GDPR


Privacy By Design is our top priority.

Simply explained, what is GDPR?

GDPR is the acronym of the General Data Protection Regulation, a new European law which aims to unify and strengthen data protection within the European Union for all individuals. This new regulation was established by the European Commission to overhaul the current Data Protection Act 1998. Put simply, it demands more awareness, transparency and consent, under stricter criteria.

These data protection regulations undoubtedly have huge implications for business. Here is a quick guide to ensure that your company is GDPR compliant; follow the steps if you do not want to be fined up to €20 million or 4% of your global turnover.

Checklist of what needs to be done to ensure GDPR compliance

According to the Information Commissioner’s Office (ICO)’s free guide, here are 9 relevant points that you should pay attention to (not an exhaustive list):

  1. You should inform the decision makers and your employees that the law is changing to GDPR. This implies that you should also notify them about the impact of the new regulation.
  2. You should identify how you collect, store and use candidates’ data, and who you share it with, as part of the recruitment process.
    For example, when you ask a candidate to send in his CV, you are collecting personal information about him. In this situation, the candidate has to be contacted by the recruiter and given the details about the vacant job before the CV is sent. As a result, you need to provide information on:

The GDPR requires companies to be able to show how they comply with the data protection principles and so, you should document all those points.

  3. You should update your procedures and plan how you will handle requests. The new deadline is one month instead of 40 days.
  4. You should identify the lawful basis for your processing activity in the GDPR, update your privacy notice and document it. The reason is that some individuals’ rights will be modified depending on your lawful basis for processing their personal data.
  5. You should review how you seek, record and manage consent and whether you need to make any changes. Consent must be freely given, specific, informed and unambiguous. This can affect some recruitment processes, because implied consent is no longer acceptable; to become GDPR compliant, you should always wait for the candidate's explicit permission or acceptance.
  6. You should make sure you have the right procedures to detect, report and investigate a personal data breach. Your company will have direct responsibility, and the incident should be notified within 72 hours, following a notification procedure which has to be defined and documented in advance.
    Your security process also has to cover the storage of electronic documents and access to data. CVs or legal documents should, for instance, be retained in a secure place or in a secure database for a limited period.
  7. You should make “privacy by design” an express legal requirement, under the term ‘data protection by design and by default’ and, in certain circumstances, carry out a “Data Protection Impact Assessment” if data processing is likely to result in high risk to individuals.
    “Data protection by design” means that companies are encouraged to secure the data from the beginning of the process by implementing technical and organisational measures. For example, it is recommended to use pseudonymisation and encryption for data storage.
    “By default” means that companies should ensure that personal data is collected and processed with maximal privacy protection.
  8. You should designate a Data Protection Officer who takes responsibility for data protection compliance.
  9. If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.
