GDPR – WHAT YOU NEED TO KNOW
IN APRIL 2016, THE EUROPEAN PARLIAMENT APPROVED A NEW GENERAL DATA PROTECTION REGULATION (GDPR). THIS WILL HAVE A PROFOUND IMPACT ON DATA PROTECTION LEGISLATION ACROSS THE EU, AS WELL AS THE UK.
THE IMPACT ON RECRUITMENT AGENCIES
Handling large quantities of personal data is perfectly normal on a day-to-day basis in recruitment. Whether it’s registering candidates, supplying them as temp workers and/or placing them into permanent roles, the amount of personal data is quite astonishing. As a result, staying on top of Data Protection laws is a priority.
- As of May 2018, the EU General Data Protection laws will be changing
- You have a limited time to get your plan in place and policies into action
- Non-compliance could see you fined 5% of your turnover – for each breach
Four years ago, the European Commission decided there was a need to address and redefine the Data Protection provisions throughout the EU to provide a more harmonised approach. Since then, the Commission and two other institutions (the Parliament and the European Union Council) have been in negotiations about the terms of the new GDPR.
The result of this? The new GDPR will replace the existing European directive making it necessary for the UK to introduce new data protection legislation which incorporates all of the changes. Both the UK and other EU states will have a deadline of 2 years to bring the new rules and regulations into force, although the UK’s data protection watchdog (The Information Commissioner’s Office (ICO)) has forecast that the changes could be in place by the middle of 2018.
9 KEY POINTS TO UNDERSTAND.
Obtaining consent – There is currently a general requirement to have an individual’s consent in order to ‘process’ their personal data. ‘Processing’ includes many forms of handling personal data such as obtaining it, storing, disclosing and many other activities that utilise the personal data.
The definition of consent – The GDPR has tightened up the definition of consent, meaning that individuals will need to give ‘clear and affirmative’ consent to the processing of their personal data.
Businesses will no longer be able to rely on implied consent – or on silence or inactivity as a means of consent.
Pre-ticked boxes will no longer constitute consent – This includes online registration forms, and ‘I agree’ boxes. Tactics such as the use of pre-ticked boxes on websites
Verifying consent – Businesses and organisations will also need to have clearer processes in place to substantiate how consent to process personal data was obtained and retain evidence of the same.
Do you have a Data Protection Officer? – Some organisations and businesses will be required to appoint a Data Protection Officer (DPO). The requirement may be tied to the number of employees within the business or organisation; one proposal is for there to be a requirement where there are more than 250 employees. At present it is not clear whether that figure, in the context of a recruiter supplying temporary workers, will include temporary workers as well as the substantive staff. Alternatively, the other proposal is to tie the need for a DPO to the amount of personal data processing that is carried out, so that only businesses and organisations processing the personal data of a large number of individuals will need to comply. You’ll also need to train other members of your team – we recommend ISV Online for online GDPR training and testing.
Application to countries outside the EU – The GDPR makes provision for the new rules to apply to businesses and organisations that are based outside the EU but which nevertheless offer goods and services to residents within the EU. Recruiters in the UK that provide services across the EU will still need to comply with the changes.
Penalties for non-compliance – The new provisions will include more significant penalties for breaches. Although the penalties are not yet set, they could range up to 5% of a business’s or organisation’s turnover. It is expected that regulators in each country (the ICO in the UK) will decide the actual level of fines for their respective countries.
Portability – As part of the GDPR’s objective of giving individuals more control over their personal data, a new right of ‘data portability’ will be introduced. This will make it easier for individuals to have their personal data switched from one service provider to another.
If you’re currently exploring the ways in which to more effectively capture, track, monitor and secure your data, get in touch to find out how Evolve could be your perfect partner.