Recruitment and GDPR – what does it all mean?
On 25th May 2018, the EU's General Data Protection Regulation (GDPR) comes into force. It replaces the current Data Protection Act (DPA), harmonises data protection rules across the EU and gives individuals a greater level of control over their personal information. One thing to note is that even though this is an EU initiative, it will not be affected by Brexit.
If the data controller, the processor (the organisation) or the data subject (the person) is located in the EU, the regulation will apply. It will also apply to organisations outside the EU if they process the personal data of EU residents. Personal data could cover a name, an email address, bank details and even a photo, although it is not exhaustively defined by the legislation, so regional differences need to be taken into account. If you hold data about individuals, you are responsible for the way it is stored and for making sure that only those who are authorised have access to it. The way data is shared is also important, so the right controls have to be put in place.
As a recruitment agency, now is the time to evaluate the data you hold for recruitment purposes and the data you need to cleanse.
Your recruitment process and the key elements
Under GDPR, individuals have the right to access the data held about them, to have inaccuracies corrected and to have information erased. They should also not be subject to decisions based on automated processing unless they have given sufficient consent, and they will have the right to appeal the decisions made. If your recruitment process involves an element of automation, you must be honest about what you are doing and obtain the relevant consent. You will also be required to update your privacy policies so they include any new information that you are required to tell people, such as what you do with their data.
What are you required to do?
You will need to take responsibility for the data you hold and review your policies and procedures. You will also be required to make it clear how you obtain data and to have the correct consent in place. Your policies and privacy notices must be as open and honest as possible, and you must respect the wishes of individuals who want to be removed from the data you hold. You will also be required to ensure that someone is in control of, and takes charge of, data protection.
Dealing with a Data Breach
A data breach in this instance would involve causing harm to individuals through their personal details being compromised. However, it does not necessarily mean that the reliability of the business is lost.
Therefore, becoming compliant with GDPR and understanding all there is to know about it will ensure you handle and control data in the right way.