-approaching-gdpr-by-and-for-design/ Mon, 29 Jan 2018 14:00:57 +0000 https://www.smartrecruiters.com/blog/?p=35199

When the European Union’s new data privacy rules are implemented on May 25th, the way the web is regulated will change forever, and it’s not just a legal issue. After the lawyers, product designers are next in the compliance hot-seat.

You’re no dummy. You’ve known for a while now the European Union’s General Data Privacy Regulation becomes enforceable on May 25th. You know that whether based in Europe or not, if you do business with an EU company or have even one European citizen on your payroll, you’ve had to rejig how you store personal data, either compiled internally on your servers, or gathered from your company’s website, be it from customers, new-hire candidates, or employees. You’ve consulted your legal department and even retained outside counsel to assure that when the clock strikes midnight on May 24th – in GMT+1, of course – none of your company departments will be left hanging in the breeze.

And since you’ve got that sorted, the next step is to examine how GDPR compliance will affect your product design, because chances are you have a website, and we’ll lay down cash money it wasn’t designed with GDPR in mind. So where do you start when compliance means working backwards?

The first thing to consider is permission. We’ve grown accustomed to Silicon Valley software asking to access our smartphone cameras, photos and address books, and for the most part we fork over this intellectual-property gold without a second thought. GDPR demands that you, digital business master, give any individual who uses your website clear notice that their data is being gathered, and the choice whether, or for how long, you can store their data – anything from an email or a phone number to more complex information you could feasibly sell to other parties. The keywords here are Explicit Consent, and there are a few steps you need to follow.

Request Permission

By now we are used to clicking away the cookies permission box like a fly at a picnic, so your first line of site adjustment can be as easy as altering your cookies pop-up to include a permissions box to store visitor/customer data. In GDPR terms, this is an active opt-in, and in addition to this, visitors must be informed, in the sense that if you’re redesigning your pop-ups, you must make it clear that personal information may be shared, for either commercial or analytical purposes, and provide a clear choice to opt-in, or not.

Unbundle Your Presentation

The presentation of these terms and conditions must also be unbundled, which means personal data information must be presented outside the usual terms and conditions you may already have in place, and the methods and third parties of how the information will be shared must be named. If a user consents to have their data shared and, say, in a few minutes, days, weeks or months changes their mind, it must be easy to withdraw from data sharing.

Create a Framework

If, by chance, you’re a new business building your website, you have the advantage of being able to take GDPR into account from the ground up, and you’ll be pleased to discover there’s been a privacy framework kicking around since the nineties, called Privacy by Design, though its true urgency is just starting to be appreciated.

Even if you’re dabbing beads of relief off your brow because GDPR doesn’t specifically apply to you, if you’re found to be non-compliant after May 25th, fines can reach €20 million, or four percent of your yearly global gross, whichever is higher. Not fun. But security-wise, this is the way the web is going, and a bit of forward thinking now could save you several migraines later.

The post The Fast-approaching GDPR by – and for – Design first appeared on SmartRecruiters Blog.
Meet Valerie Bertrand: SmartRecruiters’ Rock-Loving Head of Legal https://www.smartrecruiters.com/blog/meet-valerie-bertrand-smartrecruiters-rock-loving-head-of-legal/ Thu, 21 Dec 2017 15:00:01 +0000 https://www.smartrecruiters.com/blog/?p=34740

Lawyers are often thought of as terrifying, stern, bespectacled types. SmartRecruiters’ Valerie Bertrand proves you can know your legal jargon and how to have a good time.

If you work for a company that conducts any business in or with Europe you’ve no doubt heard a certain acronym thrown around the office with increasing frequency, and intensity: GDPR.

If you haven’t, you might want to start shouting it yourself, because avoiding the General Data Protection Regulation could prove very expensive.

At SmartRecruiters, we’re living in a GDPR-stress-free zone, thanks primarily to our Head of Legal, Valerie Bertrand.

