GDPR: Myth Vs Reality
GDPR Compliance for Recruiters
The eBoss team has been working solidly to ensure easy GDPR compliance for recruiters who have chosen to use our products. Getting compliant does not have to mean late nights, endless re-papering, and repetitive administrative tasks. But, with less than six months until new laws come into effect, confusion on the subject is difficult to ignore.
So how much do you know about your new legal obligations? Have you fallen foul of the urban myths surrounding the new data security laws? The following post addresses some of the most common misconceptions about GDPR compliance.
GDPR applies to every organisation established in the EU, and to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour. Note that the test is where the individuals are, not their citizenship: a candidate living in Dublin is protected whatever passport they hold.
That scope means a business anywhere in the world can be required to demonstrate GDPR compliance. You do not need a physical presence in the EU. If your customer, client or candidate base includes people in the EU, you should be able to show that your processing of their data is compliant.
There is no minimum size for an organisation to be liable for fines and penalties under GDPR. That commonly-repeated statistic – ‘4 per cent of annual global turnover, or €20 million’ – applies to everybody. GDPR compliance for recruiters operating on a local level is every bit as serious as it is for multinationals.
The figures quoted above are the maximum penalties for the most serious breaches (for example, unlawful processing, invalid consent, or ignoring data subjects’ rights). The cap is whichever of the two figures is higher, but a regulator may impose a lower fine, or none, depending on the nature, gravity and duration of the breach. A lower tier, capped at 2 per cent of annual global turnover or €10 million, applies to breaches of obligations such as record-keeping, security measures, breach notification and DPIAs.
Believing that GDPR only affects newly collected data is one of the most dangerous assumptions to make. From 25th May, 2018 the regulation applies to all personal data you hold, whenever it was collected, including the CVs and contact details already in your databases. If your processing of that existing data is not compliant on that date, you are in breach of the law. Good-faith intentions are not a defence.
Depending on the data you hold, and on how your existing consent was obtained, you may need to re-obtain permission from data subjects. Existing consent only carries over if it already meets the GDPR standard: freely given, specific, informed and unambiguous, obtained by a clear affirmative action, separate from other terms, as easy to withdraw as to give, and recorded so you can prove it. Pre-ticked boxes and consent bundled into terms and conditions do not qualify. Where your old consent falls short, either seek fresh consent or establish another lawful basis for the processing, such as legitimate interests, and document which basis you rely on.
As a data controller, you remain responsible for personal data throughout the processing chain, not only while it sits on your own systems. You may only use processors (CRM vendors, job boards, payroll providers, cloud hosts) that give sufficient guarantees of compliance, and each must be bound by a written contract setting out the subject matter, duration, purpose and security obligations of the processing. Assess the readiness of your service providers before May 2018, and keep the evidence. If you process data on behalf of another controller (that is, you act as a processor), you need that controller’s prior written authorisation before engaging a sub-processor, and you remain fully liable to the controller for the sub-processor’s compliance.
In many instances, it will not be necessary to appoint a Data Protection Officer. However, this must be assessed on a case-by-case basis.
A DPO is mandatory if your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (for recruiters this can include health, ethnicity, trade union membership and criminal records data). Public authorities must appoint one regardless of volume. The DPO advises on and monitors Data Protection Impact Assessments (DPIAs), but carrying out the DPIA remains the controller’s responsibility, and a business that needs a DPIA does not automatically need a DPO.
Equally, if your day-to-day operations, or your data management network, are exposed to an elevated risk of breach or hostile attack, it is good practice to retain the services of a DPO even where one is not mandatory. A DPIA is required before you begin any processing likely to result in a high risk to individuals, particularly where new technologies are involved, and it should be revisited whenever your company changes how it processes data in a way that changes that risk.
Your data protection officer will be responsible for risk assessments and for prior consultation with the ICO (the Information Commissioner’s Office, the UK supervisory authority; businesses elsewhere deal with their own national authority) where a DPIA shows a high residual risk that you cannot mitigate. So check with your legal team if you are in any way unsure of your obligations concerning the appointment of a DPO.
This post is an edited excerpt from the eBoss White Paper “The Definitive GDPR Guide for Recruiters”. Inside, you will find a step-by-step guide to full compliance, plus clear and concise explanations of GDPR regulation.
Download your free copy of the eBoss white paper on GDPR compliance for recruiters here.