Robert de Souza, Chief Data Protection Officer, a featured speaker in our upcoming Data & Insight Conversation, joined us to discuss the impact of the new General Data Privacy Legislation (GDPR) on the in-house recruitment industry.
Robert will be discussing “How the New General Data Privacy Legislation (GDPR) Will Affect your Recruitment Processes”
Find out more about the Data & Insight Conversation here: Tickets & Agenda
Q: What is GDPR and why will it affect in-house recruitment teams?
A: The General Data Protection Regulation (GDPR) will become legislation in the UK in May 2018. It is designed to safeguard European Union (EU) citizens’ personal data privacy rights. GDPR will affect all UK and European organisations and any country doing business with any EU state. GDPR will give individuals far greater control and rights over their personal data in several ways, including consent, the power to access your personal data, to rectify or erase information held about you, the right to be informed and the right to be forgotten.
There is no doubt that the changes to GDPR will have a significant impact on in-house recruitment teams. Any company that operates in the EU, or that processes data on EU citizens, will be subject to GDPR, regardless of where information is stored.
GDPR will have a similar impact on technology suppliers in relation to tools that are used for managing the recruitment process, and those who act as a data controller or data processor will be required to comply with GDPR. In-house recruitment teams will have to show that their systems and technology are fully GDPR compliant.
With severe non-compliance penalties of EUR20 million or 4% of worldwide turnover, GDPR will make organisations fully accountable for their approach to data compliance.
Whilst there are significant financial penalties for failing to comply with GDPR, GDPR provides an opportunity to improve the quality of data, strengthen relationships and demonstrate the value of your service.
Q: What can companies do to prepare for this?
A: You should be doing the following:
Your organisation at all levels needs to be made fully aware that the law is changing with the introduction of the GDPR.
Analysis has to be carried out defining your current ‘as is’ processes. A ‘to be’ process needs to be carried out in line with the new Regulation and a gap analysis performed. This will indicate the work required to ensure your organisation will be compliant by 2018.
It would be beneficial at this time to create a ‘Risk Register’ if your organisation does not already have one. Implementing the ‘gap’ identified in the analysis could have a resourcing impact, which would need to be considered in relation to organisational budgets.
During the two-year period your organisation needs to prepare to implement significant change. The impact of that change should not be underestimated.
Information your organisation stores
A full information audit will need to be carried out to ascertain where and how all your data is currently held. Furthermore, your organisation will need to ensure that any future data storage plans fully align with the GDPR.
The GDPR has been brought up to date to consider a connected world. Therefore, if your organisation shares data with other organisations and the personal data is incomplete, your organisation will have to inform the other organisation of the missing data so that organisation is able to bring its records up to date.
By carrying out the above, your organisation will be complying with the GDPR’s accountability principles, which require your organisation to demonstrate its compliance with the data protection principles, such as having detailed and documented procedures and processes in place for the management of data.
How your organisation communicates private information
How your organisation communicates private information will need to comply with the GDPR and thus changes will need to be made.
Under the new Regulation there is additional communication to individuals that will need to be considered. One of these changes is that your organisation will need to explain the legal basis for the data your organisation is processing and how long your organisation intends to retain that data.
Individuals will have the right to complain to the ICO if they feel your organisation is mishandling their data. This can lead to an investigation by the ICO, which could lead to a fine if a breach is identified.
Rights for the individual
Your organisation needs to ensure that its procedures cover individual rights. This includes the process of how your organisation would remove personal or private data electronically following a repeatable format.
These individual rights under the GDPR are:
- subject access,
- to have inaccuracies corrected,
- to have information erased,
- to prevent direct marketing,
- to prevent automated decision-making and profiling, and
- data portability.
The rights indicated above currently exist under the Data Protection Act 1998, but with additional improvements and reinforcements.
A new right introduced is one of data portability. This is an improved form of the need to provide data in a consistent electronic format in relation to subject access.
