GDPR stands for General Data Protection Regulation. It applies from 25 May 2018. The new rules were adopted by the European Union to replace the 1995 Data Protection Directive, which in the UK was implemented as the Data Protection Act (DPA) 1998. The GDPR is more specific than the DPA and places more responsibilities on both the data controller and the data processor.
If you are a recruitment agency, you need to be able to show transparency and accountability in how you protect the personal data of your clients and candidates.
A data controller is an organisation or person who determines the purposes for which, and the means by which, personal data is collected and processed.
A data processor is an organisation or person who processes personal data on behalf of a controller, on the controller's instructions, for specific purposes or services.
Implementing the GDPR is a company-wide business project, not just an IT project. The following aspects need to be considered and reviewed:
Many data breaches are caused by staff error or process failure rather than by a technical attack. Training staff to recognise personal data and to handle it correctly will prevent many common breaches.
A data audit is essential for any company that stores or processes personal data. The audit maps each category of personal data you hold and records where it comes from, how it is generated, where it is stored and who it is shared with.
A privacy impact assessment (PIA, called a data protection impact assessment or DPIA in the GDPR) demonstrates that your organisation takes data protection seriously. It helps you understand the risks and issues that surround your use of customer and candidate data. A PIA will help you identify data that is:
• Out of date
• Being disclosed to the wrong people
• Used in a way that the data subject did not know about or agree to
• Not kept securely
The PIA should also confirm that each system records only the data that is needed for its purpose. If a system receives more data than it needs (for example, a full CV where only contact details are required for a mailing list), the organisation should not be recording the excess.
Make sure you have a lawful basis for processing the data, and document it. Consent is one of the lawful bases the GDPR recognises (others include performance of a contract and legitimate interests). Where you rely on consent, it must be freely given, specific, informed and unambiguous, and you must be able to demonstrate that this is the case. Consent obtained by default, for example through a pre-ticked box, silence or inactivity, is not valid under the GDPR. Keep a record of who gave consent, what they consented to, when and how they did so, and make withdrawing consent as easy as giving it.
The GDPR requires certain organisations to appoint a Data Protection Officer (DPO): public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health data or criminal records, both of which a recruitment agency may handle). The DPO monitors compliance with the Regulation and provides advice on data protection when requested. Other organisations may appoint a DPO voluntarily.
Your suppliers may be important to the success of your business, but if there is a security breach at a supplier's site and your data is compromised, your customers are likely to blame you for the loss, and as controller you remain responsible. Each supplier should undergo a review of their IT security, which may include analysis of their technical controls, operational platforms, procedures and processes. You must also understand what your suppliers do with any data you pass to them. The GDPR additionally requires a written contract with any processor, setting out what they may do with the data; a processor may act only on your documented instructions.
If you or any of your suppliers store data in the cloud, it is important that you know where your data is physically stored. Confirm this with your cloud supplier. If they have storage or backup arrangements outside the EU/EEA, you need to know where your data is normally held and under what circumstances (failover, support access, backups) this may change.
It is important that you and your staff know what to do if there is a data breach, just as they should know what to do in the event of a fire. The key to taking quick and decisive action is knowing that you have a problem in the first place. There are many good monitoring systems on the market designed to watch your data and report unusual activity; knowing that you are under attack lets you contain it early. Bear in mind that under the GDPR a breach that is likely to result in a risk to individuals must be reported to the supervisory authority (the ICO in the UK) within 72 hours of your becoming aware of it, and to the affected individuals where the risk is high, so your breach procedure needs an owner, a decision path and a clock.
Recheck the way your firewalls and network are configured. Separately, ensure that you have a business need for every data field you collect and store. For example, if you take payments through a payment provider such as PayPal, you still receive the payments but never have to handle or store card numbers. Holding less data reduces its value to criminals and may remove your company as a worthwhile target.
Do you or any of your suppliers send data outside the UK or the EU? If so, the transfer is lawful only where the GDPR's safeguards apply, for example a European Commission adequacy decision for the destination country or standard contractual clauses with the recipient, and any data centre that handles the data must do so in accordance with the Regulation.
Your network is the front line in preventing unauthorised external access and is the first place an attacker should meet barriers. If you hold valuable personal data, you should use reasonable measures to protect it. You should also ensure that contractors and new employees are checked; this may be as simple as following up on references. Remember that a perimeter firewall does nothing against someone who already has internal access, whether a malicious insider or an attacker using a compromised account.
You should review any privacy notices you use to ensure they comply with the GDPR. You probably already have a privacy notice on your website, but under the GDPR it is likely to need expanding, for example to state your lawful basis for processing, how long you keep the data and the rights the individual has.
The GDPR gives data subjects (in most cases your candidates and clients) the right to access their personal data and to exercise that right easily and at reasonable intervals, so that they can check it is correct. For this reason, consider developing an online system that lets people see their own data. While this is simple to suggest, it has serious security implications: the system must reliably authenticate the requester and must show each person only their own records, since a self-service portal that returns whatever record identifier the user supplies would itself be a data breach.
Under the GDPR the rights of the individual are:
The right to be informed – You are obliged to provide fair and clear information about your processing, usually through the privacy notice, written in clear and easily understandable language. You must specify how you use personal data, your contact details, the purposes of collecting and processing it, who you send it to, and, where processing relies on consent, that the data subject can withdraw their consent at any time.
The right of access – The data subject has the right to obtain confirmation that their data is being processed and a copy of what you hold. You must respond without undue delay and in any event within one month, normally free of charge. Where possible, the controller should provide remote access to a secure system that gives the data subject direct access to his or her own personal data.
The right to rectification – Data subjects are entitled to have their data rectified if it is inaccurate or incomplete. If you have disclosed the data to a third party, you must inform them of the rectification unless this proves impossible or involves disproportionate effort.
The right to erasure – The data subject has the right to request the deletion of their personal data where there is no longer a reason for its continued processing, or where they have withdrawn the consent on which the processing was based.
The right to restrict processing – When processing is restricted, you may store the personal data but may not process it further. You may need to review your procedures to ensure you can identify when you are required to restrict processing.
The right to data portability – This is a new right under the GDPR. It allows the data subject to request a copy of the data they provided to you in a structured, commonly used and machine-readable format (for example a CSV file), where the processing is based on consent or a contract and is carried out by automated means. This lets them take a copy of their data and pass it to another organisation, such as a different agency.
The right to object – You must inform individuals of their right to object at the earliest opportunity and in your privacy notice. An objection to direct marketing must always be honoured; an objection to processing based on legitimate interests or a public task must be based on "grounds relating to his or her particular situation", and you must then stop unless you can demonstrate compelling legitimate grounds that override it.
Rights in relation to automated decision making and profiling – the GDPR includes provisions to safeguard individuals against the risk that a potentially damaging decision is taken without human intervention. It gives them rights to challenge and request a review of the decision.
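The online access system suggested above, and the rights of access and data portability listed here, all hinge on one thing: the portal must take the requester's identity from the authenticated session and return only that person's records. The following is an added example written for this page, not code from the original article or from any real recruitment system; the candidate records, the session model and every function name are assumptions made for illustration.

```python
"""Added example: a minimal self-service subject-access and data-portability
handler for a recruitment agency. Two points are demonstrated: the subject id
comes from the authenticated session, never from a request parameter, so one
candidate cannot browse another's record; and the portability export produces
only that subject's data as CSV. All names and data here are constructed."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data store: candidate id -> personal data the agency holds.
CANDIDATES = {
    "c-1001": {"name": "A. Example", "email": "a@example.invalid",
               "consent_marketing": True, "consent_recorded": "2018-05-25T09:00:00Z"},
    "c-1002": {"name": "B. Example", "email": "b@example.invalid",
               "consent_marketing": False, "consent_recorded": "2018-06-01T12:00:00Z"},
}
# Applications are keyed by candidate id, as they would be in a real system.
APPLICATIONS = [
    {"candidate_id": "c-1001", "job_ref": "J-77", "status": "interview"},
    {"candidate_id": "c-1002", "job_ref": "J-77", "status": "rejected"},
    {"candidate_id": "c-1001", "job_ref": "J-80", "status": "submitted"},
]
AUDIT_LOG = []  # accountability: every access or export request is recorded


@dataclass
class Session:
    """What the login step established; subject_id is bound at authentication."""
    subject_id: str
    authenticated: bool = True


class AccessDenied(Exception):
    pass


def _subject_record(session: Session) -> dict:
    if not session.authenticated:
        raise AccessDenied("login required")
    # The id is read from the session only. A client-supplied id (e.g. ?id=c-1002)
    # is never consulted, which is what prevents one subject reading another's data.
    if session.subject_id not in CANDIDATES:
        raise AccessDenied("no data held for this subject")
    return CANDIDATES[session.subject_id]


def subject_access(session: Session) -> dict:
    """Right of access: return what is held about the requester, and only them."""
    profile = _subject_record(session)
    apps = [a for a in APPLICATIONS if a["candidate_id"] == session.subject_id]
    AUDIT_LOG.append({"subject_id": session.subject_id, "action": "access",
                      "at": datetime.now(timezone.utc).isoformat()})
    return {"profile": dict(profile), "applications": apps}


def portability_export(session: Session) -> str:
    """Right to data portability: the same data as a machine-readable CSV string."""
    data = subject_access(session)
    AUDIT_LOG[-1]["action"] = "portability_export"
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["field", "value"])
    for key, value in data["profile"].items():
        writer.writerow([key, value])
    for app in data["applications"]:
        writer.writerow([f"application:{app['job_ref']}", app["status"]])
    return out.getvalue()


def access_by_url_id(session: Session, requested_id: str) -> dict:
    """If a URL must carry a record id (e.g. /me/c-1001), it is still only a
    hint: the record returned is the session's own, and a mismatch is refused
    rather than silently served."""
    if requested_id != session.subject_id:
        raise AccessDenied("requested record does not belong to the requester")
    return subject_access(session)


if __name__ == "__main__":
    print(portability_export(Session("c-1001")))
```

The same pattern applies whatever framework is used: resolve the subject from the session or token, filter every query by that id, and write an audit entry, because under the GDPR you must be able to show who received what data and when.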
The questions below will help you prepare your recruitment agency for the new regulations, so that you are able to demonstrate GDPR compliance.