The General Data Protection Regulation (GDPR)

about 6 years ago by Clare Cazaly

It is on its way. GDPR, a new piece of EU legislation, will be introduced on 25th May 2018 and applies to all.

It will replace the current Data Protection Act (DPA) and seeks to unify data regulations within the EU whilst giving people greater control over their personal information.

Even though GDPR is an EU initiative, Brexit will not affect its introduction in the UK.

What is personal data?

The European Commission states that personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address.

The upcoming GDPR requirements present some significant challenges for recruitment agencies, for example:

  • Every new candidate must expressly give consent to your agency's terms of use, so no more automatic opt-in
  • You need consent before you can use candidate data for anything, e.g. passing this information to a 3rd party (your clients)
  • You need to keep documented proof of this consent and of any subsequent consent provided to share candidates' details with a 3rd party
  • Any candidate can request to be forgotten, removed, or even deleted, so working out a workflow that enables them to do so is going to be key
  • Email and SMS marketing must be opted in to by the candidate, and you must be transparent about how and when they did this
  • If you store data about people, you are responsible for its safekeeping and security, as well as for ensuring that only the right people have access to it.

What should we do?

  • Be accountable: take responsibility for your data cycle
  • Review your existing policies and procedures
  • Justify obtaining data through consent
  • Make your policies and privacy notices transparent
  • Respect the right to be forgotten
  • Work with your suppliers and partners and see what they can do to make you compliant
  • Make someone responsible for data protection

What happens if you are breached?

The definition of a data breach is something that causes harm to people because their personal details are compromised. It does not necessarily mean harm to the integrity of the business or financial loss.

In the case of a personal data breach, data controllers shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority unless the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons/individuals.

As this applies to any business, I would urge you to speak to all your suppliers and clients to ensure that you have everything in place; the clock is ticking to make sure that you are compliant.