Subject Access requests (Individuals requesting access to their data)
Your organisation will need to amend and update all its processes and procedures in relation to handling subject access data requests. Under GDPR the processes have changed.
If an individual makes a subject access request, your organisation will not be able to charge for consenting to a request and will have one month to comply. This currently stands at forty days.
If your organisation chooses to refuse a request it must have detailed processes and procedures in place to clearly demonstrate why the request has been refused. Furthermore, your organisation will need to supply more information to the individuals who are making the request. This will cover information on how long your organisation intends to retain that individual’s data. The individual will also have the right to ensure that the data regarding them is accurate.
An organisation holding large amounts of data will have to consider how it intends to handle the logistics of managing the requests in relation to responses back to individuals.
The Legal basis for the processing of personal data (What are you doing and why are you doing it)
Your organisation needs to understand the various types of data processing it does and establish the legal reasons for doing so. This should be fully documented in line with the GDPR accountability requirements.
Data controllers need to be able to clearly demonstrate that an individual gave consent in line with the GDPR. To that end, your organisation needs to ensure that it has the right systems in place to demonstrate this clearly and without any ambiguity.
Your organisation needs to consider how it intends to put measures, procedures and processes in place to clearly verify an individual’s age and to collect parental consent for any data processing action.
The GDPR will be introducing significant protective measures for children’s personal information. A child in the UK will be defined as under the age of 13. Therefore, any personal data, pertaining to children, being collected by your organisation will require parental consent for that data to be lawfully used.
An important point here is that any consent must be verifiable and any privacy notices aimed at children must be written in language that children can fully understand without any ambiguity.
Your organisation must ensure that it has the correct procedures and processes in place to report a breach, investigate the breach and fully document the breach.
Failure to formally report a breach to the ICO (UK) can result in a fine as well as a fine for the actual breach.
Data Protection Impact Assessments and Data Protection by Design
Please refer to the ICO for guidance in these areas or work with a consultancy like ourselves to assist your organisation. www.thedpcs.com
Data Protection Officers
Your organisation should put into place a Data Protection Officer or a company such as the D.P.C.S (www.thedpcs.com) to take responsibility for all data protection and compliance matters. Ideally this role should be at a senior level and, dependent on the size of the organisation, at board level.
On the basis that your organisation works at an international level, your organisation should ensure that it fully understands what supervisory authority it comes under.
Q: What are the ongoing commitments and how will this evolve?
A: There are six key principles that underpin the GDPR:
- Personal data must be processed lawfully, fairly and transparently
- Personal data can only be collected for specified, explicit and legitimate purposes
- Personal data must be adequate, relevant, and limited to what is necessary for processing
- Personal data must be accurate and kept fully up to date
- Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing
- Personal data must be processed in a manner that ensures its security
Failure to comply with any of the above key principles will be considered a breach. It will be the sole responsibility of the Data Protection Officer and the Data Controller to ensure the above principles continue to be measured and evolve in relation to your company’s evolution.
Q: What additional advice are you able to offer?
A: GDPR is a terrifying prospect. It will have a significant impact on all organisations, how they gather data and how that data is organised. GDPR is backed with the very real threat of some substantial fines.
GDPR writes a business case for itself: not meeting this regulation will cause not just reputational damage but loss of clients, loss of revenue, sanctions and a fine that can be up to 4% of a company’s annual worldwide turnover or €20m (whichever is higher).
This Regulation is not something that can be ignored with the hope of not being breached. It will become UK legislation despite Brexit. Companies must therefore begin to put measures in place to comply with GDPR. A programme will be needed to implement GDPR.
Organisations that adhere to GDPR and can evidence it will have a greater advantage once GDPR becomes legislation in the UK.
For full details of Robert’s ‘How the New General Data Privacy Legislation (GDPR) Will Affect your Recruitment Processes’ presentation and for details of our full agenda, click here.