The new General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
All organisations need to consider GDPR, as in one way or another it is going to affect your business. GDPR applies to ‘personal data’, and all businesses store some form of personal data, whether HR records, customer lists, or contact details, held in a digital/automated format or in manual filing systems. Because of the data that the recruitment sector holds, the nature of the relationship between candidates and recruiters will change, and the firms that adapt to those changes will ultimately have a competitive advantage.
- There are increased rights for data subjects
- The rules on data breach reporting will tighten
- You need to have, and be able to justify, a legal basis for processing personal data
- You need to ensure the security of the personal data you hold
- There is increased emphasis on record keeping
- You need to have a defined data retention policy – you cannot keep data indefinitely
- There will be considerable fines for those that fail to comply
One of the main changes from the current Data Protection Act is the new accountability principle. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity.
If you have not already referred to it, we would recommend you review the Information Commissioner’s Office (ICO) website, as it is a really useful guide – in particular it is worth consulting their ‘12 steps to take now’: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf.
To get the ball rolling, if you have not already done so, a few points that you need to bear in mind:
- There are two extreme and conflicting myths – “I don’t need to do anything” and “I have to delete everything”. Both are wrong, but you do have to action a bit of both. GDPR applies to all the applicable data your organisation controls, regardless of its age.
- You do need a valid legal reason for processing personal data – do you have consent to market to all candidates on your database? If not, you don’t need to delete it, but you do need to audit what you have and take decisions on how to gain consent.
- You are going to have to notify candidates that you have their data. You control the communication that you send out to your database, so use it to your advantage. Candidate engagement will be key, as they will be receiving a lot of similar emails!
- You need to ensure that the candidate is happy for you to continue to process their data.
- For recruitment sector candidate data, Legitimate Interest is gaining favour – “Legitimate interest” means that when you look at the overall needs and rights of the data controller (you) and the data subject (your candidates), there will be times where you don’t need to ask for consent to collect, store, use, disclose, process, destroy or otherwise “process” personal information.
Our notes here are just dipping a toe in the water of GDPR. What you need to know is that it won’t go away and you will be affected, so you do need to prepare…