The regulation applies if the data controller or processor (the organisation) is established in the EU, or if the data subject (the person) is in the EU. In addition, and unlike the Data Protection Directive it replaces, GDPR also applies to organisations based outside the EU if they process the personal data of EU residents, for example when offering them goods or services or monitoring their behaviour.
The European Commission said, "Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address". The legislation does define personal data (Article 4(1): any information relating to an identified or identifiable natural person), but the definition is deliberately broad, and its interpretation by national supervisory authorities can differ. For example, what a UK authority treats as personal data may be assessed differently in France, so account for the member states you recruit in.
If you store data about people, you are responsible for keeping it secure and for ensuring that only the right people have access to it. You also need to control how you share this information with others, including recruitment agencies and screening providers. Now is the time to evaluate which data you genuinely need to collect for recruitment, and which data you should delete.
Key elements that will affect your recruitment process:
- Rights for individuals under GDPR include the right of subject access, the right to have inaccuracies corrected, and the right to have their information erased.
- Individuals have the right not to be subject to a decision based solely on automated processing (such as automated CV screening) that produces legal or similarly significant effects on them, unless an exception applies, for example their explicit consent. Even then, they have the right to obtain human intervention, to express their point of view and to contest the decision. If you use automation in any part of the recruitment process, you must have a lawful basis such as consent and be transparent about what you are doing and the criteria you are applying.
- Your privacy policies will need to be updated to incorporate the new things you must tell people, such as your legal basis for processing their data and how long you will keep it.
So, what do you need to do?
1 - Be accountable - take responsibility for the whole lifecycle of the data you hold, from collection to deletion.
2 - Review your existing policies and procedures.
3 - Be able to justify your legal basis for obtaining data, and where you rely on consent, make sure it is freely given, specific and documented.
4 - Make your policies and privacy notices transparent and easy to understand.
5 - Respect the right to be forgotten.
6 - Work with your suppliers and partners (your data processors) to confirm what they do to support your compliance.
7 - Make someone responsible for data protection.
What happens if you are breached?
Article 33 of the GDPR (numbered Article 31 in earlier drafts) states, "In the case of a personal data breach, data controllers shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority […] unless the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons/[individuals]".
A personal data breach under GDPR is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Whether you must notify is judged by the risk to the people whose details were compromised, not by financial loss or reputational damage to the business. Where the breach is likely to result in a high risk to those individuals, you must also tell them without undue delay.
At Giant screening, we offer you the very best technology and operational support to deliver pre-employment screening and background checking. Why? To enhance your business, from candidate on-boarding through to lasting brand success. We're here to ensure that your candidate's experience is positive, your organisation is protected, and the time to hire is simply right.
If you want to focus more time on your core business and have excellent support for your background checking requirements, contact us today. For a free consultation to review your current processes, email email@example.com or call 020 7167 4554.