There will be a number of new obligations and fines of up to €20m or 4% of global turnover (whichever is greater) for organisations that do not comply.
The government has clearly stated that the GDPR will apply, and will continue to apply, regardless of Brexit. Put shortly, the GDPR is here to stay.
As recruitment businesses hold and use large amounts of personal data on their candidates, clients and staff, they will need to understand the GDPR and ensure their business is GDPR compliant prior to 25 May 2018.
Recruitment businesses normally rely on the individual's implied consent as the basis for processing their personal data.
For example, when a candidate submits their CV, this is generally treated as broad implied consent to use the candidate's personal data to put them forward for the specific roles they want to apply for and to carry out any processing which is ancillary to the recruitment business' services. This includes, for example, adding them to the recruitment business' candidate database (which may be hosted by a third party cloud provider) and contacting them about future vacancies which the recruitment business believes may be of interest to them (perhaps many years later).
Under the GDPR, consent must be freely given. It must also be specific, informed and unambiguous, and requires affirmative action from the individual. Therefore, it will be much more difficult for recruitment businesses to rely on consent. In particular, the fact that an individual has not objected to their personal data being used in a certain way or has posted their personal data on publicly accessible professional and social media sites such as LinkedIn will not be sufficient to amount to consent.
The GDPR contains extensive requirements around record keeping and being able to show a paper trail of compliance.
You will also be required to include additional information in your privacy notices. For example, the notice must set out the purposes for which the data is going to be processed, how long the data will be retained, and must state the right to have personal data deleted or rectified.
There will also be a requirement to inform individuals about their right to complain to the Information Commissioner's Office (ICO), the data protection regulator.
The GDPR expands on the obligation to take appropriate technical and organisational measures to keep personal data safe. It introduces mandatory breach reporting within 72 hours and, in certain circumstances, the individual may also need to be notified of the breach.
You will need to check that your contracts with your data processors (ie any third party who handles personal data on your behalf such as certain IT suppliers) contain clauses that provide the protection required by the GDPR.
The GDPR makes significant changes to subject access requests, including shortening the time period to respond. It also clarifies existing rights such as the 'right to be forgotten', which will require you to delete data in certain situations. It also introduces various new rights including the right to 'data portability', which allows individuals to obtain a copy of their personal data in a commonly used and machine-readable format, and the right to transmit their data to another data controller (eg a rival recruitment business).
Our Recruitment Sector team is experienced in advising recruitment businesses on GDPR. If you would like assistance with GDPR compliance, we would be happy to help.