GDPR — Apocalypse or damp squib?
Much like Winter in Game of Thrones, people are saying in ominous voices ‘GDPR is coming’. If you are not aware of what that means, we are talking about the General Data Protection Regulation (GDPR), which will replace the current Data Protection Act in May 2018. It is a big shift in the way we handle data in recruitment.
In fact, it is fair to say that the impact of GDPR is going to affect almost every business in the UK in some way. We don’t really have space in this article to go into all the ins and outs of how the new regulations will affect the storage and use of data, but at the heart of the new legislation are some pretty simple rules.
At this point, we should say that we are not professional advisors on the implementation of the rules, and the following is just our attempt to simplify a very complex area, so please do make sure you understand how the rules work in relation to your own situation.
Accountability and Ownership
Firstly, the core of the new regulation can be thought of as being about accountability and ownership. Accountability means being able to show that you are doing everything possible to collect data in the right way and keep it safe. Furthermore, if a data breach occurs, you will need to report the breach, and what information has been lost, within a reasonable time. Under the DPA there was no such requirement.
As far as ownership goes, the owner of the data, the individual themselves, must be in control of how and why that data is used and also have the right to have it deleted or corrected as they wish. The ‘right to be forgotten’ means that anyone storing data will need to totally delete it if the owner so requests.
Everyone who stores and uses data that is considered personal information will need to have new, stricter reporting in place which will need to be available for inspection if requested. For a recruiter, this is quite a lot of information to account for because we will hold the history and current details of potentially thousands of candidates and clients. What this means is that over the coming months there are going to be a lot of instances where we are all going to need to agree to specific use of our information.
Specific use is another key point of GDPR. When it comes to stored data, the owner will need to have clearly agreed to how that data is to be used, and it cannot be used for anything else. So we are all going to need to be very clear about how we will use the information we gather, and general statements about marketing and so forth are no longer going to be enough. One thing we will almost certainly see disappear is the ‘click to opt out’ style of agreement, which is unlikely to be enough because the new regulations point to specific consent as the bottom line of agreement. So the ‘click here if you do not want to be part of…’ style of assumed consent will be very difficult to justify.
Brexit is unlikely to make a difference
GDPR is a Europe-wide law, and simply having representation in a particular country is enough for it to apply. Brexit is unlikely to make a difference because the law becomes active well in advance of any final say on leaving. At the time of writing, there are already plans in place to shift the law to an even stronger one post-EU membership, which will potentially extend the legislation into social media. For some less organised or unscrupulous companies, the new rules could well be a real problem because the potential fines could be huge.
Here at Jobwise, we have always been very aware of how we handle your data and what we use it for, so right now, apart from the odd adjustment of procedure and paperwork here and there, the GDPR change will be small change for us. For a business that has not already considered its data policy, the new rules could be a pretty big shakeup though and some may even struggle to stay in business altogether.