The General Data Protection Regulation (GDPR) will come into effect across the EU on 25 May 2018. Post-Brexit the GDPR will continue to apply to any organisation based outside the EU that provides services within the EU.<\/p>\n
So what are the most important changes?<\/p>\n
The definition of personal data<\/strong><\/p>\n Personal data is any data which relates to or identifies a living person. The GDPR will expand the definition of personal data to include both location data and biometric data.<\/p>\n The rights for individuals<\/strong><\/p>\n The GDPR will enhance the control an individual has over their personal data. Organisations will have to have the individual\u2019s express consent to process their data unless they can rely on an alternative legal basis (see below). Express consent means consent which is actively and freely given (no opt out boxes).<\/p>\n Additional rights for individuals include:<\/strong><\/p>\n The right to withdraw consent\u00a0 The right to request that any incorrect personal data is corrected (rectification)\u00a0 The right to request that their personal data is erased (the right \u2018to be forgotten\u2019) The right to data portability<\/p>\n The obligations on organisations<\/strong><\/p>\n The GDPR will also impose new obligations on organisations:<\/p>\n Organisations will need express consent to be able to process data. They will no longer be able to rely on pre-ticked or opt-out boxes. However organisations may also be able to rely on \u2018legitimate interests\u2019 and \u2018necessary for the performance of a contract\u2019 to process data, but these must be used only where appropriate. For recruiters, legitimate interest could be used to provide work-finding services generally but express consent would be required to transfer personal data to another party, such as an umbrella company. Some organisations will have to appoint a data protection officer (DPO) because of the nature and volume of personal data that they collect, eg significant amounts of sensitive personal data or because they are a public authority. Under the existing Data Protection Act individuals have the right to make a subject access request (SAR) to find out what data an organisation holds on them. Organisations can currently charge up to \u00a310 per SAR and must respond within 40 days. However under the GDPR, organisations will no longer be able to charge for a SAR except where the individual makes repeated or unfounded SARs. They will also have to respond within one month, though this can be extended to two months where the request is particularly complex.\u00a0 Organisations will have to adhere to the accountability principle which means they will have to show how they are complying with the GDPR, ie that they have appropriate processes in place to inform individuals of their rights, manage requests to withdraw consent, or rectify or delete data when requested.\u00a0 The GDPR allows member states to apply appropriate sanctions for non-compliance including fines of up to 20 million Euros or four per cent of annual worldwide turnover (whichever is the highest) for the most serious breaches.<\/p>\n How the REC can help<\/strong><\/p>\n The REC legal team have created a GDPR FAQ section and factsheet\u00a0for members on our legal guide. The REC have also engaged with the Information Commissioner\u2019s Office to develop recruitment specific guidance. We will continue to support members so that they are well prepared for the changes ahead.<\/p>\n","protected":false},"excerpt":{"rendered":" The General Data Protection Regulation (GDPR) will come into effect across the EU on 25 May 2018. Post-Brexit the GDPR will continue to apply to any organisation based outside the EU that provides services within the EU. So what are the most important changes? The definition of personal data Personal data is any data which …<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[10],"tags":[],"class_list":["post-417","post","type-post","status-publish","format-standard","hentry","category-news"],"acf":[],"yoast_head":"\n