General Data Protection Regulation is coming – what it means in practice

The General Data Protection Regulation (GDPR) comes into force on May 25 2018. Information Commissioner Elizabeth Denham – head of the UK’s data protection regulator – has described it as “the biggest change to data protection law for a generation”.

Companies large and small, and across all business sectors, should therefore be preparing for the introduction of the Regulation. You may have noticed some changes being made to data protection practices in the company you work for at present.

As a jobseeker, you will also benefit from changes in how your recruitment agency should handle your personal data.

Your agency will need to be much more transparent regarding why it needs to collect and process your personal data, and which other parties your data might be forwarded to. It will need to inform you of how long your data might be kept for, and of your right to complain to the Information Commissioner if you believe your data has not been handled correctly.

A key concept of the Regulation is that agencies and other companies must identify and explain the ‘lawful basis’ on which they process your data. Your consent is one such lawful basis (others include processing that is necessary for a contract with you or for the company’s legitimate interests), but under the new regime consent has to be freely given, specific, informed and unambiguous: an agency will need to ask for it clearly and separately, rather than burying it in its terms and conditions, and you will be able to withdraw it.

The Regulation also requires agencies to tell candidates if they make automated decisions based on your data, and to give meaningful information about the logic involved. An example might be using a computer system to filter out candidates who don’t possess a particular qualification, or who have a degree class below a 2:1. Where such a decision is made solely by automated means and significantly affects you, you will generally have the right to ask for human review of it.

You will have the right to request access to the personal data that an agency or other company holds about you. This data must normally be provided free of charge, and within one month of the request (which can be extended by up to two further months for complex requests, provided you are told why). You will have the right to have any inaccuracies in your data corrected, and to have information erased where applicable.

Your agency should have appropriate technical and organisational measures in place to protect the security of your data against theft, accidental loss, cyberattacks and the like.

The Information Commissioner’s Office has published a 12-point guide on what companies need to do to prepare for GDPR.

Although the GDPR is a piece of European Union legislation, it will still apply in the UK. The UK will remain a member of the EU until spring 2019 at the earliest, and in any case the expectation is that EU law will be incorporated into UK law ‘en-bloc’ before Brexit occurs.

Companies can already be fined for breaches of existing UK data protection laws, but under the GDPR regime the penalties could be much more severe. Organisations that fail to comply with their obligations could be fined up to €20 million or 4% of their total worldwide annual turnover, whichever is higher.
