The processing of personal data is part and parcel of recruitment. Recruiters process candidate and client data on a daily basis. Therefore, it’s essential that recruiters get to grips with the new EU General Data Protection Regulation which will come into effect from 25 May 2018.
Data protection law has been around for many years. The first Data Protection Act (DPA) in the UK was introduced in 1984. This was subsequently replaced by the 1998 Act. So, how much of the GDPR is actually new? How does the GDPR compare to the Data Protection Act (1998)? What are the similarities and differences? We outline the key areas of change below.
1. Personal data - enhanced
The GDPR will enhance the definition of personal data as it will now also include identification numbers, location data and online identifiers to reflect technological advances in society.
2. Sensitive personal data - enhanced
The GDPR will now include genetic and biometric data and will omit criminal convictions and offences from its definition of sensitive personal data.
3. Subject Access Requests – changed
The rules around Subject Access Requests (SARs) will change in the GDPR. The GDPR will remove the fee that is chargeable under the DPA and will reduce the time limit during which a business must respond to a request to one month, down from the 40 days currently available under the DPA.
4. Right to data portability – new
The right to data portability will be a completely new right under the GDPR, allowing individuals to receive their personal data in an organised, machine-readable format.
5. Right to erasure – changed
The GDPR will explicitly outline the right to erasure and will no longer require individuals to prove that the processing of their personal data caused them substantial damage or distress, which is currently a requirement under the DPA.
6. Record-keeping requirements – new
The GDPR will place a new obligation on organisations to maintain internal records of all data processing activities.
7. Accountability principle – new
The GDPR will introduce a new ‘accountability principle’ in an effort to increase accountability and effective governance in data processing.
8. Data protection by design and by default – new
The GDPR will encourage a ‘privacy by design’ approach to data protection known as data protection by design and by default. This will require organisations to adopt measures that adhere to GDPR data protection principles such as data minimisation and pseudonymisation.
9. Data protection officer – new
The GDPR will create a new obligation for some organisations to appoint a data protection officer who will be responsible for ensuring the organisation’s compliance with the GDPR.
10. Penalties – enhanced
The GDPR will levy higher fines than the DPA. Monetary fines will increase to €20 million or 4% of the annual global turnover of the previous financial year (whichever is higher).
What is the REC currently doing?
We have created a GDPR hub for members. It includes FAQs, factsheets, guides and webinars developed by our legal team. We are also in discussions with the Information Commissioner’s Office to develop recruitment specific guidance for our members. We will be releasing this in the coming weeks.
In addition, we are running a series of GDPR seminars this autumn, which will provide you with a detailed understanding of the GDPR and the business critical steps you need to take to fully prepare. You can book a place on our events page.