In less than nine months' time, the General Data Protection Regulation (GDPR) will come into effect. This will be the biggest shake-up to data protection law in some time, given that the current law, the Data Protection Act, dates back to 1998.
As you have surely heard, the new rules allow for large fines (up to €20 million or 4% of annual worldwide turnover, whichever is higher) to be imposed on those who do not comply. There are steps you can take now to help ensure you are fully compliant before 25th May 2018.
Decide how you will obtain consent
Recruitment businesses usually rely on an individual's implied consent as the basis for processing their data. For example, when a candidate submits a CV, this is generally treated as implied consent to pass their details on to clients for specific roles.
Under the new rules, that will no longer be enough. Consent must be freely given, specific, informed and unambiguous, and it requires a clear affirmative action from the individual: silence, pre-ticked boxes or inactivity do not count. It must also be as easy to withdraw as it was to give. Bear in mind that consent is only one of the lawful bases for processing under the GDPR; in some cases another basis, such as legitimate interests, may be more appropriate, but that is a decision you need to make and document rather than assume.
Start to think now about how you will obtain consent from existing and new candidates from May next year. Do you have a complete list of the individuals whose information you hold on your databases? Will you contact them by email or letter? What wording will you use to ask for their consent, and how will you record the consent you receive?
Tighten up your record keeping
The GDPR will require you to pull your socks up on record keeping and paper trails: under the new accountability principle you must not only comply but be able to demonstrate that you comply. You may be asked by the Information Commissioner's Office (ICO) to provide copies of your data protection policy and to show, to a good standard, how you are keeping data secure.
Do you know what personal data you hold as a company, where it is stored and why? Do you know what your current policy on data protection is and who is responsible for it? Do you know who in the company has access to which data? Could your data security be stepped up through encryption or pseudonymisation, both of which the GDPR names explicitly as appropriate security measures?
Giving individuals access to their data
An individual has always been able to request a copy of the information you hold about them: an application would be made and a fee of up to £10.00 could be charged, with 40 days to respond. Under the GDPR you must normally provide the information free of charge and within one month of the request.
In addition to obtaining a copy of the data, an individual will be able to ask you to erase their information (the so-called right to be forgotten, which applies in particular circumstances, for example where you no longer need the data or where consent was the basis for processing and they withdraw it), to rectify (or "update") information that is incorrect or incomplete, and to object to or restrict certain uses of the data, for example direct marketing, which you must stop on request, or processing for scientific or historical research purposes.
Who handles subject access requests at present? Who will handle these new, more complex requests, within the one-month deadline, from May onwards? Will a senior manager be able to add this to their workload, or will you need to hire new staff?
At TBOS we recommend that our agencies start preparing for the GDPR now and make decisions on the questions above, as this will take some of the pressure off in May 2018. For guidance, and to discuss your options under the new rules, you can speak to us on 0845 881 1112.