The deadline has come and gone

The deadline for GDPR implementation has come and gone. A firmly fixed date in the minds of all businesses was 25 May 2018 – the legislation implementation date set by the Information Commissioner's Office (ICO). In the run-up to this date our personal email accounts were heavily laden with emails from many companies: some we probably remember having dealings with, and others we may find hard to believe still hold our contact details from many years ago.

All companies have likely adjusted their privacy policy, added opt-in and opt-out options, changed access rights and thoroughly purged their databases. This is a vast simplification of what we know has consumed many hours of time from lawyers, managers, administrators and many others all around the country.

It’s about getting it right, not huge fines

Dizzying fines of up to 20 million Euros or 4% of global annual turnover (whichever is higher) are outlined in the legislation for organisations that fail to adhere to GDPR or that suffer a data breach. However, the reality is that the ICO seems more interested in helping companies get it right than in imposing huge fines and tying itself up in costly disputes and court cases. The key factors, as far as we can see, are the intention to comply and every reasonable step being taken to comply: personal data must be stored securely and only used for an appropriate reason which has been authorised by the data subject.

For us recruiters it seems this would require demonstrating that we are using people’s data appropriately and fairly. Gareth Cameron from the ICO has stated that “As the digital space has matured in the last 20 years, so has the need for recruiters to mature their data collection and processing transparency”. He goes on to say “fundamentally, it’s about regulation trying to aid growth. Trust and confidence is crucial, and transparency and accountability are key”.

Gareth Cameron’s top 5 – A Recap

(1) Understand what is going on in your business.

(2) Understand what information you have, what you’re holding, and your storage / processing policies.

(3) Communicate to your subjects (candidates and clients).

(4) Understand your legal justification for processing others’ data.

(5) Do you transfer data overseas? If so, research what the recipients of that data have as their policies and procedures.

All eyes are on the ICO to understand how the new regulations will operate after the GDPR implementation deadline. It has been speculated that the ICO fines imposed previously have been conservative in nature; we will wait and see if this remains the case going forward. Elizabeth Denham, the Information Commissioner, has indicated that infringements in any areas previously covered by the Data Protection Act 1998 would be viewed dimly and that a grace period was unlikely to be given, as businesses have had a long time to prepare.

Making sure you are continuing to be GDPR compliant

In summary, GDPR is here and you need to work with it by understanding what, why and how you are using candidate and client data when recruiting. If you aren’t doing this, fix it fast! If you have already addressed things, make sure you continue to assess and understand how data is used in your business, with a focus on being transparent and accountable for the data you hold, so that candidates and clients can be confident in your services and in how their data is stored and used.