GDPR comes into effect on the 25th of May 2018 and many organisations have been busy preparing.
From May onwards, it will be a legal requirement for any organisation that processes the personal data of people in the EU to comply with the regulation, or face a fine of up to €20 million or 4% of the organisation’s global annual turnover (whichever is the larger amount). So it’s safe to say, you don’t want to get this wrong!
To make the rules more digestible, GDPR can be broken down into six areas where data must be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary for those purposes (data minimisation)
- Accurate and kept up to date
- Retained for no longer than necessary
- Protected with adequate security measures
The Information Commissioner’s Office (ICO), which enforces GDPR in the UK, has set up an advice helpline for small organisations. However, if you don’t feel like calling the ICO, this article should help explain GDPR and how it impacts small and medium organisations, with our four top tips.
- It applies to all businesses, even small ones
You may have heard that GDPR only applies to the big boys, as the EU wants to make an example of them. Sadly, this is not the case: GDPR applies to any and every organisation that processes personal data, whatever its size.
However, there are some differences in the records organisations must keep, depending on their size. Organisations with fewer than 250 employees only need to keep records of processing activities where the processing is likely to risk an individual’s rights and freedoms, is not occasional, or involves sensitive (special category) data or criminal conviction data. Organisations with 250 or more employees must keep full records of all their processing, including much more detail such as international transfers and the security measures that are in place.
- Changes to consent
GDPR is much more than updating privacy policy documents. Where you rely on consent, it must be freely given, specific, informed and unambiguous, given by a clear affirmative action (pre-ticked boxes and silence do not count), and as easy to withdraw as it was to give. It’s imperative to be open and honest about how you will use and store data. Alongside this, information on who will be able to access the data and how long it will be stored for needs to be easily accessible to the people it concerns.
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Train your employees
Small organisations are not likely to have a GDPR consultant and may be extremely busy in the build-up to GDPR implementation. However, as mentioned above, just because you are a small organisation it does not mean you are exempt.
It’s important to set some time aside to prepare for the new rules. Take time to read up and ensure all of the steps outlined above are implemented into your company’s strategy.
- Don’t panic
There have been a lot of scare stories on the topic of GDPR, with lines such as ‘delete your database and start again.’
This is probably one of the most debated topics for recruitment companies in the run up to GDPR coming into effect – but it’s not true.
Consent is only one of six lawful bases for processing personal data under GDPR; for a recruitment database, legitimate interests (or the steps needed to enter into a contract with a candidate) will often be the appropriate basis, provided you tell people what you are doing and give them an easy way to object. Explicit consent, where only an actual ‘opt in’ will suffice, is required for processing sensitive (special category) personal data such as health, ethnicity or trade union membership. Unless you are holding that kind of data, a documented lawful basis for your existing contacts will allow you to keep your database alive and in one piece.
Here at Dovetail Group Recruitment, we have updated our privacy policy to ensure that all data handling and recruitment processes are in line with the new regulations. To find out more, please email us on [email protected].