“How will GDPR affect recruitment agencies? What must recruitment companies do to prepare for GDPR? Will GDPR end executive search as we know it? What does GDPR mean for the future of recruitment agencies?” With only 9 months to go before the GDPR legislation comes into force, recruitment industry leaders are scrambling to prepare their agencies for GDPR, and these are just some of the questions they are considering.
The answers to these questions lead only to more questions, and you begin to understand just how complex GDPR actually is. Lawyers and security experts are upgrading their knowledge of GDPR and have a fair understanding of the law, but there is still a huge grey area when it comes to how exactly the law will be applied in specific circumstances. In this series, we will explore the most important questions that agencies are asking. Subsequent articles will delve into the details of various aspects of the regulation and their interplay with the recruitment sector.
Please note that these answers are for general information purposes and do not function as legal advice.
GDPR (General Data Protection Regulation) is new EU legislation that will replace the DPA (Data Protection Act). The primary purpose of the new legislation is to replace the separate data protection acts in the EU with a unified law, with emphasis on giving EU citizens greater control and visibility over their personal data.
Any company that processes “data about individuals in the context of selling goods or services to citizens in other EU countries” will have to comply with GDPR, whether or not the UK government chooses to enforce GDPR post-Brexit. The UK is already in the process of putting in place laws or mechanisms modelled on the GDPR even if the same regulation is not adopted. As most recruitment agencies in the UK either provide services to EU nations or handle data of EU subjects, GDPR will certainly come into play irrespective of the Brexit terms.
GDPR gives ‘individuals’ or ‘data subjects’ greater control over their data and it puts into place new rules for organizations. The legal basis for storing, collecting, sharing, securing, maintaining/updating and processing data will undergo a major overhaul. Agencies will have to make major changes to a number of data processes in order to comply with the regulation.
After GDPR comes into force, individuals will have a say in how their data is treated; as noted above, the entire data cycle will be impacted. In a nutshell:
Companies will require explicit consent for processing personal data and will need to obtain separate consent for different processing activities. Individuals can also withdraw consent for their personal data, making it impossible to use their data for a specific set of processes, or for all processes.
GDPR penalties will follow a two-tiered approach. For the provisions that are considered of utmost importance to privacy and data protection, businesses that are found to be non-compliant could face potentially steep fines: an upper limit of €20 million or 4% of annual global turnover (based on the turnover for the preceding year), whichever is higher. For breaches that are considered to be of lesser relative importance, the penalty is halved to 2% of annual turnover or €10 million.
It should be noted that these are the highest possible penalties. For comparison, a fine of up to £500,000 is possible under the UK DPA. The highest fine to date, for a very serious breach of the act, was £400,000.
The QX team has been working hard to ensure that our clients and our business are prepared for GDPR before May 2018 and we have our own in-house IBITG certified GDPR practitioner to ensure we are GDPR ready ourselves. All our offices (UK and India) are ISO 27001:2013 and CyberEssentials Plus certified (which covers almost 75% of GDPR requirements) so we are well on the way.
Originally published Aug 11, 2017 09:08:19, updated May 04 2022
Topics: Recruitment Industry News