Over the last 6-12 months, the vast majority of recruitment agencies have been beginning to focus more and more on reviewing their approach of data processing to address the upcoming GDPR legislation. To give you a simple need to know guide, we have compiled the answers to the 8 most frequently searched questions in Google about GDPR.
What Is GDPR?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is the much anticipated legislation that aims to further safeguard and standardise individuals’ data across European (EU) member states for all citizens.
The EU’s GDPR website says the legislation is designed to “harmonise” data privacy laws across all EU member states as well as give greater protection and rights to individuals. But why now?
You only have to think about how data collection and processing has changed in your industry since the 1990s to recognise the necessity to revise these regulations – it really was only a matter of time. What this means for organisations across EU member states is that they will have to audit and amend their data processes for individuals, accordingly, to comply with the new and updated laws.
When Does GDPR Come Into Force?
The new GDPR regulation comes into force for all EU member states from 25 May 2018. This means that you will have to have changed your processes before this data or risk incurring the increased fine. The new legislation was agreed to by all member states of the EU on 24th May 2016 giving businesses two years to comply.
Who Enforces GDPR?
Each member state of the EU will appoint Supervisory Authorities (SA) who will be in charge of enforcing GDPR. These SAs will be responsible for upholding GDPR regulation in their own individual states coordinated by the European Data Protection Board. They each have investigatory and corrective powers meaning that they can:
- Conduct audits
- Issue warnings and reprimands
- Impose bans
- Suspend data transferring
- Issue administrative fines
The rigour with which the SAs enforce the legislation will depend entirely on the individual SAs and member states themselves. According to IT Governance, historically, this has differed quite significantly with Germany and Spain typically being toughest on data protection in comparison to the Republic of Ireland, which has a track record of being lenient.
Will GDPR Replace The Data Protection Act (DPA)?
Simply – yes.
The GDPR supersedes the 1995 Data Protection Directive (DPD) which was issued to all European states. The UK’s 1998 Data Protection Act will be superseded by a new DPA that will enact the GDPR requirements.
What Are The Maximum GDPR Fines?
The maximum fines under GDPR have increased to €20m (Approx £17.6m) or 4% of an organisations annual global turnover, whichever is larger.
This is a huge increase on the DPA’s current maximum fine of £500,000 but the Information Commissioner’s Office (ICO) has assured that fines will not become the norm. Writing in August 2017, the Information Commissioner, Elizabeth Denham stated that, “issuing fines has always been, and will continue to be, a last resort”. In fact of the 17,300 cases concluded in 2016/2017, only 16 of them resulted in fines.
Are GDPR Fines Insurable?
As GDPR has not come into effect yet, there is not a definitive answer to this question and it will depend on a case by case basis. In brief, if a business is deemed to be committing a criminal offence, it seems likely that they will NOT be insured against GDPR fines under the principle of the “illegality defence.” The “illegality defence” prevents a claimant from pursuing a civil claim against another party if the claim is based on the claimant’s own illegal acts.
If you would like a more comprehensive answer on this topic, read brownejacobson’s blog.
What Does GDPR’s “right to be forgotten” Rule Mean?
Article 17 of the GDPR, the right to erasure or “right to be forgotten” has become a focal point of the upcoming GDPR. Under the new regulation, it will become an individual right to request the deletion or removal of personal data when there is no compelling reason for its continued processing.
Some of the most common instances where an individual can request erasure are:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- When the individual withdraws consent
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
- The personal data was unlawfully received and processed (i.e. otherwise in breach of the GDPR)
Want to read Article 17 in full?
Will GDPR Apply After Brexit?
Due to the fact that GDPR will come into force some 10 months before the expected end of the United Kingdom’s EU membership, businesses and organisations will have to prepare regardless of changes Brexit may undertake.
It is still wholly unclear what effect Brexit will have on data protection laws but the best estimate is that the UK’s data protection laws will aim to uphold the key tenets of GDPR, namely the increased rights of individuals’ data privacy and the increased transparency by which businesses process data.
How Will GDPR Affect Recruitment Agencies?
In our July 2017 GDPR blog, we outlined the key impacts that GDPR will have on recruitment agencies in terms of changes to processes, data management and documentation.
We have also published a GDPR eBook covering the following topics:
1. What GDPR means for recruitment agencies.
2. What recruitment agencies need to consider.
3. The candidate data-related Eclipse Recruitment Manager 4 software configuration and functionality options available to you when reviewing your GDPR approach and processes.
4. The top 10 frequently asked questions from clients with the recommended approach with using their Eclipse Recruitment Manager 4 software.
Request your free GDPR eBook today.