- Graham Hansen
Graham Hansen, Associate in HRC Law’s Commercial team, knows next year’s data protection changes will impact all sectors.
Some industries, however, may have more to consider when it comes to ensuring they’re compliant for next year. Here he explains more and gives recruiters three areas to focus on now to ready themselves.
The General Data Protection Regulations (the GDPR) come into force on 25 May 2018. You’ll have to make some important changes to the way you deal with personal data in your business. Some of these will take time to implement, so, if you haven’t already, you should start preparing now. I’d suggest starting with the areas below.
You can’t pretend it isn’t going to happen. Make sure someone within your organisation understands what will change and has responsibility (and power) to ensure that your business is compliant in time. GDPR will impact on different businesses in different ways. Whoever is internally responsible for compliance should know enough about how your business operates to spot bespoke problem areas. The use of job boards or the sharing of candidate information and CVs will need consideration by recruiters.
There’s lots of information on GDPR. The Information Commissioner’s Office’s website is a great place to begin. If you have questions, get answers quickly. Many service providers, like ourselves, offer training on GDPR. Use these and other opportunities, to learn as much as you can.
Have a discussion around whether you need to appoint a data protection officer. If you need somebody in this role, you will need to consider where they will sit within the business and how you’ll ensure their independence and involvement in governance. One thing is for certain; someone will need to be identified as the individual responsible for GDPR compliance.
- Don’t reinvent the wheel
GDPR will have bigger and sharper teeth than its predecessor, with:
- Substantial penalties for non-compliance including fines of up to 4% of annual worldwide turnover or 20 million euros for the worst violations;
- Obligations (and potential liability) for data processors as well as data controllers, meaning the net will be spread wider;
- More mandatory provisions (including a mandatory obligation to report breaches, and a requirement for a data protection officer, in many cases), meaning less ‘wriggle room’ to escape liability;
- Extension of rights for individuals, including new rights to be ‘forgotten’, to object to processing and to bring claims; and
- Stricter requirements when obtaining consent for processing and storing data.
The good news is that the new legislation builds on many of the concepts and principles used in the current legislation. If you comply with data protection laws now, you’ll have firm foundations to build on. If you don’t, then it’s high time to get your foundations in place.
Central to this will be a document review focusing: (i) internally on existing data handling policies and staff training; and (ii) externally on customer-facing terms and privacy policies, as well as contracts with any third party with whom you share data.
- Carry out an information audit
Look at how your business uses personal information and what your record keeping looks like. This will help you to highlight problem areas and to prioritise when and where to focus your initial energies.
At a minimum, you need to know: what personal data you hold; where it came from; and who you share it with. You should also consider which lawful basis you rely upon when processing data (e.g. do you have a candidate’s consent to share their data?).
Within this, you should consider your organisation’s technology measures and processes. It may be worth storing pseudonymised data whereby an individual could not be identified by the data stored for enhanced security. This may not always be practical within recruitment. Recording is key and the creation of a running log to capture the basis and duration of processing.
Obtaining effective consent will be harder under GDPR (e.g. using ‘pre-ticked’ boxes to obtain candidates’ consent wouldn’t wash from next May). Instead, you’ll have to demonstrate consent is clearly and freely agreed on an informed basis. And that it must be as easy for a candidate to withdraw consent if they choose. It may be worth reviewing and updating the consents you currently hold for your candidate database.
You will need to ensure clear obligations are contained in contracts with third parties when data is shared, as well as detailing how liability will be apportioned. This could be with clients, jobs boards and subcontractors where you are the controller. It will also be worth reviewing the data protection clauses and provision of information to employees within employment contracts.
Once you’ve carried out your data audit, draft an action plan. Target areas that will most impact on your business (or take longest to implement, like contractual re-negotiations). With only seven months to go, the end goal is to ensure that by next May, you and your business will be GDPR ready.
Graham Hansen is Associate in HRC Law’s Commercial team