The EU General Data Protection Regulation (GDPR) is the result of four years of work to bring data protection legislation in line with new ways that data is used.
Designed to unify privacy laws across Europe, the GDPR sets out to give individuals better data privacy rights. It places a greater degree of control over personal data in the hands of the individual.
You must protect the candidate data you hold.
Personal details such as candidate names, addresses, passport details and bank account information are commonplace in agency systems, which means that you must take measures to protect this data.
You must restrict access to candidate data to specified personnel within your business.
If, for example, you export candidate data into spreadsheets that sit outside your controlled systems, you create copies that are hard to track and secure, which raises the risk of a data breach. Even a printed CV that identifies a candidate, left in an unlocked desk drawer where unauthorised people can read it, can amount to a personal data breach.
Before collecting data, you must tell the candidate who you are, how their personal data will be processed and whether a third party will be involved.
Candidates are usually informed via a fair processing (privacy) notice at the point of collection. The notice can take different forms depending on how the data is collected: read out verbally over the phone, printed on a form, or displayed as CCTV signage. A notice informs the candidate; it does not by itself constitute consent, and consent is only one of the lawful bases on which you may process their data.
Within the GDPR framework, candidates can make subject access requests (SARs) at any time, i.e. ask to see the personal data you hold about them. You must normally respond within one month.
As well as the right of access, candidates have the right to have inaccurate data corrected (rectification), the right to erasure (the "right to be forgotten", which is not absolute), and the right to data portability, i.e. to receive their data in a structured, commonly used, machine-readable format.
If there is a personal data breach, you must inform the supervisory authority and, where the breach is likely to result in a high risk to them, the affected candidates.
Clear protocols must be in place so that staff and any processors you use report a breach to you without undue delay, and so that you can notify the supervisory authority within 72 hours of becoming aware of it, where feasible. If the data was supplied to third parties, the protocol should also cover informing them.
Failure to comply with the GDPR can result in severe financial penalties.
The GDPR enables fines of up to 4 percent of annual global turnover or €20 million, whichever is higher, and they apply to data processors as well as data controllers. For a small business this could be catastrophic.
Processed lawfully, fairly and transparently
You must have a lawful basis for processing personal data. Consent is one such basis, but so are, for example, performance of a contract and legitimate interests, and you should record which basis you rely on. When collecting personal data, you must also tell the data subject who you are, how the data will be processed and whether it will be disclosed to any other parties.
Collected for specified, explicit and legitimate purposes
You must only collect personal data for legitimate and specific reasons, and you must inform the data subject of these reasons.
Adequate, relevant and limited to what is necessary for processing
You should not collect more personal data than you need to meet your processing requirements.
Accurate and kept up to date
You must take reasonable steps to ensure personal data is accurate and kept up to date. This includes correcting or deleting inaccurate personal data, including when a candidate informs you of a change.
Kept in a form that allows the identification of data subjects only as long as necessary for processing
Your organisation should have a data retention policy that sets out how long each category of record is kept and how it is securely destroyed when that period ends.
Processed in a manner that ensures its security
Personal data must be kept secure using appropriate technical and organisational measures (for example access controls, encryption and pseudonymisation) to protect it against unauthorised or unlawful processing and against accidental loss, damage or destruction.