The Nasstarian

Data Protection or How to save €20 million

In opinion, recruitment / By Guy Deterding / 30 August 2016

Are you worried about the new Data Protection Regulations? Perhaps you should be.

The new EU regulations were approved in April, and will come into force in May 2018. This may seem like a long time, but by then recruitment agencies will need to have specific consent from every candidate on their database, or remove them.

How many candidates are on your database? How long will it take to get consent? How easy is it to remove those whose consent you don’t have? The other challenge will be that any candidate can ask you to remove their data, at no charge.

The penalty for not doing this could be up to €20 million, or 4 % of turnover, whichever is higher.

On speaking to people across the recruitment industry on the subject, I have had a number of responses, including:

  • It’s a long way off – 21 months at the time of writing. How long will it take to gain consent from the thousands of candidates you hold? If you start requesting it now as part of standard on-boarding, then at least you will have nearly 2 years of candidates who meet the requirement.

  • We will no longer be in the EU – at the rate we are going, we will probably still be part of the EU. Even if not, these regulations will apply in any EU country you do business in.

  • It doesn’t apply to contractors – it applies to any data subject you hold personal details on, so it does include contractors.

  • I already have consent – consent needs to be a specific, informed and unambiguous indication of the subject’s wishes. I’d be surprised if what you have now ticks all these boxes.

  • These regulations have no teeth – this has been true in the past but is no longer so. The maximum fine is €20 million, or 4 % of turnover, so the downsides are significant to any size of organisation.

N.B. This also applies to your employees, so it’s worth reviewing, and tuning up, your employment contracts at the same time!

Suggested steps would be to ensure that your Data Protection Officer (and you will need one if you sell goods or services to EU citizens) understands the requirement, and has a plan to deal with these challenges in plenty of time.

Change will not be easy, particularly where large numbers of data subjects are concerned, so the earlier you start the better.

For more information, please email me directly.

Guy Deterding
