Does your business currently process, store or otherwise handle information about its customers? If so, then it’s crucial that you clue up on GDPR and understand fully what your new responsibilities will be.
What is GDPR?
The General Data Protection Regulation (GDPR) is a piece of legislation that will replace the current Data Protection Act 1998. GDPR is designed to update data protection in the UK, to give more protection to consumers and to bring the UK’s data protection regime in line with the rest of the EU. Businesses are being advised to see it as a “step change” from existing data protection laws.
GDPR is set to come into effect on 25th May 2018, once it passes through the House of Commons and House of Lords to become law. There has also been a two-year preparation period to help businesses get ready for the changes.
Among others, the changes will include:
- Widening the definition of what constitutes ‘personal data’
- Tightening the rules for obtaining valid consent when it comes to using personal data
- Making it mandatory for organisations of certain sizes to have a designated Data Protection Officer
- Bringing in mandatory privacy impact assessments for data controllers when breach risks are deemed to be high
- A new requirement for notifying authorities of data breaches
- Introducing the right for an individual to be forgotten.
GDPR and recruitment
The new data protection regulations will affect all businesses and organisations, as well as vital processes such as recruitment. If you are currently recruiting or set to start the search for new talent in 2018, you will need to:
- Review policy on using data from jobs boards
- Amend contractual relationships with all parties with whom you share data
- Start discussions about ‘candidate ownership’ now
- Offer individuals wider access to the data you hold on them and erase data where it is no longer required, where consent is withdrawn or if data processing is unlawful
- Review data security and confidentiality. You may need to take measures such as pseudonymisation or encryption, introduce new data backup and restoration procedures, and regularly test the effectiveness of your security measures.
How can I prepare?
Luckily for businesses, there is plenty of guidance available from the Information Commissioner’s Office (ICO) to help them on the road to full GDPR compliance in time for the May 2018 deadline. The Association of Professional Staffing Companies has also produced this handy list of key points to start you thinking along the right lines:
- Review policies and procedures
- Be accountable for your data cycle
- Name a dedicated person responsible for data protection
- Be transparent with your policies
- Justify obtaining data through consent
- Respect the individual’s right to be forgotten
- Work with your suppliers and partners on GDPR compliance.