The GDPR Clock is Ticking Loudly – Are You Prepared?

What is GDPR and why is it needed?

Developments in technology mean it is easier today than it has ever been to share data and information. It is especially easy to share personal information such as email addresses, social media posts, CVs and photos – information which we as individuals may not wish to be so freely shared. Previous EU legislation has been considered ineffective in giving individuals rights over the provision, storage and usage of their personal data, and so the General Data Protection Regulation (GDPR) was adopted by the EU Parliament in April 2016 to replace those earlier data protection regulations. GDPR is designed to harmonise data protection across the EU and ensure that the data of EU citizens is properly protected no matter where that data resides, and it will be enforced from May 2018.

But aren’t we leaving the EU?

We are – but not until after May 2018 and therefore the UK must comply. Once we leave the EU we must enforce our own Data Protection legislation but for now, we must comply with the EU, and UK law is likely to replicate what will by then already be in place.

What do we mean by ‘Data’?

‘Data’ refers to any information related to a person or ‘Data Subject’ that can be used to directly or indirectly identify the person. The data can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. The new GDPR legislation applies to all companies processing and holding the personal data of persons residing in the EU – no matter where those companies are located – and it is centred around ‘consent’.

Consent, Consent, Consent

GDPR aims to strengthen the conditions for consent to receive, process and store data from individuals, who will also have the right to change, amend and gain access to their data, to know how their data is being used and to request copies of it. It must also be as easy to withdraw consent as it is to give it, and there will be a ‘right to be forgotten’ – essentially the right to have data removed.

Security & Breaches

GDPR aims to better regulate how data is controlled and processed securely, and notification of any data breach likely to ‘result in a risk for the rights and freedoms of individuals’ will become mandatory within 72 hours of the breach occurring. The penalties for violations surrounding consent, processing or the core privacy concepts are costly – 4 percent of global annual turnover or €20 million, whichever value is greater, for the most severe infringements. It is therefore vitally important to be properly prepared, with just three months to go until the deadline.

Act Now

There is no doubt that GDPR is going to shake up the recruitment industry – it is the biggest change in data protection laws in over 20 years. The important thing is to have clear, comprehensive and compliant procedures and policies in place that will inspire trust from all stakeholders.

Start now by undertaking a risk assessment, appointing an impartial Data Protection Officer (if you have more than 250 employees this is a legal requirement) and auditing your current database so that you know what information you hold, how it is organised and maintained, and how you process the data. The next step is to examine your legal basis for using that information. We have talked about consent, but this is only one of the six lawful bases under which you may process someone’s personal data.

More information, including a 12-step plan to help you prepare for GDPR, is available from the ICO: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/