Valerie joined SmartRecruiters in August 2017, following successful careers in both the public and private sector. To us legal laypeople, the day-to-day work of company lawyers can seem slightly mysterious, even a bit daunting. I spoke with Valerie about how she came onboard and how her legal work has changed through the years. The first topic, unsurprisingly, was GDPR:

We recently attended a TruBerlin event in which a lot of conversation was concerned with GDPR. What has been the general feedback to GDPR in tech circles? Fear, confusion, readiness?

I think European companies are really focused, though it depends on each country. We had three webinars in December about GDPR; in France, England and Germany. You can measure the interest by the number of attendees. In Germany, there were more than 200, which is quite big. In France there were around 70, and 60 in the UK. We also ran a webinar for the US, but the audience wasn’t so big.

A lot of companies are concerned because they may not be compliant.

You mentioned the UK. Do you have any inkling how Brexit could affect GDPR?

I had this question raised at the UK webinar. I think a lot of people are concerned. I cannot predict the future, but in the UK you have an authority for data protection already, the ICO. And so far they speak a lot about GDPR. It suggests they are telling UK companies to be compliant. For UK businesses, they’ll continue to transact business and process candidates from Europe. So I think UK companies have no choice but to comply. Let’s see.

A quick perusal of your resume shows you’ve also done legal work for government institutions. What are the biggest differences you’ve found in tech and recruitment?

Before SmartRecruiters I was with the German Institute for Urban Affairs, an entity with funding from local authorities to conduct scientific research. I was in charge of tenders, contracts, checking supplier terms, vendor conditions and so on. You have to apply rules, and you have a time-frame you just have to comply with. For government, you have a lot of time, and a lot of people involved at every step. It’s positive sometimes because you have time to think about your project, but here, everything is for today, or tomorrow, so you have to act much quicker.

Are there any unique challenges to SmartRecruiters?

I decided to join SmartRecruiters because I knew I had a lot to do in the beginning, since the legal function was new here. There were no lawyers, so I had to build from scratch. That was the big challenge and still is the big challenge.

So this is different to what you’ve done previously in this sector?

Yes. I worked for Lumesse before, which had a big team compared to here. I had four people with me. I know the sector, so the industry of SmartRecruiters is not new for me, but the project here is innovative and novel compared to what I’ve seen in the past.

And you prefer this freedom compared to, say, working in the government sector?

Yes. One of our values is that ‘you are your own CEO’. And I like this. Especially when dealing with this volume of work, it’s very important to like what you do.

What was it that made you want to work in legal?

After college I had no idea what to do, to be honest. So I chose law at university because I thought, “Yeah, why not?”. I discovered different faces of the profession, like, in France, you have solicitors, but I didn’t want to go to courts and plead and so on, but I chose to work as an in-house counsel because I like to work with different profiles – engineering, sales, finance. I like to advise people and not only work on the big matters.

So if I was launching a tech startup in Berlin or elsewhere, and I asked you for some legal advice, what would you tell me?

Make sure you have all the intellectual property rights to develop your business. With technology especially, you have to protect your intellectual property and make sure it isn’t owned by someone else. Sometimes you attend conferences and hear presentations of products and you think “that is not new”. So make sure your business is really new and fully protected.

Legal can sometimes seem quite dry and serious. What do you do in your free time?

The classic one. I have two kids – 15 and 10. It is not a secret they keep me busy. Music is a big passion for me, so when I have time I like to go to concerts.

Classical?

No. Rock!

Oh really? What kind of stuff?

Everything, but especially indie. Y’know, all The Smiths, all Oasis. But also artists like Rufus Wainwright and MGMT. I also like theater and movies, but if I have to spend money on an outing, my preference is a concert.

What was the last concert you went to?

Black Rebel Motorcycle Club. But before that was a classic one, The Rolling Stones in Paris.

The post Meet Valerie Bertrand: SmartRecruiters’ Rock-Loving Head of Legal first appeared on SmartRecruiters Blog.