On the 25th May the new EU General Data Protection Regulation (GDPR) came into effect, replacing the previous regulations set out in the Data Protection Act 1998. Companies now need to be able to demonstrate consent and a valid legal basis for any personal data they hold. On top of this, there are new responsibilities around accountability, and individuals have had their rights enshrined, including the right to be informed about the collection of their personal data, to have access to their data and to have their personal data erased.
AT A GLANCE
The GDPR is an EU law, so it applies to any organisation that processes the data of EU residents. Any organisation found to be non-compliant with the regulations will be subject to a hefty fine and an inevitable reputational blow. UK companies will have to comply with GDPR even after Britain has formally left the EU, as it was confirmed last year in the Queen’s Speech that the regulation will continue to form part of UK law following Brexit.
GDPR applies to electronically stored personal data as well as to manual filing systems. The processing and storage of data is an essential aspect of our business and of the wider industry in which we operate, and the new legislation will have fundamental effects on our right to hold and use this data.
SUBJECTS, CONTROLLERS AND PROCESSORS
The GDPR makes reference to three categories that will be relevant to our organisation:
Data subjects – job candidates are data subjects because we hold identifiable information about them: their names, addresses, email addresses and phone numbers are all examples of this type of information.
Data controllers – employers and recruiters are data controllers because they are responsible for the collection of candidate data. Under GDPR, data controllers are held accountable for the protection and lawful use of this data.
Data processors – we act as data processors whenever our processing activities are carried out according to the instructions of a third party. It is entirely possible to act as both a data processor and a data controller at different times, depending on the task that is being completed, so it is vital to understand the distinction between the two and which role is being performed at any given time.
GDPR clearly has major implications for the recruitment industry. In order to demonstrate compliance, we now need to keep records of the data we process, how this processing is undertaken, where our databases are located and how long data is retained.
As the new regulation is so comprehensive, we have worked tirelessly to ensure that GDPR compliance has become an ingrained part of the culture here at Mainline. All of the correct systems and frameworks have been put in place to allow for this, and our work has been checked meticulously. Further to this, our employees have undergone extensive training to ensure that they fully understand their new responsibilities, and we will continue to go above and beyond what is required to remain in line with the new legislation.