Home » GDPR

GDPR Everything You Need to Know & Do for GDPR

Our objective is to try and provide business owners with some clarity on what they need to do for GDPR. What is GDPR The EU’s General Data Protection Regulation (GDPR) intends to strengthen and unify data protection for all individuals within the European Union.

What we know as Victorious Job Search Ltd about GDPR -In the UK, the regulation replaces the Data Protection Act 1998 and was GDPR created?

  1. To give people more control over how their data is used
  2. To make data protection law identical throughout the single market

When will the GDPR apply?

 The GDPR will apply in all EU member states from 25 May 2018.

Does Brexit matter?

The UK is implementing a new Data Protection Bill which largely includes all the provisions of the GDPR.

Who does GDPR apply to?

The GDPR applies to ‘controllers’ and ‘processors’.

What’s the difference?

  • Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
  • Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

Source: article 4 of the EU GD

e.g. the controller could be a limited company and the processor could be a firm doing the actual data processing.

Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), however there are new elements and changes to processes.

Please note that while we endeavour to be as accurate as possible, this material is general information only and not intended to provide legal advice.

What information does the GDPR apply to?

Like the DPA, the GDPR applies to ‘personal data.’

For most organisations who keep HR records, customer lists,contact detailsetc.

The change to the definition should make little practical difference.

You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.

Processing data under GDPR The GDPR requires you to maintain records of your processing activities.

For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data.

These are often referred to as the “conditions for processing” under the DPA. Lawful conditions for processing:

  • You have consent of the data subject.
  • Processing is necessary for the performance of a contract with the data subject or

to take steps to enter into a contract.

  • Processing is necessary for compliance with a legal obligation.
  • Processing is necessary to protect the vital interests of a data subject or another


  • Processing is necessary for the performance of a task carried out in the public

interest or in the exercise of official authority vested in the controller.

  • Necessary for the purposes of legitimate interests pursued by the controller or a third

party, except where such interests are overridden by the interests, rights or freedoms

of the data subject. What should I do to ensure we’re processing lawfully?

  • Review all of your data processing activities; ensure that they have a lawful basis for

each processing activity.

  • Document what personal data you hold, where it came from, & who you share it with.
  • Where a legitimate interest is the basis for processing, maintain records of your

assessment of that legitimate interest, to show that you properly considered the rights

of your data subjects.

Consent:-Consent is one of six lawful grounds for processing data (see ‘Lawful conditions for processing’)

When do you need to seek consent?

According to Elizabeth Denham, Information Commissioner, ICO: Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.

The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it. Click here to read this article Examples of lawful consent requests:

  • Signing a consent statement on a paper form
  • Clicking an opt-in button or link online
  • Choosing technical settings or preference dashboard settings
  • Responding to an email requesting consent
  • Completing optional information for a specific purpose (i.e. optional fields in a form)
  • Dropping a business card into a box

What isn’t consent?

Consent requests must not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way.

Withdrawing consentmust be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place. Consent assessment activities and actions:

  1. Review your consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, clear, prominent, option, documented and easily withdrawn.
  2. Check your documentation procedure to demonstrate what the individual has consented to, including what they were told, and when and how they consented.

Individual Rights On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements.

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

GDPR and Recruitment Controller In general recruitment businesses rely on an individual’s consent to warrant data processing. However, GDPR changes the legal bases for collection and processing of personal data, applying stricter requirements for consent.

For example, you will have to gain separate consent for processing data for a candidate when you’re using the data for an unrelated process.

It’s wise to revisit existing processes and revise if necessary. Areas to review include candidate acquisition processes and marketing. You may need to ask existing candidates to re-register and remove any candidates who have not consented. You may also need to give candidates additional clarity about how they collect and use their personal data.

Data sharing If you currently act as a data processor (e.g. if you collect and process an individual’s personal data on behalf of another company, such as part of a RPO or payroll arrangement), under the GDPR, you will have direct responsibility for your own compliance.

It is recommended that you review key client contracts.

Removing data Under GDPR, there is a new right to have personal data erased where the data is no longer required, because consent is with-drawn or the processing is unlawful.

However, you can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

  • to exercise the right of freedom of expression and information.
  • to comply with a legal obligation or for the performance of a public interest task or

exercise of official authority.

  • for public health purposes in the public interest.
  • archiving purposes in the public interest, scientific research historical research or

statistical purposes; or

  • the exercise or defence of legal claims.

A glossary of GDPR terminology Further reading Click title to read Explicit Consent Definition: Freely given, specific, informed statement that agrees to the processing of personal data.

  • Implied Consent Definition: Consent that is not expressly given by an individual, but rather implicitly given by their actions and the circumstances of a situation. Personal Data Definition: Any information related to Data Subject that can be used to identify them. Data Subject Definition: A person whose personal data is processed by a controller or processor.
  • Right To Be Forgotten (Data Erasure) Definition: Entitlement for a Data Subject to have their personal data erased, cease its distribution and prevent any third party companies from accessing the data.
  • Subject Access Right (Right to Access) Definition:Entitlement for a Data Subject to have access to the information about them that is held by a data controller.
  • Processing Definition: Any operation, manual or automatic, done on personal data – this includes collection, recording, using, etc.
  • Data Portability Definition: The requirement for controllers to provide a data subject with a copy of their data in an easy-to-use format.

Personal Data Breach Definition: A breach of security that leads to the accidental or unlawful access to, destruction or misuse of personal data.

  • Data Protection Officer Definition: An individual who is an expert on data privacy, and works independently to make sure businesses are meeting the GDPR rules and regulations.
  • Data Controller Definition: The entity that decides the purposes and conditions in which personal data is processed.
  • Data Processor Definition: The entity that process the data on behalf of the Data Controller.

Featured Reviews

View All Testimonials →


Create an Account!
Forgot Password? (close)

Create an Account!

Confirm Password
Want to Login? (close)

forgot password?

Username or Email