The General Data Protection Regulation (GDPR) comes into effect on the 25th of May 2018. Much of it is similar to the Data Protection Act (DPA), so if your data handling is compliant today, preparing for the GDPR should be straightforward. This article provides some useful information to help your recruitment agency understand the new regulation and prepare accordingly.
An overview of the General Data Protection Regulation (GDPR)
The GDPR replaces the Data Protection Act (DPA) on the 25th of May 2018. It updates data protection law to keep pace with a constantly developing digital world. Whilst much of it is very similar to the rules already in place under the DPA, there are new rules your recruitment agency will need to learn, as well as changes you will need to be aware of and have implemented by the 25th of May 2018.
A summary of GDPR
- GDPR – The General Data Protection Regulation.
- The GDPR comes into effect on the 25th of May 2018.
- The GDPR replaces the DPA, but has many similarities with it.
- Data collection information and privacy statements must be written in clear, plain language.
- The individual must actively opt in to sharing their personal data with your recruitment agency (for example, by ticking an unticked box on a registration form and then confirming the decision via a link in a validation email).
- From the 25th of May 2018, your recruitment agency can no longer market to an individual who has not given you explicit permission – unless it is a company.
- If your recruitment agency suffers a data breach that is likely to put individuals at risk, you will need to report it to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it.
- Your recruitment agency must be able to prove that an individual has opted to share their data with your business, and that they were told exactly what your recruitment agency will be doing with their personal data.
- Penalties for non-compliance are potentially devastating (up to €20 million or 4% of global annual turnover, whichever is higher).
Becoming GDPR ready in 12 steps
The ICO has released 12 steps to help organisations effectively prepare for the GDPR. Below is a summary of all 12. For a more thorough analysis, please visit the ICO website.
With careful planning, your recruitment agency can move forward with total confidence in your data handling.
1) Being Aware
It is critical that the people who handle data in your recruitment agency are completely familiar and comfortable with the GDPR. Most of your agency’s staff are likely to handle sensitive data, so it is critical that your entire team is made aware of the new regulation.
2) Holding Information
Identifying the data that your agency works with and holds in its archives should be made a priority. For example, which CVs do you hold, how do you contact your candidates, what marketing do you carry out, etc.? It is important to record what data you have, where it came from and who you share it with.
3) Providing Information on Privacy
Your privacy notice will need a thorough review. When collecting data, you must let the individual know why your agency is collecting the data and how you will be using it.
For more information, please consult the ‘Privacy notices under the EU General Data Protection Regulation’ provided by the ICO.
4) The Rights of Individuals
It is key that your recruitment agency can easily identify all of the data you hold on an individual, so that it can be erased without undue delay if they make a valid request. The ICO confirm that the “main rights for individuals under the GDPR will be”:
- Subject access
- To have inaccuracies corrected
- To have information erased
- To prevent direct marketing
- To prevent automated decision-making and profiling
- Data portability
5) Requesting Subject Access
Under the GDPR, you will have just one month to provide the individual with the information they request (a shorter time frame than the 40 days allowed under the DPA). Your agency will also need to provide extra information, including your data retention period.
The GDPR removes the £10 fee that organisations have been able to charge individuals for requesting their personal data. However, you will still be able to charge “a reasonable fee” if the request is “manifestly unfounded or excessive”, for example because it is repetitive.
For example, if an individual contacts your agency and asks you to confirm every piece of information you hold on them, you must provide this within one month or your agency could face a penalty for non-compliance.
6) Handling Personal Data – Legally
Your recruitment agency will need to identify and understand your lawful basis for handling and using the personal data of others, and document it in a clear, easy-to-understand record.
7) Obtaining Consent
Obtaining consent from individuals so that your recruitment agency can use their data is changing. Consent now has to be a “positive indication of agreement”, so pre-ticked boxes, or small print on an electronic form that reads something like “By submitting this form, you accept we can use your personal data…”, will no longer count as consent.
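One way to implement the opt-in described in the summary above and in this step (an unticked box, a validation email carrying a one-time link, and a stored record the agency can later produce as proof of consent). This is an added example and not code from the article or from Churchill Knight & Associates; the class and function names, the confirmation URL and the purpose wording are assumptions made for the illustration.

```python
"""Double opt-in consent capture with a provable consent record.

Added example, not code from the original article. It models the flow the
text describes: an unticked box on a registration form, a validation email
carrying a one-time link, and a stored record (what was shown, when, from
where, and when it was confirmed) that the agency can produce as proof.
All names, the URL and the wording below are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

SERVER_SECRET = secrets.token_bytes(32)   # assumed: would come from a secrets manager in production
TOKEN_TTL = timedelta(hours=24)           # validation links expire after a day
CONFIRM_BASE_URL = "https://agency.example/consent/confirm?t="   # illustrative URL
# Wording shown next to the (unticked) box; stored verbatim so the agency can show
# exactly what the candidate agreed to, not merely that a flag was set.
MARKETING_PURPOSE = "We will email you about roles that match your CV. You can opt out at any time."


@dataclass
class ConsentRecord:
    record_id: str
    email: str
    purpose: str                                # exact text the candidate saw
    requested_at: datetime                      # when the box was ticked
    form_ip: str                                # where the form was submitted from
    confirmed_at: Optional[datetime] = None     # set only when the emailed link is used
    withdrawn_at: Optional[datetime] = None

    @property
    def is_active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentStore:
    """In-memory store standing in for the agency's database."""

    def __init__(self, secret: bytes = SERVER_SECRET) -> None:
        self._secret = secret
        self._records: Dict[str, ConsentRecord] = {}

    def _sign(self, payload: str) -> bytes:
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest().encode()

    def register(self, email: str, form: dict, form_ip: str, now: Optional[datetime] = None) -> Optional[str]:
        """Handle a registration form submission. `form` is the parsed submission, with the
        checkbox already converted to a bool by the form handler. Returns the validation URL
        to email if the candidate positively opted in, otherwise None: an absent, falsy or
        pre-filled value is never treated as consent."""
        now = now or datetime.now(timezone.utc)
        if form.get("marketing_opt_in") is not True:
            return None
        rec = ConsentRecord(secrets.token_urlsafe(16), email, MARKETING_PURPOSE, now, form_ip)
        self._records[rec.record_id] = rec
        expires = int((now + TOKEN_TTL).timestamp())
        payload = f"{rec.record_id}.{expires}"      # token_urlsafe output never contains '.'
        return CONFIRM_BASE_URL + payload + "." + self._sign(payload).decode()

    def confirm(self, url: str, now: Optional[datetime] = None) -> bool:
        """Called when the candidate clicks the emailed link. Rejects tampered, expired,
        unknown and replayed links; a valid one turns the pending record into proof."""
        now = now or datetime.now(timezone.utc)
        if not url.startswith(CONFIRM_BASE_URL):
            return False
        parts = url[len(CONFIRM_BASE_URL):].split(".")
        if len(parts) != 3:
            return False
        record_id, expires, sig = parts
        if not hmac.compare_digest(self._sign(f"{record_id}.{expires}"), sig.encode()):
            return False                      # check the signature before trusting any field
        if not expires.isdigit() or now.timestamp() > int(expires):
            return False                      # link has expired
        rec = self._records.get(record_id)
        if rec is None or rec.confirmed_at is not None:
            return False                      # unknown record, or link already used
        rec.confirmed_at = now
        return True

    def proof_of_consent(self, email: str) -> Optional[ConsentRecord]:
        """The record to produce if asked to prove consent; pending or withdrawn does not count."""
        return next((r for r in self._records.values() if r.email == email and r.is_active), None)

    def withdraw(self, email: str, now: Optional[datetime] = None) -> bool:
        """Withdrawing must be as easy as giving consent: one call, no link required."""
        rec = self.proof_of_consent(email)
        if rec is None:
            return False
        rec.withdrawn_at = now or datetime.now(timezone.utc)
        return True
```

The record keeps the exact wording shown, the time of each step and the source address, which is what an agency would need to answer the question of what a candidate agreed to and when. Signing the link with a server-side key means a confirmation cannot be forged by guessing a record id, and a used or expired link cannot be replayed.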
8) Rules with Children
Although it is unlikely your agency will hold data on under-16s, if you were to keep hold of children’s data you must have the consent of a parent or legal guardian (the GDPR sets the age at 16, but allows individual member states to lower it to 13). Not only that, you need to start planning how you will verify an individual’s age, because this is a necessity under the new regulation.
9) Managing Data Breaches
If your recruitment agency suffers a personal data breach that is likely to put individuals at risk, for example of “identity theft or a confidentiality breach”, you must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, you must also tell the affected individuals without undue delay.
Now is the perfect time to introduce procedures that reduce the likelihood of a breach, and that let you detect, investigate and report one if it happens. If there is an unfortunate incident that is considered a breach by the ICO, having a response procedure in place will help your agency deal with the issue promptly and consistently.
10) Privacy by Design and Impact Assessments
The ICO strongly recommends your recruitment agency familiarise itself with their guidance on Privacy Impact Assessments (PIAs), which the GDPR calls Data Protection Impact Assessments (DPIAs) and makes mandatory for processing that is likely to be high risk. A PIA is a structured assessment of the privacy risks of a new process or system, carried out before you start it, so that safeguards are built into your data collection from the outset. The ICO also promote “Privacy by Design”, an approach that helps you plan in accordance with the regulation so the risk of a data breach is always minimal.
11) Data Protection Officers
Your recruitment agency will need to designate a member of staff to take responsibility for data protection compliance, and to work out whether you are formally required to appoint a Data Protection Officer (DPO). A DPO is mandatory for public authorities, and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data. Whoever takes on the role will need to be up to date with the GDPR so that your business can adapt in time. If nobody currently holds this responsibility, you should assign it immediately.
12) International Regulations
If your recruitment agency operates internationally, you will need to identify which data protection supervisory authority you fall under. If you are unsure, the lead authority will be the one in the country where your recruitment agency has its main establishment: where the majority of its central administration takes place and where the important decisions about how and why personal data is processed are made.
What are the fines for GDPR non-compliance?
The introduction of the GDPR will see the fines for non-compliance with data protection increase significantly. There are two tiers of fines that your recruitment agency could potentially face, depending on the nature of the infringement:
- Up to €10 million or 2% of global annual turnover, whichever is higher.
- Up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements, including breaches of the data protection principles, of individuals’ rights and of the consent requirements.
Specialist support for your agency
Churchill Knight & Associates Ltd is proud to be a leading expert in our industry. In order to continue providing payroll services that are second to none, it is our responsibility to keep up-to-date with all of the latest news and regulations.
When you partner with us, you can be assured that you are partnering with an expert that you can trust. Our in-house Learning and Development team can provide specialist training for your consultants on a variety of hot industry topics, including the GDPR.