25th May 2018
Is your Recruitment Business ready?
Prepare your Recruitment Business for the GDPR Deadline today
What is GDPR and Why was it Drafted?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
The EU’s General Data Protection Regulation (GDPR) is the result of 4 years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used in the emerging digital economy.
Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive, but this will be superseded by the new legislation. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their personal data.
The drivers behind the GDPR are twofold.
- To give people more control over how their personal data is used.
- To give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market.
When will it apply?
Businesses have until 25th May 2018 to prepare for GDPR, after which it will apply in all EU member states. It will apply automatically in the UK because it is a regulation, not a directive, so new legislation does not need to be drawn up.
After this date all controllers of personal data must ensure it is processed lawfully, transparently and for a specific purpose. Once the purpose of holding the data is fulfilled and the data is no longer required, it should be deleted.
What is meant by Lawful?
Lawful processing of data can fall under either or both of two circumstances. The first is that the subject has consented to their data being processed. The second is that the processing is needed to comply with a contract or legal obligation, to protect an interest that is ‘essential for the life of’ the subject, is in the public interest, or is in the controller’s or subject’s legitimate interest, such as preventing fraud.
How do I get Consent?
Consent must be an active, affirmative action made by the subject. It can no longer be passive acceptance, for instance where there are pre-ticked boxes or opt-outs. Controllers must also keep a record of how and when the subject gave consent. The subject may withdraw their consent at any time too.
What counts as personal data?
The definition of personal data has been substantially expanded under the GDPR, to reflect the types of information that companies collect on people. IP addresses are now considered to be personal data, as is other data such as economic, cultural and mental health information. Anything that counts as personal data under the Data Protection Act qualifies as personal data under the GDPR.
When can people access the data that is stored on them?
People have the right to access any information a company holds on them, the right to know why the data is being processed, how long it has been stored for and who can see it. The data must be provided in a secure, direct way to them using plain language. If incorrect or incomplete they can then ask for it to be rectified.
The ‘Right to be Forgotten’
People have the right to demand that their data is deleted if they withdraw their consent, object to the way the data is being processed or if it is deemed no longer necessary for the purpose it was collected. This is known as the ‘right to be forgotten’. The controller is then responsible for telling other organisations (such as Google) to also delete any links to copies of that data too.