Christmas Day 2017 marks exactly five months before the General Data Protection Regulation (GDPR) is effective throughout the European Union. The UK Government has made clear that irrespective of Brexit, the UK will be bound by GDPR from 25 May 2018, and the Data Protection Bill currently working its way through Parliament will ensure that the same rules apply in the UK after Brexit.
With five months to go, many businesses, including ones that handle considerable amounts of personal data, such as those in the recruitment sector, have yet to take the initial steps towards seeking to comply with GDPR.
Businesses should be asking: what personal data do we hold? Where do we hold it, how do we collect it, what do we do with it, who do we share it with, and where do we send it and store it? If someone asked what data of theirs we hold, would we know what to do, how we would find it, and how to reply within a month of the request?
New rules - in part replicating the existing Privacy and Electronic Communications Regulations, or PECR - around direct marketing were also due to come into force at the same time as GDPR. This now looks unlikely to happen then, but the new rules will come into force in due course. Being prepared for the enhanced level of consent required for direct marketing will be key to keeping your database useful. When these new rules do come into effect, for many businesses the so-called 'soft opt-in' will allow them to send direct marketing emails to their customers, but to benefit from that they will have to have collected email contact details in the course of a sale of goods or services. In most recruitment businesses that criterion will not apply to candidates, so getting their consent to receive marketing materials is essential. And consent is no longer via a pre-ticked box, or an assumption that if they visit your site they must want to hear from you.
The other area for businesses to consider is whether they need to appoint a Data Protection Officer (or DPO). A DPO is a senior appointment. The role is akin to a senior internal auditor, or even a non-exec director: it will be someone who both understands data protection law and practice, and who is able to raise difficult issues with the Board. Article 37 of GDPR sets out when an organisation needs to appoint a DPO. Article 37(1)(b) provides that a DPO is required in circumstances "where the core activities of the controller consist of processing operations which require regular and systematic monitoring of data subjects on a large scale". Unhelpfully, GDPR gives no real indication of what that actually means. Instead, the EU's specialist committee (the Article 29 Working Party, or WP29) has issued Guidelines on what "core activities" means. One example given is that of a hospital: whilst the core activity of a hospital is to provide healthcare, it could not do so safely and effectively without processing health data, such as patients' health records. "Therefore, processing these data [i.e. patients' health records] should be considered to be one of any hospital's core activities and hospitals must therefore designate DPOs." Conversely, "all organisations carry out certain activities, for example, paying their employees… Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activities."
The second half of Article 37(1)(b) needs attention too: is the business undertaking activities which require regular and systematic monitoring of data subjects on a large scale? Again, this is something the GDPR doesn’t clearly define.
Recruitment businesses' "core activities" meet the first test for requiring a DPO, but recruitment businesses do not necessarily meet the second test: they do not all undertake activities which require regular and systematic monitoring of data subjects on a large scale. If your business does, you probably need to appoint a DPO; if you want to be safe, appoint one anyway. But if your recruitment business does not engage in regular and systematic monitoring of candidates, you do not need to engage a DPO.
Either way, unless it is obvious that you do or do not need to appoint a DPO, WP29 recommends that controllers document the internal analysis carried out to determine the outcome, in order to demonstrate that the relevant factors have been taken into account properly.