Recruitment businesses and executive search firms assessing the impact of the GDPR should take note of the statement of intent in respect of the new Data Protection Bill, published yesterday by the Department for Digital, Culture, Media & Sport: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/635900/2017-08-07_DP_Bill_-_Statement_of_Intent.pdf
The statement of intent, dated 7th August, sets out how the GDPR will look when it is brought into British law. Essentially it is the GDPR lock, stock and barrel, with some UK additions.
ICO to have increased powers
The proposal is that the ICO is given increased powers to be a “tough regulator”. As if the fines associated with the GDPR were not enough, the Bill proposes that in some newly defined circumstances it could also result in a criminal prosecution. This is indeed tough talk that from 25th May could translate into tough action.
Impact of the UK version of the GDPR on recruitment
The statement was published whilst I was at a meeting with the owner of a medium-sized recruitment business. We were discussing the GDPR and the requirements around data subject access requests. He asked me, “Where would a business stand under the GDPR if they amended or deleted data after a candidate requests to see his/her data? After all,” he continued, “we know that some recruiters will do that, don’t we? Many recruiters will not want people to see what they are actually holding on them.” To be clear, he was not advocating this as an approach but was wondering what powers there would be to stop people doing this.
New proposal to introduce a criminal offence under the UK GDPR
The UK government have helped answer this question today by stating that the intention under the bill is to make this practice a criminal offence with an unlimited fine.
“In particular, we will:
○ Create a new offence of altering records with intent to prevent disclosure following a subject access request… The scope of the offence would apply not only to public authorities, but to all data controllers and processors. The maximum penalty would be an unlimited fine in England and Wales or a Level 5 fine in Scotland and Northern Ireland”
Additionally, just in case anyone thought that no-one within your organisation will notice or care and that you can keep the practice quiet in your business, there is a new proposed guaranteed protection for whistleblowers.
“The important role of journalists and whistleblowers in holding organisations to account and underpinning our free press will be protected by exemptions.” (See page 10 of the statement.)
So, recruiters will no longer be thinking of relying on retrospectively amending records in order to get out of a tricky situation when they receive a data subject access request after 25th May, will they?
What should recruitment businesses do to prepare for the GDPR?
Many recruiters are all too aware that they are holding data that they would be uncomfortable showing to a candidate who requests to see it. So, what is the solution? Audit your data. Embark on a clean-up exercise. Ensure that your processes and policies are in line with the GDPR. Educate and train your staff.
There are only 170 working days left to get your house in order before the new rules are enforced from 25th May 2018.
About the Author
Helen Haddon is the founder of ComplyGDPR. The sole focus of ComplyGDPR is assisting businesses in the recruitment sector to understand and prepare for the changes required by the GDPR. ComplyGDPR are working with CMS Cameron McKenna Nabarro Olswang LLP.