The Essential Recruiters Guide to GDPR

1. Why has GDPR been introduced?

There are several reasons:

  • Data Protection laws across Europe are not new; they have existed in their current form in the UK for 20 years.
  • The current EU Data Protection Directive 95/46/EC was implemented in the UK by the UK Data Protection Act (1998).
  • The current Directive, however, was not consistently applied across Europe and needed updating and enhancing in line with technical advances over the past 20 years, e.g. social media, big data, profiling and personalisation, and so on.
  • Improved protection was identified as necessary under the Charter of Fundamental Rights; the regulation focuses on enhancing the rights of individuals (referred to as data subjects) in relation to organisations that control and process personal data.
  • The new GDPR (EU) 2016/679 (noting it's an EU regulation, not a directive this time) was passed in 2016 (2 years ago so we could get ready) and comes into force across the European Union on 25th May 2018, repealing the EU Directive and the UK DPA.
  • BREXIT – The Great Repeal Bill (which includes GDPR) and, as a fallback, a new UK Data Protection Act are both going through the parliamentary legislative process, so either GDPR or a new DPA will be in place post-Brexit. UK Gross Domestic Product (GDP) relies heavily on data processing activities, and this is to protect UK business and its Crown Dependencies in trading with Europe.

2. Which businesses does it apply to?
  • All organisations: private, public, charities, not-for-profit, local and central government.
  • There are no exemptions AS SUCH for smaller organisations.
  • Special Categories of Data and high volumes of data carry higher obligations because of the risks associated with the complexity of that processing. THIS COULD BE RELEVANT REGARDLESS OF ORGANISATIONAL SIZE.
  • Organisations that operate collaboratively as affiliates of other organisations also need to consider how the control and processing of customer data is managed and shared under GDPR across affiliated but independent organisations.

3. What are the main changes to data management under GDPR?
  • The main changes are enhancements to the Data Protection Act (2018). Familiarity with current legislation helps in understanding the impact of the change, which is greater for organisations that have not yet adopted the Data Protection Act.
  • Responsibility sits at the most senior management level in the organisation. Company Directors and Boards are being asked to recognise this and to raise awareness and adoption across their own organisations.

  • Individuals' rights are greatly enhanced. The right to:
    - be informed
    - rectification
    - erasure (be forgotten)
    - accuracy
    - restrict processing
    - data portability
    - object
    - not be subjected to automated decision making, including where profiling is being used.

  • Information you hold – new types of personal data: IP addresses, cookies, biometrics, genetics, CCTV (public monitoring), voice, and physical records, not just digital.
  • The Special Categories of data will require more security rigour around access, anonymisation, encryption, retention and separation.
  • Communicating your privacy policy – what you must tell data subjects is enhanced.
  • Subject Access Requests (SARs) – under GDPR SARs are free (previously chargeable) and response times are quicker: they must be responded to within 1 month (previously 40 days). Many organisations may not currently have the capability to handle SARs.
  • Lawful basis for processing data – must be documented to meet the accountability principle and communicated through privacy-type notices.
  • Consent – required to be affirmative.
  • Children – new specific safeguards.
  • Data Breaches – mandatory reporting within 72 hours (it's not limited).

  • Processors now have enhanced data protection accountability and must maintain records of processing activities.
  • Processors have direct security-by-design and by-default obligations.
  • Processors must inform data controllers of data breaches.
  • Processors must conduct risk assessments when designing and offering services.
  • Controllers must carry out due diligence, e.g. establishing where the data is held and processed, especially if a cloud service is used.
  • Contractual obligations flow down from controller to processor and sub-processor – prior approval of changes must be obtained.
  • International transfer rules apply directly to processors – GDPR protects EU data subjects' data wherever it is controlled or processed.
  • The US Privacy Shield currently ONLY aligns with the old UK DPA (1998) regulation, not GDPR – look for a UK or European alternative or place contractual obligations on the vendors. There is currently no ICO guidance on using US Privacy Shield companies for UK SME organisations.

  • Data Protection by design – more extensive, with more responsibility on processors. Impact assessments are required for new technologies or processes where there is a high processing risk.
  • Organisations need to consider all aspects of security and not make the mistake of believing GDPR is an IT management problem – it's not.
  • Data security includes people, processes, systems and technologies, together with constant awareness, training and vulnerability testing.

  • Currently there is no obligation to report a breach, although ICO guidance recommends that serious breaches are brought to its attention. GDPR requires breaches of personal data to be reported and, in some instances, notified to the data subjects affected.
  • Breach notification has a big impact on data controllers in both the private and public sector.
  • Data Protection Officer – mandatory regardless of organisational size for (1) the public sector; (2) systematic monitoring; (3) certain types of large-scale processing. There is provision to appoint a DPO voluntarily.
  • The Supervisory Authority in the UK is the ICO, which has much broader powers to audit the controller, issue warnings and place a temporary or permanent ban on processing. Maximum fines are €20m or 4% of global turnover, whichever is higher. Under the Data Protection Act (1998) the maximum is £500k.
  • Individuals can sue data controllers to recover material and non-material damage.
  • Organisations that ignore the regulation can expect class actions, social media campaigns and PPI-type claims behaviour.

