GDPR Everything You Need to Know & Do for GDPR
Our objective is to provide business owners with some clarity on what they need to do for GDPR.
What is GDPR?
The EU’s General Data Protection Regulation (GDPR) is intended to strengthen and unify data protection for all individuals within the European Union.
What we know as Victorious Job Search Ltd about GDPR
In the UK, the regulation replaces the Data Protection Act 1998.
When was GDPR created?
The GDPR (Regulation (EU) 2016/679) was adopted by the EU in April 2016.
When will the GDPR apply?
The GDPR will apply in all EU member states from 25 May 2018.
Does Brexit matter?
The UK is implementing a new Data Protection Bill which largely mirrors the provisions of the GDPR, so the requirements described here will continue to apply after Brexit.
Who does GDPR apply to?
The GDPR applies to ‘controllers’ and ‘processors’.
What’s the difference?
A ‘controller’ determines the purposes and means of processing personal data; a ‘processor’ processes personal data on behalf of the controller.
Source: article 4 of the EU GDPR.
e.g. the controller could be a limited company and the processor could be a firm doing the actual data processing on its behalf.
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), however there are new elements and changes to processes.
Please note that while we endeavour to be as accurate as possible, this material is general information only and not intended to provide legal advice.
What information does the GDPR apply to?
Like the DPA, the GDPR applies to ‘personal data.’
For most organisations that keep HR records, customer lists, contact details etc., the change to the definition should make little practical difference.
You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.
Processing data under GDPR
The GDPR requires you to maintain records of your processing activities.
For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data.
These are often referred to as the “conditions for processing” under the DPA. Lawful conditions for processing:
- Consent: the data subject has given consent to the processing of their personal data for one or more specific purposes.
- Contract: processing is necessary for the performance of a contract with the data subject, or to take steps at their request to enter into a contract.
- Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
- Vital interests: processing is necessary to protect the vital interests of the data subject or of another person.
- Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests: processing is necessary for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
What should I do to ensure we’re processing lawfully?
- Identify and document the lawful basis you rely on for each processing activity.
- If you rely on legitimate interests, record your assessment of that legitimate interest, to show that you properly considered the rights of your data subjects.
Consent
Consent is one of six lawful grounds for processing data (see ‘Lawful conditions for processing’).
When do you need to seek consent?
According to Elizabeth Denham, Information Commissioner, ICO: Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.
The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.
Examples of lawful consent requests:
What isn’t consent?
Consent requests must not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way.
Withdrawing consent
It must be as easy to withdraw consent as it was to give it. This means you will need to have simple and effective withdrawal mechanisms in place.
Consent assessment activities and actions:
Individual Rights
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA, but with some significant enhancements.
The GDPR provides the following rights for individuals:
GDPR and Recruitment
Controller
In general, recruitment businesses rely on an individual’s consent to justify data processing. However, GDPR changes the legal bases for the collection and processing of personal data, applying stricter requirements for consent.
For example, you will have to gain separate consent from a candidate when you use their data for an unrelated purpose.
It’s wise to revisit existing processes and revise them if necessary. Areas to review include candidate acquisition processes and marketing. You may need to ask existing candidates to re-register and remove any candidates who have not consented. You may also need to give candidates additional clarity about how you collect and use their personal data.
Data sharing
If you currently act as a data processor (e.g. if you collect and process an individual’s personal data on behalf of another company, such as part of an RPO or payroll arrangement), under the GDPR you will have direct responsibility for your own compliance.
It is recommended that you review key client contracts.
Removing data
Under GDPR, there is a new right to have personal data erased where the data is no longer required, where consent is withdrawn or where the processing is unlawful.
However, you can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation, or to perform a task carried out in the public interest or in the exercise of official authority;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
- for the establishment, exercise or defence of legal claims.
A glossary of GDPR terminology
Explicit Consent
Definition: A freely given, specific, informed and unambiguous statement or clear affirmative action by which the data subject agrees to the processing of their personal data.
Personal Data Breach
Definition: A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.