General Data Protection Regulation (GDPR) is on its way. A new piece of EU legislation, GDPR will be introduced on 25th May 2018 and applies to all. It will replace the current Data Protection Act (DPA) and seeks to unify data regulations within the EU whilst giving people greater control over their personal information. Even though GDPR is an EU initiative, Brexit will not affect its introduction in the UK.

If you store data about people, you are responsible for its safekeeping and security, and for ensuring that only the right people have access to it. You also need to apply the necessary controls over how you share this information with others. Now is the time to evaluate which data you need to collect for recruitment and which data you need to cleanse.

Key elements that will affect your recruitment process:

  • Rights for individuals under the GDPR will include subject access, having inaccuracies corrected and having information erased.
  • Individuals have the right not to be subject to a decision based solely on automated processing unless you have their explicit consent, and they have the right to appeal such decisions. If you use automation in any part of the recruitment process, you must seek consent and be transparent about what you are doing and the criteria being applied.
  • Your privacy policies will need to be updated to incorporate the new things you need to tell people such as your legal basis for processing their data.

So, what do you need to do?

1. Be accountable – take responsibility for your data cycle.
2. Review your existing policies and procedures.
3. Justify obtaining data through consent.
4. Make your policies and privacy notices transparent.
5. Respect the right to be forgotten.
6. Work with your suppliers and partners and see what they can do to help you become compliant.
7. Make someone responsible for data protection.

What happens if you are breached?

Article 31 of the GDPR states, “In the case of a personal data breach, data controllers shall without undue delay and where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority unless the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons/individuals”.

A data breach is defined as something that causes harm to people because their personal details are compromised. It does not necessarily mean damage to the integrity of the business or financial loss.

Matt Armstrong, Managing Director, Giant Group

Practical HR and Giant Screening work in partnership to bring clients the very best in employment screening and on-boarding.

For more information on GDPR from Practical HR, please call 01702 216573.