The new GDPR regulations are creating a lot of work for businesses to ensure they comply. But what is the GDPR? Our Head of Information Systems, Stinus Anderson, explains why GDPR is giving him a lot to worry about…
I’m having sleepless nights.
Have any of you heard of GDPR? No? Neither had I, to be honest, and when I did, I thought it was just a little fiddle around with the Data Protection Act (DPA).
The General Data Protection Regulation (GDPR) is a new law that replaces the DPA. It will seriously affect almost everything we do, certainly all the information we hold on candidates and client contacts.
The GDPR is a European regulation, and no, Brexit does not get us out of it.
In short, it means that we are only allowed to hold information on persons where they have given explicit consent and we have to be able to prove it. So pretty much something written, e.g. an opt-in on some sort of webpage.
Further, we must keep the data completely up to date. We must only hold the minimum we require to carry out the job that the person has given consent to. You cannot obtain a general consent. For example, a consent that says “Yes, put me forward for any job” is no longer legal. It will, therefore, become paramount that you record your conversations and emails with the candidate via diary notes when requesting consent to be put forward.
Neither can we ask for consent to hold their record indefinitely. This means we will have to get consent every set number of years, 2 or maybe 3. If the candidate does not answer or does not consent, we must delete the record, no questions asked. In fact, the system must adhere to GDPR automatically, so records will have to be deleted automatically.
The person can ask to be deleted at any time, and we must do so. They can ask for access to all the data we hold, and we must provide it without delay or questions. We must not hold data on people under 16 without their parent’s consent. And we must never, NEVER, hold sensitive data that can be traced back to an individual, e.g. sexuality, religion, political beliefs.
This all comes into force on 28th May 2018. So we have a year to get consent from the candidates on our records. Where we have not, we will have to delete the record – no ifs, no buts.
If we get this wrong? Fines of up to 4% of our turnover. A cool £32million.
We are working hard to make the systems do a lot of the work for us. Meanwhile, we are encouraging our employees to read all the information they can on GDPR – so then at least I’m not the only one awake at night worrying…