Whilst it may still seem some way off, the introduction of the new General Data Protection Regulations (GDPR) next May will have a significant impact on businesses across Europe, and it is therefore essential that businesses begin to review, plan and improve their current processes for dealing with data.
All businesses throughout the UK will need to assess their current procedures. For the recruitment industry in particular, however, the vast amount of data held on candidates and contractors makes it vital to carry out the appropriate measures to ensure compliance with the new regulations.
What is GDPR?
GDPR governs the secure collection, storage and usage of an individual’s personal information in a much more stringent way than current regulations require. A review of regulations, reporting and enforcement of data protection across European Union member states found significant inconsistencies, so GDPR has been drawn up to ensure a clear and unified approach to data protection across the board. Brexit will not affect the implementation of these new regulations, as they apply not only to all businesses based within the EU but also to those businesses dealing with data from the EU.
The consequences of breaching the new GDPR rules are also much stricter, incorporating a two-tier system that will be enforced depending on the severity of the breach.
For breaches deemed to have put highly important data at risk, businesses and organisations will be fined up to €20 million or 4% of global annual turnover, whichever is greater.
For other data breaches, businesses and organisations could be fined up to €10 million or 2% of global annual turnover, whichever is greater.
It seems that fines will be at the discretion of the enforcing body and could have substantial consequences for businesses of all sizes.
Consent & data storage
There are many aspects that GDPR will cover that businesses need to look into, but the issues of consent and storage of personal data are two of the main points that GDPR will tackle.
Under the new regulations, businesses must clearly ask an individual for consent to use their data. This will involve informing an individual of precisely what their data will be used for, as well as giving clear instructions on how they can withdraw consent at any time.
Assumed consent (i.e. automatically adding an individual’s data to a marketing list when they make an enquiry) is no longer acceptable under the new regulations, and neither are pre-ticked opt-in boxes. Individuals must actively consent to businesses using their data for a particular purpose; if a business wishes to use data for multiple purposes, then individual consent must be granted.
Agencies must also ensure their data is stored securely and keep a continual ‘paper trail’ of what data has been collected, when consent was granted, how data is stored and what the data is being used for.
As we have outlined, GDPR will mean significant changes to the processes of some recruitment agencies if they don’t already follow strict data protection protocols. We urge all businesses to begin reviewing and planning how they can ensure compliance as early as possible.