GDPR, or the General Data Protection Regulation to use its full title, comes into force across the EU in a matter of months.
It will apply in the UK from 25 May 2018 – regardless of Brexit – through a new Data Protection Bill, which is currently working its way through parliament.
This will replace the existing Data Protection Act, which is now 20 years old and seen by many as unfit for purpose in the digital age.
The subject of much debate in boardrooms up and down the country, GDPR will affect recruitment agencies and their supply chain partners in common with all other businesses.
In this post we look at some key considerations for agencies and assess how significant a change GDPR will be for the recruitment sector.
GDPR overview and background
GDPR is designed to strengthen individuals’ rights and protections and ensure organisations handle data responsibly, with tough penalties if they don’t.
It will have an impact on all aspects of how businesses obtain, handle, store and delete personal information.
The Information Commissioner’s Office (ICO) will be responsible for enforcement in the UK.
A fine mess?
One reason for the hype around GDPR is the level of financial penalty that can be imposed in the event of a breach.
As you may already be aware, under GDPR the ICO can impose fines of up to 20 million euros or 4% of company turnover / revenues – whichever is greater.
Less serious breaches could result in a fine of up to 10 million euros or 2% of turnover.
To put that in context, under the Data Protection Act the maximum fine is £500,000.
The ICO has said that it will take into account the circumstances surrounding the breach when assessing the level of fine.
Getting down to detail
Article 5 of GDPR requires that personal data must be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary; and
- Processed in a manner that ensures appropriate security of the personal data.
We have edited the above points in the interests of brevity, but you get the idea.
To summarise, businesses need to handle their customers’ data with care, implement robust security measures and ensure they aren’t doing anything reckless or untoward.
Personal data and GDPR
For the processing of personal data to be lawful under GDPR, an organisation will need to identify and document a lawful basis for doing so.
The first port of call is consent. If you are relying on the individual’s consent, however, be aware that the consent must be:
… a freely given, specific, informed and unambiguous indication of the individual’s wishes.
In other words, pre-ticked boxes won’t do!
If it isn’t practical, necessary or possible to gain consent, alternatives exist when processing is necessary for:
- The performance of a contract, or the taking of steps to enter into a contract;
- Compliance with a legal obligation;
- The protection of the vital interests of a data subject or another person;
- The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- The purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
Rights and protections
GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.
From 25 May individuals will have:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure, also known as the right to be forgotten;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- Rights in relation to automated decision making and profiling.
On this topic, businesses will need to have in place a process for dealing with access requests.
Information must be provided to the individual free of charge and within one month. Again, this is tougher than the existing DPA rules.
How big a deal is GDPR for the recruitment sector?
The recruitment industry is clearly sitting up and taking notice of GDPR, if the REC’s series of sold-out workshops are anything to go by.
We’ve all seen the scaremongering LinkedIn posts and had the sales calls from companies who see GDPR as one big sales opportunity.
The truth is that GDPR isn’t the Armageddon that some have suggested, but nor is it an irrelevance.
Essentially it represents a tightening up (and extension of) existing data protection rules.
Next steps for agencies
Recruitment businesses by their very nature collect and store a lot of personal data.
As such, it makes sense for an agency to review its existing systems and processes and identify any changes that need to be made.
Due in part to the relationship between data controllers and processors under GDPR, if you’re a recruitment agency director it’s also a good idea to review your suppliers’ data security and protection policies.
ADVANCE’s approach to GDPR
As a business ADVANCE is taking a pro-active approach to GDPR.
We are currently reviewing and strengthening our already robust data protection processes and policies, and will soon be undergoing an assessment with a view to achieving IASME Governance certification.
The assessment, which will be conducted by an authorised IASME certification body and will involve an on-site audit, covers three security standards – GDPR readiness (data protection), Cyber Essentials (IT systems) and IASME Governance (IT/organisational processes).
Achieving GDPR readiness
The GDPR readiness assessment covers all 12 of the GDPR preparation steps recommended by the ICO.
The IASME Governance standard – which is based on international best practice – utilises a risk-based approach to assess a company’s information security, and includes aspects such as staff awareness, security policies and the technical controls which underpin these.
IASME is one of just five recognised accreditation bodies for assessing and certifying against the government’s Cyber Essentials scheme.
Additionally, we are looking to engage an external consultant who will review our processes and policies if and when IASME certification is achieved.
We have already undertaken the following steps:
- Risk assessment
- Data audit and asset register
- Review of all cloud providers and their approach to GDPR compliance
- Data mapping tool
- Cyber security vulnerability assessments (internal and external)
- Process and policy updates
GDPR – find out more
If you’re a recruitment professional and would like to know more about GDPR, including ADVANCE’s approach to ensuring GDPR readiness, please complete this form and a member of the team will be in touch.
We are happy to answer any questions that existing or prospective agency partners may have.