Why the New EU Data Protection Rules Will Still Apply After Brexit
We are on Platform 50 but the train leaving Europe has yet to depart.
We know it will, and we know that the UK will not necessarily be bound by the General Data Protection Regulations (GDPR). So does that mean that recruitment companies can wave goodbye to all data protection and forget forever the GDPR until certainty is introduced?
Should you forget the GDPR ?
Nein, non and nee. The GDPR has been agreed by all the EU countries after 4 years of discussion, disagreement and negotiation. The aim of the GDPR is to strengthen, simplify and unify the different regimes. It was due to have direct effect on the UK (and will on all EU countries) in 2018. What exactly happens for the UK depends upon the negotiations.
But even if we are not bound by the GDPR, it will remain of critical importance because:
- If we do wish to trade with the EU countries, then they will require that we treat personal data with something approaching the same seriousness as they do, i.e. it is highly likely that we will adopt legislation similar to or modelled on the GDPR.
- Any country outside the EU which processes data on behalf of an EU country will be bound to handle that data within the GDPR parameters.
- It contains a lot of good sense and best practice about how to handle personal data.
What should your recruitment company be doing now?
Our present legislation, the Data Protection Act (DPA), gives companies very good reasons to handle personal data with sensitivity and thought. Recruitment companies routinely handle large amounts of personal data about candidates and other people so compliance is extremely important.
If your company fails to take data protection seriously and fails to protect personal data, then it risks:
- reputational damage
- fines of up to £500,000 (this will be increased to up to 4% of your annual worldwide turnover or 20m euros, whichever is higher, under the GDPR)
- wasted management time
The steps recruitment businesses should take now are:
- Understand what personal data you hold (and why)
Review what personal data you hold, why you hold it, where you obtained it from, and who you share it with (and why).
- Consider your policies
Review any data protection policies you have and consider what, how and who keeps policies up to date. The GDPR requires 'data protection by design' and operates on an 'accountability principle'. This is good sense. It is the approach recommended by the ICO to ensure compliance with the DPA .
- Review and update your privacy notices in light of GDPR
Individuals need to know what you are going to do with their data, and who you are going to share it with etc. This is done through a privacy notice.
- Check that you have procedures in place to take individuals' rights seriously.
Under the GDPR, individuals will have the right to know what information is held about them, but also they will have rights to have inaccuracies corrected, to have information erased, to prevent direct marketing and a right to data portability (this requires that you would have to provide data electronically). These rights are enhancements to DPA rights.
Now is the opportunity to test the capacities of your organisation. How able are you, now, to locate data and to delete it? Who in your organisation would take these critical decisions?
- Review how you obtain 'consent'
One of the most challenging areas under the DPA is that of 'consent'. Consent to use personal data cannot be inferred from silence, pre-ticked boxes or inactivity. The GDPR does not require that consent is 'explicit' but it must be freely given, specific, informed and unambiguous. This is good sense and supported by the ICO. If you are going to rely upon implicit consent, then you must be ready to deal with a challenge as to how, e.g., unambiguous the consent was. It may be that it can be properly inferred but the need to be ready for a challenge is important.
- Consider your security systems now
The most embarrassing and damaging cases are the result of failing to keep personal data 'secure'. Security breaches arise through a range of different failings, e.g. not checking who is to receive the email, through loud conversations on trains, through hacking, etc.
Consider your security systems now:how secure are they? What training do staff have? Is personal data encrypted? What breaches might result in an obligation to report? How would you mitigate harm to individuals?
- Familiarise yourself with key concepts and consider introducing them as best practice
There are certain key expressions in the GDPR such as 'data protection by design', 'the Accountability Principle', 'privacy by design' and 'data minimisation'. These expressions almost speak for themselves. There is one important expression which brings with it a specific obligation: 'privacy impact assessments' (PIAs). A PIA is required where there is significant change in the processing of data and in particular where there is a risk to data subjects.
- Appoint a Data Protection Officer
It is mainly public bodies which are required to appoint a Data Protection Officer. But it makes sense for any organisation affected by data protection to ensure that it complies with the DPA. The best way of doing that is designating a capable interested person with the responsibility for ensuring that the obligations are met.