GDPR - Are You Ready?
The new General Data Protection Regulation (GDPR) came into force on 28 May 2018 and is one of the most robust and powerful sets of data laws introduced in the European Union, giving new rights to:
- Employees that want their personal data destroyed
- Employees that want the right to be forgotten and have their consent withdrawn
- Employers to receive support to manage their data more securely
- The Information Commissioner to defend their consumer interests and issue fines
- Individuals who want to request personal data an organisation holds on them
- Customers to be able to transfer their personal data from one service provider to another
The new changes and rights give candidates, employees and clients more control over how their data is used or kept. They push businesses and employers to store data carefully, with the possibility of being penalised if data is misused, regardless of whether the misuse was intentional or accidental.
Large corporate organisations, businesses, HR departments and recruitment agencies such as SRGEurope that process personal data daily are required to have formal consent beforehand to hold an individual’s data. If data is being held, the individual can also request the right to be forgotten and to have their data erased.
Personal data takes many forms including internet cookies, IP addresses and DNA. As an online recruitment agency, SRGEurope takes every step to ensure that we comply fully with the GDPR.
As a recruitment agency, we’re already well adjusted to protecting our candidates’ and employees’ personal data. However, the GDPR has brought in significant changes in how we manage consent to obtain and process data, data rights, subject access rights and breach reporting.
Managing Consent To Process Data
Previously, consent to obtain data would have been outlined in a contract clause. Under the new regulations, consent has to be given in a more informed and defined way, making clear how a candidate’s data will be used. Subjects will also be able to access their information whenever they want.
New Rights As Data Subjects
With employees and agency workers having more say over what happens to their personal data, they also have the right to have their data corrected or blocked. They can even request the return of their data to reuse it to apply for a new role elsewhere.
Subject Access Rights
The right to make subject access requests also applies, where an individual can ask for more information if they need it. Employers will have 40 days to provide the requested information.
Any complex requests can be replied to within an extended timeframe of two months, in order to comply properly with the information requested. The agency worker or candidate must be informed within one month of the request why the extension is needed.
New breach reporting processes need to be adhered to by any individuals responsible for processing data within an organisation.
Any breach of personal data that occurs within an organisation must be reported to the Information Commissioner within 72 hours. If this is not possible, there must be a valid reason why the breach was not reported.
Examples of a breach of data could include:
- An email sent to the wrong recipient
- A lost laptop or mobile phone
- Stolen files
The breach only needs to be reported if it poses a risk to personal data.
The initial proposal for GDPR was released in 2013, and it was formally adopted in the EU in 2016, with member states having two years to roll it out by May 2018.