Pending Legislation to Affect Recruiters: The GDPR


We’re way ahead of the game here, but as recruiters we handle a lot of sensitive data belonging to both our candidates and our clients. Data privacy and adherence to the current Data Protection Act are paramount; however, it’s all about to change with the introduction of the GDPR.

What Is the GDPR?

GDPR stands for the General Data Protection Regulation. It’s been four years in the making and, after being published in the Official Journal of the European Union on April 14, 2016, it officially came into force on May 25, 2016. However, there is a two-year transition period, meaning its provisions will be directly applicable to EU states on May 25, 2018.

It will replace the current Data Protection Act, and it’s set to be much stricter. One of the informational PDF documents from the Government detailing how to prepare for the GDPR is insightful and lists 12 main steps businesses can take to ensure they’re ahead of the impending two-year deadline. We’ve got a brief summary below of how to start handling your sensitive data. View the PDF directly here.

1. Awareness: People in your organisation should be made aware that the law is changing. For larger companies this may impact resources. Make compliance in two years’ time easier by raising awareness now.
2. Information You Hold: By the new rules, if you hold inaccurate data and have shared this with another organisation, you will be responsible for correcting it. Therefore you need to know the data that you hold, and where it came from.
3. Communicating Privacy Information: Your privacy policies will need to be updated to incorporate the new things you need to tell people such as your legal basis for processing their data – this will need to be done in clear, concise language.
4. Individuals’ Rights: Rights for individuals under the GDPR will include: having subject access, having inaccuracies corrected, having information erased, the ability to say no to direct marketing and automated decision making, and the right to not be profiled by their data.
5. Subject Access Requests: Subject access requests will have to be dealt with in a month as opposed to the current 40 days. Additionally, you won’t be able to charge for complying with a request anymore.
6. Legal Basis for Processing Data: You will have to explain your legal basis for processing personal data.
7. Consent: You need to review how you are obtaining consent and ensure it adheres to the GDPR.
8. Children: The GDPR will bring in special protection for children’s personal data – particularly in the context of commercial internet services.
9. Data Breaches: Some organisations already have to notify the ICO of a data breach; this will become the case across the board.
10. Data Protection by Design & Data Protection Impact Assessments: This will become a legal requirement.
11. Data Protection Officers: The GDPR will require some organisations to designate a data protection officer and this is recommended.
12. International: Lastly, it’s a complex but important job: organisations operating internationally need to determine which data authority they come under.

It’s a lot to digest but there’s no harm in being the early bird catching the worm! Things will get a lot stricter around data protection and recruiters and business owners alike should start looking at adhering to the pending regulations now.