GDPR Overview
Introduction
The rules which underpin the storage of personal data have changed dramatically. The new EU-US Privacy Shield is important for firms that share data between the UK and US, but it is actually far less significant than the GDPR rules, which will have a major impact on how the recruitment industry (and indeed every industry) operates.
These rules, which were passed last year and will be enforced from 2018, will dramatically raise the bar on privacy standards and will come with fines that are large enough to cripple the majority of firms in the industry – and, indeed, virtually any supplier!
Technology and infrastructure suppliers could play a key role in helping recruitment firms stay within the rules.
GDPR stands for the General Data Protection Regulation. It is a set of rules designed to cover data protection for residents of Europe and is the successor to the Data Protection Directive. The rules are in place now, but they are not being enforced until May 2018. The difference in terminology is important: a Regulation is much more robust and enforceable than a Directive.
All EU citizen data is within scope of GDPR, irrespective of the geographical location of the firm responsible for the data. In other words, non-EU firms handling EU citizen data will still have to comply with GDPR. The vote for Brexit does not affect the applicability of GDPR to the UK. In addition, the ICO recognises that the current DPA is woefully out of touch with changes in technology and data practices, and has stated that it will be producing legislation of comparable strength to the GDPR.
If you store information on European citizens (referred to as Data Subjects) in a database, outlook contacts, a spreadsheet, paper files or anywhere else – you need to follow the new rules.
Although many of the rules are similar to the current directive, the key differences are, as mentioned, that this is a regulation rather than a directive and, more importantly, the size of the fines for infringement.
The rules allow for fines of up to 4% of the annual worldwide turnover of an organisation or €20 million, whichever is the higher.
Many recruitment firms will not wish to risk a fine that could destroy the business. Further, GDPR explicitly gives data subjects the right to compensation in cases of relevant non-compliance.
GDPR requires all personal data collected to be gathered lawfully, and for specific purposes only. In addition, it must be used solely for the purposes for which it was collected.
Consent to store or process data has to be explicitly given by a clear, affirmative action.
Consent is not indefinite: time limits need to be established for erasure or review, and consent can be revoked at any time.
Whilst it appears that some publicly available data is exempt (where a log-in is required to access the data, it is unlikely to be defined as publicly available), any commentary or information about the candidate which goes above and beyond this (and could potentially result in a person missing out on an opportunity) would not be exempt.
A data subject is entitled to request access to any data held about them (and this should include any notes and comments about the data subject). They also have the right to rectify or erase the information. Typically, recruitment firms will be unable to charge for this service, and it should be provided “without undue delay and at the latest within one month of receipt of the request.”
Where data has come from a source other than the person, the subject is entitled to know where it originates from. This will potentially affect confidential sourcing. Candidates will need to be told, and consent established, within 30 days of the collection of the data.
Decisions based purely on automated processing are not allowed. However, so long as human intervention is involved, this should not be problematic. Technologies associated with automated “Searching and Matching” of candidates to jobs may be more problematic.
In the event of a data breach, notification should typically occur within 72 hours.
There are new rules relating to the transfer of data outside of Europe. Currently, only 11 countries are considered “adequate” from a data protection perspective. If you wish to send data overseas, you will need a legal justification for it. Data transfer to the US is covered by the “Privacy Shield”, and your vendor should already be registered for it. We are on that list but, unfortunately, very few recruitment solution providers currently are.
All of these rules apply to data that you may collect in future, but also to any data you have previously stored in your systems. The fact that data was stored before the rules came into force will not be considered a justification for not treating it appropriately.
See GDPR (Privacy Audit setup) for details on setting up Infinity to help manage your data.
See Privacy Audit for details on the Lawful Basis processes.

If you require further assistance please contact Voyager on:
| Option | Department | Contact |
| --- | --- | --- |
| Local | +44 (0)800 008 6262 | |
| Overseas | +44 (0)1256 845 000 | |
| Press 1 | New Business Sales | hello@voyagersoftware.com |
| Press 2 | Support | support@voyagersoftware.com |
| Press 3 | Customer Services | clientsuccess@voyagersoftware.com |
Visit our website for future events and clinics www.voyagersoftware.com
Version 4.87
Voyager Software is a brand of Ikiru People Ltd, a subsidiary of Dillistone Group Plc. The group is a leading global provider of software and services that enable recruitment agencies and in-house recruiters to better manage their selection process and address the training needs of individuals. Across its brands – which include Voyager Software (recruitment software UK & Australia), Dillistone FileFinder executive search software, GatedTalent, the global database of the world’s leading executives, Talentis.Global – the next generation of recruitment software and also ISV.Online, provider of online pre-employment skills testing and training tools. Dillistone Group serves thousands of clients worldwide. Ikiru People Ltd: Registration Number 02043300. Registered in England & Wales.