25 May 2018 – take note of the date, as this is becoming affectionately known as “GDPR day”. It is the day when the old Data Protection Act 1998 is superseded by GDPR. The aim: to standardise rules across the EU and create greater transparency, responsibility and liability in relation to how data held on individuals is collected, used, shared, stored, transferred or deleted. While not officially confirmed, it is expected that the UK will continue to commit to observing GDPR post-Brexit to maintain harmonisation with the EU rules and the general data market.
But what does this mean? GDPR, very briefly, places the burden of ensuring compliance on your entire organisation, especially functions like recruiting which rely heavily on collecting candidates’ personal data – their name, email addresses, possible medical requirements, telephone numbers or addresses. All information that would allow you to easily identify the individual.
The following are a few of the key areas of impact and how GDPR should be considered:
- Data “processing”
GDPR requires additional transparency in informing individuals about when (and why) their data is collected, processed and transferred. Traditionally, recruitment sector businesses have relied on an individual’s consent to justify the processing of their data. However, under GDPR there are stricter requirements for consent: it must be clearly distinguishable from other matters, given in an informed way and in an easily accessible form, and it must be capable of being easily withdrawn. Separate consent must be sought for separate processing activities (for example, where a candidate has put his or her details forward for one vacancy and these are then used for unrelated vacancies or other purposes). We expect that most businesses will need to revisit and revise their current data collection and handling processes in order to comply with the new obligations. For example, some recruiters may need to ask existing candidates to re-register, remove any candidate who has not consented, and give candidates additional clarity about how they collect and use their personal data.
- Data Subject Rights
Under GDPR, individuals will have far greater rights as to how their data is used and accessed. These range from the “right to be forgotten”, i.e. to have data erased where it is no longer needed or is factually incorrect (which could include cases where candidates or contract workers contest feedback about attendance or performance), to a new right of “portability” of data: the right for individuals to demand that all of their data is transferred, in easily readable formats, to another provider. Both recruiters and employers will need to review their working policies and practices to ensure that they can comply with all of these individual rights.
Under GDPR there is a duty to implement measures to ensure a level of security which is “appropriate to the risk”. Appropriate measures may include: pseudonymisation and encryption of personal data; the ability to restore data in a timely manner in the event of an incident; and a process for regularly testing the effectiveness of security measures. This means that you may need to change your internal processes now in order to comply with GDPR.
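As an added illustration of what pseudonymisation of candidate data can look like in practice (example code written for this article, not part of the original text or any recruiter's system; the candidate record and key are constructed), the snippet below replaces direct identifiers with keyed tokens, keeps the re-identification mapping in a separately held vault, honours an erasure request by deleting that mapping, and wraps the whole thing in the kind of self-check the paragraph above calls for:

```python
import hashlib
import hmac
import json
# Constructed sample record (hypothetical candidate, not data from the article).
CANDIDATE = {
    "name": "A. Example",
    "email": "a.example@example.invalid",
    "phone": "+44 7700 900000",
    "vacancy": "REQ-1234",
    "notes": "Strong SQL skills; available from June.",
}
DIRECT_IDENTIFIERS = ("name", "email", "phone")

def pseudonymise(record, key, vault):
    """Replace each direct identifier with a keyed HMAC token; the token -> value
    mapping goes into `vault`, which must be stored separately from the working
    data (GDPR's definition of pseudonymisation hinges on that separation)."""
    working = dict(record)
    for field in DIRECT_IDENTIFIERS:
        msg = f"{field}:{record[field]}".encode()
        token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        vault[token] = record[field]
        working[field] = token
    return working

def reidentify(working, vault):
    """Rebuild the full record; identifiers whose vault entry is gone come back as None."""
    return {f: (vault.get(v) if f in DIRECT_IDENTIFIERS else v) for f, v in working.items()}

def erase_subject(working, vault):
    """Erasure request: drop the vault entries, leaving the working record usable
    for aggregate reporting but no longer linkable to the person."""
    for field in DIRECT_IDENTIFIERS:
        vault.pop(working[field], None)

def self_check(record, key):
    """The 'regular test' the article calls for. Returns
    (identifiers leaked into the working copy, round-trip ok, unlinkable after erasure)."""
    vault = {}
    working = pseudonymise(record, key, vault)
    serialised = json.dumps(working)
    leaked = [f for f in DIRECT_IDENTIFIERS if record[f] in serialised]
    round_trip_ok = reidentify(working, vault) == record
    erase_subject(working, vault)
    unlinkable = all(reidentify(working, vault)[f] is None for f in DIRECT_IDENTIFIERS)
    return leaked, round_trip_ok, unlinkable

if __name__ == "__main__":
    print(self_check(CANDIDATE, b"demo-key-held-separately-from-the-records"))
```

Because the tokens are keyed, the same candidate maps to the same token across records only for holders of the key, so the working data can still be joined internally without carrying names, e-mail addresses or phone numbers.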
The implications of GDPR are far reaching and impact all aspects of your business. The above is a very brief snapshot of the implications of GDPR; if you wish to discuss any of the issues raised in this article, or for any advice or assistance, please do not hesitate to contact the recruitment team.