Storing candidate data - How will the GDPR affect the recruitment industry?
Christine Jackson, commercial lawyer with Wright Hassall LLP
Recruitment: it’s all about leads, contacts and connecting people to businesses. It makes good sense to keep that candidate’s data; they will be ready for their dream role in just two to three years. We know the target business, and we keep the candidate warm, following up on the new job, asking after the family, staying close. That’s what recruitment is all about.
Is this about to change? Will the advent of the GDPR on 25th May 2018 stifle our ability to keep on top of these contacts? Is this the end of “How’s the new job going”, “Has Theo started school yet?”, “How did the knee op go?”
The GDPR is bringing more power to the people; it will impose controls on businesses to ensure the people have the freedom to take control over the data we hold about them (and in the above example, their family).
Do you know what is required of your business? How are you preparing for the GDPR? Do you know that the UK Bill implementing the GDPR provides for personal fines for managers, officers and directors who should know (but choose not to), or simply don’t know, what steps should be taken for GDPR compliance?
Below we list some initial critical (and time sensitive) steps/considerations that can be taken to prepare your business for May next year and to maintain a level of compliance with the GDPR going forward:
- Are you a data controller or data processor? This is vital to ensure you make the appropriate preparations as, although there is some overlap, particular requirements apply to each role. You may find you operate in both capacities depending on whether you determine the purposes for processing data (controller) and/or act on the instructions of a third party in respect of the processing of data (processor).
- Identify the lead supervisory authority. If you operate in multiple member states, the “lead authority” will have primary responsibility for co-ordinating investigations across all authorities with respect to cross-border data processing activity, for example in the event of a customer complaint, subject access request or loss of data. Identification of that authority will shape the steps towards compliance undertaken by the UK-based business.
- Consider the need for a mandatory Data Protection Officer. Does your business have to appoint a ‘mandatory’ DPO? You’re in the best industry for finding one, but nevertheless the resource is hard to find, not least because of the expertise required, specifically an in-depth knowledge of the laws in all applicable territories. If you decide you don’t need a ‘mandatory’ DPO, you must document your reasoning, analysis and conclusion.
- Accountability. Data controllers must now keep a record of, and be able to provide on request, a wide range of information relating to the personal data they process, including (but not limited to) categories of data subjects and data types, the legal grounds for all processing activity, the data processing activity itself, the location of databases, transfers of personal data, retention periods, and so on.
- Perform a data audit. An audit should involve an overview of all the personal data you collect. For example: what types of data do you process, is it shared with third parties, where did you source the data, is it moved out of the EEA, and what legal grounds have you recorded for this processing? An audit is critical to understanding what you need to do to get compliant.
- Establish the legal basis (or bases) for processing the data. Examples include “affirmative” consent, the legitimate interest of the company, or the need to fulfil a contract. Other legal bases also exist, and whichever you rely on must be recorded by the business.
- Raise awareness. Roll out staff training on the GDPR to all departments.
- Update contracts. Look at your existing contracts and update them to include the mandatory data processor clauses.
- Readiness for new data subject rights. How far must you go to minimise the data you hold? Consider your existing processes and IT provision. What changes or developments are needed to act fast when an individual exercises their rights to rectify, erase, access or transfer their data?
- Review privacy notices. These will need to be updated and are essential in complying with the transparency obligations in the first principle.
- Internal policies and procedures will need to be created, reviewed and/or updated. New technology developments must be entered into only after careful assessment of privacy risks (“Privacy by Design” / Privacy Impact Assessments).
- Create a Breach Response Action Plan and a Subject Access Request Response Plan. Mobilise the business to act promptly in the event of a breach (notifiable within 72 hours) or if an individual exercises their right to request a copy of all data you hold about them, which can be more extensive than you may at first realise. For major breaches, the lead authority will look to see how the breach has been handled by the business, so inspections can and do currently happen.
In essence, the GDPR needs to become part of each business in every aspect of its operations. If this is driven from board level, it will encourage the necessary culture change to ensure ongoing compliance from next May.