Are recruitment companies prepared for new EU data regulations?
By Catherine McFarland • 14 Oct 2014
According to new *research, three out of five organisations have not yet taken measures to comply with the forthcoming EU General Data Protection Regulation (GDPR). With data breach sanctions and in-depth auditing on the cards, here’s what recruitment companies need to be doing to take control of their data cycle.
What is the EU data protection regulation?
Drafted by the European Commission, the General Data Protection Regulation will replace the 1995 Data Protection Directive, a legal framework that has struggled to keep up with today’s world of mass information sharing.
The aim of the GDPR is to harmonise the data protection laws already in place across the EU member states. And because it is a ‘regulation’ rather than a ‘directive’, it applies directly in all member states, without each of them having to implement their own national legislation. A bit of a legal ‘one-stop shop’, if you like.
The GDPR is due for adoption in 2015, although some say this could slip to 2017. The consensus, however, is that you’ll need this time to get it right. So, if you haven’t already, now is the time to act if you want to be in line with the new rules by 2017.
Broadly, here’s what you need to do.
How to prepare for the new EU data protection rules
1. Be accountable – take responsibility for your data cycle
Establish a culture that minimises data processing and data retention: collect only the personal data you need, and keep it only as long as you need it. Monitor, review and assess your data processing procedures, so they are auditable and any issues are addressed. The recruitment industry is heavily reliant on personal data, so you can lower your business risk by limiting employee access to data on a ‘need to know’ / ‘need to use’ basis. Do this by setting up access authorisation, copying and encryption rules, and by checking that they are actually enforced.
2. Review your existing policies and procedures
To comply with auditing requirements, you need to prove that you have established appropriate standards and policies throughout your business. So you need to document your data processing operations. The GDPR requires a commitment from data controllers (the organisation that decides why and how personal data is processed, in practice the business owners/directors) and **processors (third parties that process personal data on the controller’s behalf, such as a payroll bureau or hosting provider) to maintain and implement this data processing documentation. And it needs to be made available to the regulator on request. Procedures also need to be set up so you can report data security breaches to the regulator within the deadline. Under the current proposal, a data controller must notify the supervisory authority (in the UK, the Information Commissioner’s Office, ICO) within 72 hours of becoming aware that it has suffered a data breach.
3. If you rely on obtaining consent for data can you justify its use?
Companies don’t always need to obtain a person’s consent to process their data, but if you do rely on consent you should make sure that your documents and forms of consent are adequate. Check that consents are freely given, specific and informed. If questioned, it’s you who has to bear the burden of proof.
If you use personal data for direct marketing, for example, it will be necessary to offer a very clear right for the data subject to object to processing.
4. Make your policies and privacy notices transparent
Whether or not you rely on consent, unless an exemption applies, you will need to inform data subjects of your processing of their data. Policies need to be transparent and easily accessible, so you need to provide this information clearly, in simple language.
5. Respect the right to be forgotten
In theory, the new regulation gives an individual the right to demand that you erase records of their personal information. However, this right to be forgotten will only apply where there is no legitimate reason for you to retain the data, so you need to know where every copy of a candidate’s data lives in order to honour a request. Again, it’s your burden of proof.
Check out this blog on the risks and rewards of the new data protection rules when you bring your own device (BYOD) into the working environment: “BYOD and the Data Protection Act”.
*Research by Kroll Ontrack and Blancco
** For the first time, there are direct statutory obligations on anyone who processes personal data on a controller’s behalf as part of the services they provide to customers. So they, too, will need to maintain appropriate documentation, for example.