  • Retention policies for all types and categories of personal data are key.
  • Minimise data retention and ensure policies are tested and audited.

4. How do we deal with the existing mailing lists we have? Can we mail out to existing customers as normal?
  • If 'normal' means consent was previously obtained by using pre-ticked boxes, auto-enrolment relying on opt-out, or silence or inactivity, then the regulation affects the validity of this type of consent and of the data held on existing lists.
  • The regulator provided a two-year lead-up for organisations to resolve this and other foreseeable consent problems with mailing lists.
  • The regulation is quite clear in that 'Consent should be a clear affirmative act establishing a freely given, specific, informed and unambiguous indication to the processing of an individual's personal data (written, electronic or verbal)'.
  • An unticked tick-box for a specific use/service, accompanied by clear statements of privacy rights, is now required to obtain consent as a lawful basis for processing.

5. How do we add contact details to mailing lists going forward?
  • Lawfulness of processing must be assessed before adding new contacts.
  • Legitimate interests can be considered instead of consent, but legitimate interests beyond external regulatory requirements can be difficult to justify.
  • Examples: (1) retention of employee-related data is achievable under legitimate interests during employment. (2) Retaining the CV and other details of an unsuccessful candidate beyond 6 months, citing possible post-application litigation, is not a legitimate reason to keep them any longer; a clear retention and deletion policy will also resolve subject access requests quickly.

6. How do we manage customer data we hold in databases?
  • The lawful basis for holding existing personal data, and the basis on which new personal data is obtained, should be assessed against the regulation, i.e. through a Data Protection or Privacy Impact Assessment.
  • The type of data and its retention period should be justifiable from the perspective of the data subject, not the organisation's.
  • Clear policies on the lawful purpose of and accountability for the data you hold, who has access, its classification, and retention and deletion are all important aspects. Following ICO-recognised codes of practice and obtaining GDPR certification (when available) will become the new normal in protecting organisational reputation.

7. Can we email monthly newsletters?
  • Yes, provided you have a lawful basis for the control and processing of the data used in newsletters.

8. What constitutes permission to add someone to my mailing list?
  • Consent has already been covered in Q3 to Q6 – lawful processing and consent.

9. Do we have to notify people when we are adding them to our database and tell them under what basis, e.g. legitimate interest? Is there a time limit to do this by?
  • The data subject should be aware of the lawful basis for processing, as well as who is controlling or processing their data and for what purpose.
  • The retention period needs to be defined in consideration of the privacy rights of the data subject, not the organisation, in terms of being fair, lawful and proportionate to its use.

10. Do we have to notify people whose details we already have that we have them and why?
  • Provided the reasons for lawful processing already meet the new regulation's requirements, then no.
  • If they don't, then it needs to be assessed on a case-by-case basis and, in more complex situations, supported by a Data Protection Impact Assessment.

11. If we do have to notify new contacts we are adding by phone (as you don't have their email address), can you keep their data until you do get hold of them?
  • It's all personal data, so the same rules apply around lawfulness of processing and the rights of individuals.

12. If you've informed someone by email and there's no response from them, can you assume that we can keep the data because we haven't heard from them?
  • Under GDPR, SILENCE does not qualify as consent.

13. For all the people that we don't hear from, can we still keep their data for an appropriate length of time?
  • If consent is your lawful basis for processing, then SILENCE is not consent and it's not justifiable to retain the data.
  • To avoid misuse by the organisation, QUARANTINE this data from operational use and schedule its destruction date.
  • There is no value in retained data that:
    - is out of date
    - the data subject has not consented to
    - can attract unnecessary and unwanted ICO attention through complaints.

14. I asked this with reference to complying with the rule to notify people within 30 days that you have their data. The response from the ICO helpline for both was that they are not aware of any 30-day rule regarding this!! They asked: where are you sourcing your data from? I said it may be a business referral, and they said that as long as it's fair to process and satisfies your legal basis for processing data, that's fine.
  • The ICO response conflicts with the regulation, so perhaps they misunderstood the question.
  • The 30-day or 1-month rule applies to requests covering the rights of individuals under Articles 15 to 22 following a 'Subject Access Request': the controller must respond without undue delay and in any event within 1 month of receipt of the request. See Chapter III, Section 1, Article 12(3). This may under certain circumstances be extended by two further months (see the same article).
  • Article 14 applies where data has not been obtained directly from the data subject; this also appears in the DPA employment code of conduct, where parties sharing information make themselves known to the data subject. I'm not aware of a time limit, and Article 12 is not associated with Article 14 directly.

