GDPR - Data protection with teeth
14 April 2016 saw the European Parliament approve a new General Data Protection Regulation (GDPR) which will make changes to data protection legislation across the European Union, including the UK.
How will this affect Recruitment Agencies?
Recruiters handle large amounts of personal data as part of their activities when registering candidates, supplying them as temporary workers and/or placing them into permanent roles with clients. As such, staying on top of data protection laws is a key priority.
- As of May 2018, the EU General Data Protection laws will be changing
- You have a limited time to get your plan in place and policies into action
- Non-compliance could see you fined 5% of your turnover – for each breach
As far back as four years ago, the European Commission determined that there was a need to overhaul the data protection provisions throughout the EU to provide a more harmonised approach. Since then the Commission and two other institutions (the Parliament and the European Union Council) have been in negotiations about the terms of the new GDPR.
The new GDPR will replace the existing European directive making it necessary for the UK to introduce new data protection legislation which incorporates all of the changes.
The UK and other EU states will have up to two years to bring legislation into force, although the UK’s data protection watchdog, the Information Commissioner’s Office (ICO), anticipates that the changes could come into force in the middle of 2018.
9 points you’ll need to get to grips with.
Obtaining consent - There is currently a general requirement to have an individual’s consent in order to ‘process’ their personal data. ‘Processing’ includes many forms of handling personal data such as obtaining it, storing, disclosing and many other activities that utilise the personal data.
The definition of consent - The GDPR has tightened up the definition of consent, meaning that individuals will need to give ‘clear and affirmative’ consent to the processing of their personal data.
Businesses will no longer be able to rely on implied consent - or on silence or inactivity as a means of consent.
Pre-ticked boxes will no longer constitute consent - This includes online registration forms and ‘I agree’ boxes. Tactics such as the use of pre-ticked boxes on websites
Verifying consent - Businesses and organisations will also need to have clearer processes in place to substantiate how consent to process personal data was obtained and retain evidence of the same.
Do you have a Data Protection Officer? - Some organisations and businesses will be required to appoint a Data Protection Officer (DPO). The requirement may be tied to the number of employees within the business or organisation; one proposal is for there to be a requirement where there are more than 250 employees. At present it is not clear whether that figure, in the context of a recruiter supplying temporary workers, will include temporary workers as well as the substantive staff. Alternatively, the other proposal is to tie the need for a DPO to the amount of personal data processing that is carried out, so that only businesses and organisations processing the personal data of large numbers of individuals will need to comply.
Application to countries outside the EU - The GDPR makes provision for the new rules to apply to businesses and organisations that are based outside the EU but which nevertheless offer goods and services to residents within the EU. Recruiters in the UK that provide services across the EU will still need to comply with the changes.
Penalties for non-compliance - The new provisions will include more significant penalties for breaches. Although the penalties are not yet set, fines could be up to 5% of a business’s or organisation’s turnover. It is expected that regulators in each country (the ICO in the UK) will decide the actual level of fines for their respective countries.
Portability - As part of the GDPR’s objective of giving individuals more control over their personal data, a new right of ‘data portability’ will be introduced. This will make it easier for individuals to have their personal data switched from one service provider to another.
If you, your staff or business are not placing enough importance on how your data is being captured, tracked, monitored and secured then get in touch for an informal conversation on how Voyager can track and manage your key asset.
"Things change fast in Recruitment and so this is my understanding of the current system; you’ll need to do your own homework to understand how it impacts on your business specifically." - Paul Thompson
- ICO.org.uk has produced a 12 step guide which sets out actions that can be taken now in preparation for the new rules.
- The REC will report back on how the changes will affect the recruitment industry – we suggest you join
- GDPR Portal - www.eugdpr.org
- Office 365 Blog - Privacy authorities across Europe approve Office 365 privacy commitments
- Privacy authorities across Europe approve Microsoft’s cloud commitments