The General Data Protection Regulation (GDPR) will come into effect across the EU on 25 May 2018. Post-Brexit, the GDPR will continue to apply to any organisation based outside the EU that provides services within the EU.
So what are the most important changes?
The definition of personal data
Personal data is any data which relates to or identifies a living person. The GDPR will expand the definition of personal data to include both location data and biometric data.
The rights for individuals
The GDPR will enhance the control an individual has over their personal data. Organisations will need the individual’s express consent to process their data unless they can rely on an alternative legal basis (see below). Express consent means consent that is actively and freely given (no opt-out boxes).
Additional rights for individuals include:
- The right to withdraw consent
- The right to request that any incorrect personal data is corrected (rectification)
- The right to request that their personal data is erased (the right ‘to be forgotten’)
- The right to data portability
The obligations on organisations
The GDPR will also impose new obligations on organisations:
- Organisations will need express consent to be able to process data. They will no longer be able to rely on pre-ticked or opt-out boxes. However, organisations may also be able to rely on ‘legitimate interests’ and ‘necessary for the performance of a contract’ to process data, but these must be used only where appropriate. For recruiters, legitimate interest could be used to provide work-finding services generally, but express consent would be required to transfer personal data to another party, such as an umbrella company.
- Some organisations will have to appoint a data protection officer (DPO) because of the nature and volume of personal data that they collect (e.g. significant amounts of sensitive personal data) or because they are a public authority.
- Under the existing Data Protection Act, individuals have the right to make a subject access request (SAR) to find out what data an organisation holds on them. Organisations can currently charge up to £10 per SAR and must respond within 40 days. However, under the GDPR, organisations will no longer be able to charge for a SAR except where the individual makes repeated or unfounded SARs. They will also have to respond within one month, though this can be extended to two months where the request is particularly complex.
- Organisations will have to adhere to the accountability principle, which means they will have to show how they are complying with the GDPR, i.e. that they have appropriate processes in place to inform individuals of their rights, manage requests to withdraw consent, and rectify or delete data when requested.
- The GDPR allows member states to apply appropriate sanctions for non-compliance, including fines of up to 20 million Euros or four per cent of annual worldwide turnover (whichever is higher) for the most serious breaches.
How the REC can help
The REC legal team have created a GDPR FAQ section and factsheet for members on our legal guide. The REC have also engaged with the Information Commissioner’s Office to develop recruitment specific guidance. We will continue to support members so that they are well prepared for the changes ahead.