
Sorting through personal data for the GDPR

Andrew Forster

Recruitment Industry Specialist

The importance of personal data has been highlighted thanks to the GDPR. The new regulations mean that every business, particularly recruitment businesses, is reassessing its policies and procedures and changing the way it handles data. This is why at Access Recruitment CRM we’ve updated our legislation and brought in the experts to keep our agencies compliant. The current advice overwhelmingly states that businesses should take a look at the way they handle their data now to assess just what needs to be done. To help break this down, we’ve put together some tips and signposts on what you need to be aware of when you’re sorting through your data.

1.   Know where it is

This includes who ‘owns’ that data, who has access to it, which third parties have it and who it can be shared with. An effective way of tracking this is to create a data flow that allows you to pinpoint all the locations where personal data is being hosted, both within and outside your business. Find out at what point it enters the organisation, who touches it and where it ends. It will put you in a better position to gain visibility and increase control over the data you’re handling.

2.   Know what it is

Start to understand exactly what data you hold so you can create the correct processing activities. Once you start delving into your archives, the chances are you’ll realise you have more personal data than you thought. The new GDPR rules also require you to maintain correct records. Therefore, if some personal data is wrong, your agency will have a responsibility to update inaccuracies with any other organisations you’ve shared data with. You won’t be able to do this until you know exactly what information you’re sitting on.

3.   Know your current privacy policy

Your recruitment agency will already have a privacy policy in place that gives candidates information on how you intend to use their data. However, under the new GDPR you have to include some extra things in that privacy policy. For example, you will have to inform your candidates of your data retention periods and their rights over that data. Take a look at what your current policy states and start thinking about how you’ll have to amend it. The ICO has some great, easy-to-read information on the new data privacy codes and what you should be including.

4.   Know their rights

Currently, everyone you deal with has certain rights over their data. However, the GDPR has added a few more to the list, for example:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right not to be subject to automated decision-making

Take a look at your current procedures and data flow to understand what you do now, and start to re-imagine how you would react if someone asks for their personal data to be deleted. For example, do you know where to locate the data? How quickly can you delete it? What is the response from consultants once they’ve been asked to delete data?

5.   Know the emergency exits

Take a look at the current policy for data breaches and talk to your consultants about how they handle it. You will need to ensure you implement procedures to effectively detect, report and investigate a personal data breach. You can’t do this without first knowing what your current policy is. Knowing the types of data you hold will also help with this, as data breach reporting will depend on what exactly has occurred. Start to document where you could be required to notify the ICO if data was leaked and keep your consultants aware of their responsibilities when handling personal data.