15. Does the name of a contact + a phone number = personal data, so you have to tell them? ICO response – yes, it's personal data and you must comply with the principles.
  • The ICO is correct. Data held on individual e-mail accounts on company servers is personal data under GDPR: PERSONAL DATA – HELD – PROCESSED – TRANSFERRED.

16. Emails stored in folders – can we keep these? ICO response – yes, nothing to suggest we can't keep emails.
  • The regulation focuses on the rights of individuals and on the security of controlling and processing data.
  • Lawful basis and common sense, backed up by data protection policies and procedures, need to apply in this area of communications.
  • For example:
    - Individuals meet, exchange business cards and connect on e-mail, with the implication that they both want to explore doing business together. The data now held on individual e-mail accounts on company servers is personal data under GDPR.
    - The individuals then go on to explore specific business opportunities and the personal details are shared on the CRM database for opportunity tracking. This comes under legitimate interests to do business together.
    - The individual then receives product and marketing campaign information, communicated by the marketing team. This first requires the individual's consent and clarity about the purpose for which this information is held.

17. If a recruiter gets permission from a candidate to pass on their CV to a client, does the recruiter have to pass on the candidate's contact details to the client too, so the client can comply with GDPR and notify the candidate that they have their data? ICO response – no, it's reasonable that, if you've got permission from the candidate to pass it on, they already know the client has their CV.
  • The existing ICO-approved 'The employment practices code of conduct (96 pages) – Part 1 Recruitment & Selection' under the DPA advises the following practice and is freely available on the ICO website:
    - If the recruiter doesn't advise the candidate of the employer's identity, at the request of the employer to remain anonymised, the code of conduct requires that the personal details on the CV should also be anonymised until the situation changes.
    - The code is intended to be consistent with other legislation such as the Human Rights Act 1998 and the Regulation of Investigatory Powers Act 2000 (RIPA).
    - It covers the following:
    ▪ applicants (successful and unsuccessful)
    ▪ former applicants (successful and unsuccessful)
    ▪ employees (current and former)
    ▪ agency staff (current and former)
    ▪ casual staff (current and former)
    ▪ contract staff (current and former)

18. Is it correct that you cannot contact a candidate about any other job unless they have agreed you can do this?
  • It depends on the arrangements between the recruiter and the candidate:
    - If it's consent for a particular advertised 'role', then yes, it's restricted to that clear purpose.
    - If it's consent for a 'role' that may become available, then it's restricted to this purpose.
    - Either of these examples requires the recruiter to link to privacy statements that cover, for example, data retention periods that would be considered reasonable and in line with other legislation or codes of conduct, e.g. litigation can follow recruitment campaigns.

19. Is it correct that you cannot send CVs to a client unless the client has agreed you can do this? This would include sending speculative CVs at times when the client isn't hiring. Can we do this?
  • Recipient organisations are sensitive to their own obligations and those of their suppliers under GDPR. They will also have legitimacy-of-processing obligations in this area: when roles do not exist they would be unable to retain the details and would no doubt be required to delete them on receipt.
  • Unsolicited CVs are likely to fall outside the legitimacy for data transfer.
  • As consent needs to be clear and for a specific purpose, it would probably fail on this measure also.
  • This approach should be considered bad practice.

20. In the above 2 points, is it best to get verbal confirmation or does this need to be documented? How should we document it?
  • Verbal consent is problematic, as consent must be accompanied by the notification related to the collection of data, which should be associated with clear and affirmative consent and cover:
    - Identity and contact details of the data controller, as well as the Data Protection Officer if there is one.
    - Purpose of processing, including legitimate interests if being relied upon instead of consent.
    - Period for which the data will be stored.
    - Countries or organisations to which the processor may transfer data, and the level of protection afforded by that country.
    - Source, if not directly from the data subject themselves.
    - Whether providing the data is voluntary or obligatory, and the possible consequences of not providing it.
    - Recipients or categories of recipients with whom the data is likely to be shared.
    - All the data subject's privacy rights, as highlighted earlier. The right to:
    ▪ be informed
    ▪ rectification
    ▪ erasure (be forgotten)
    ▪ accuracy
    ▪ restrict processing
    ▪ data portability
    ▪ object
    ▪ not be subjected to automated decision making, including where profiling is being used.

21. All contacts on a database have to be accurate records, otherwise it would be deemed discriminatory; recruiters should not rely on job boards or LI for data, as it could be out of date. Is this true?
  • One of the data subject's rights is the right to ACCURACY of the data held.
  • Data subjects also have the RIGHT TO BE INFORMED that you have their data if it was not provided directly. This method of obtaining data is becoming increasingly difficult and complex, as we have seen recently with Facebook.
  • Other regulation, not GDPR, deals with discrimination.
  • Recruiters should rely on known, auditable sources of data with clear privacy policies – the most credible being directly from the data subject.