A complex piece of legislation was neatly distilled into three main takeaways for graduate recruiters to begin to explore, along with key action points.

1. Consent

Previously, under the DPA 1998, consent could legitimise the processing of ordinary and sensitive personal data. Under GDPR, however, consent must be a freely given, specific, informed and unambiguous indication by a statement or by clear affirmative action. You are required to seek positive opt-in and give the ability to withdraw.

Requests for consent must be:
• clearly distinguishable from other matters
• in an intelligible and easily accessible form
• in clear and plain language

Consent can be withdrawn at any time:
• it must be as easy to withdraw as to give
• the data subject must be told upfront that this is possible (privacy notice)

ACTION POINT 1: Identify justification(s) for processing data:
• Legitimate interests?
• Processing is necessary for performance of a contract or to take steps to enter into a contract?
• Legal obligation?
• Consider impact on privacy notices

2. Privacy Notices

Previously, under the DPA 1998, you only had to publish high-level information to employees, contractors, job applicants etc. about data processing; under GDPR there is a much higher level of transparency. Privacy notices must be concise, transparent, easily accessible and given in plain language.

Privacy notices must explain:
• The identity and contact details of the data controller
• Categories and source of personal data
• Purposes and legal basis for processing – if legitimate interests, these must be specified
• Recipients or categories of recipients
• The period the data will be stored
• Data subject rights: access, rectification, erasure, objection, portability and the ability to complain to the regulator
• The legal basis for transfer to a non-EU country

ACTION POINT 2:
• Ensure your privacy notice is GDPR compliant to avoid an argument of unlawful processing
• Ensure notices contain the mandatory information and are issued to staff ahead of GDPR taking effect
• Ensure that notices are easily understandable and accessible
• Keep notices under review to ensure they accurately capture new data types or changed uses

3. Third Party Contracts

This is where recruiters who outsource to a third party need to pay close attention. GDPR stipulates much greater contractual controls, with prescriptive requirements for binding contracts. Specific clauses must be included, including consent to the use of subcontractors. The data controller decides whether data should be deleted or returned on termination. The controller is supported by the processor providing evidence of compliance and audits, and by notification of any instructions that would breach the GDPR or DP laws. Outsourced providers have direct responsibility for compliance.

Direct obligations on data processors:
• Obtaining the data controller's consent before sub-contracting any data processing
• Maintaining records of processing activity carried out on behalf of the data controller (including any transfers of personal data out of the EU)
• Ensuring appropriate data security and breach notification systems are in place
• Appointing a data protection officer (where applicable)
• PLUS the processor's liability to others (only where non-compliant)

ACTION POINT 3:
• Review arrangements with third parties and ensure they are GDPR compliant – data remains your responsibility!

RECRUITER ACTION CHECKLIST
1. Compliance requires board-level 'buy-in'
2. Do you have a cross-functional team – IT / Compliance / Legal / HR / Finance / PR?
3. Data mapping: Review existing HR data – What is it? Where is it? Who has access? What processes/systems/protections are currently in place?
4. Do current practices meet GDPR requirements? Understanding of e.g. the legal basis for processing data
5. Assess high-risk areas as a priority (reason for processing/data sharing/transfer of data etc.)
6. Action plan for addressing risk: target high-level risk areas first
7. Address risk (minimisation/pseudonymisation/security)
8. Review and amend (or implement new) privacy notices
9. Review and amend contracts of employment, handbooks and policies
10. Develop and implement an internal DP policy, including a policy (and timeline) on handling data breaches
11. Employee engagement and training (general and frontline training, employee awareness, works councils/trade unions?)
12. Keep an eye on the ICO website (and OC!) for new guidance and the progress of the Data Protection Bill through the House of Lords and beyond

For further information please contact Dan Hawes at GRB on 01273-200411 or [email protected]. Rachael Oakley at Osborne Clarke can be reached on 20 7105 7678 or [email protected].