Retail Appointment, November 2017 (Digital Edition), page 7
protection regulation
On the 25th May 2018 new rules come into force for how all businesses hold data on people. The rules will be far reaching and are designed to bring the whole of the EU into line with other countries, such as Canada and Australia, which already have these standards in force. This EU directive is directly applicable, which means that no UK legislation is necessary. Yes, this is an EU law and we are still in the EU. It is widely expected that, assuming Brexit goes ahead, the UK will retain these rules in full.
Why?

There have been some very high profile breaches of data in recent years, one of the biggest being the TalkTalk/Carphone Warehouse breach a couple of years ago. My own details, I discovered recently, were stored by this company from when I bought my first carphone in 1989. I certainly didn't mind and there were no problems. However, retaining data for this length of time without permission is soon to be outlawed.

Data breaches are still likely to occur even though organisations that hold data will have to show that they have done everything realistically possible to stop them. Data breaches would be far less serious if unnecessary data were not retained.
Consequences

As the rules will be new, it will be some time before case law develops to show how the courts are going to interpret them. However, it would be very unwise for organisations to ignore them, as the fines for non-compliance are up to 20m euros or 4% of global turnover.
These rules will have serious consequences for the recruitment industry and also for recruitment departments which hold data on job applicants for potential future use. This data can still be retained, but employers and agencies will have to obtain permission from the candidates to retain their details. In many cases such consent will be implied. For example, if I send my CV to ABC plc for a job as a store manager, I would clearly have consented for ABC to retain my details during the recruitment process. I would clearly not have given them permission to keep it forever. So, if ABC keeps my details, say for a year, and then contacts me again, it is arguable that under the new rules it has retained my data for too long. For sure, if ABC passes my details to another company, even within the same group, it is in breach.
So what should employers and agencies do?

One of the principal requirements will be to appoint a data protection officer within the organisation. In large companies this role probably already exists, but it might be wise for HR departments to have their own. Agencies will normally appoint their IT people or a senior director to assume this role.
The data currently being held should be reviewed and, if there is no good reason for retaining it, it should be deleted. For the data that they wish to hold, the organisation should assess whether or not that person has consented for it to be held. Again, there are going to be grey areas. If all the details that are held are published on LinkedIn, then it could be argued that this information is already in the public domain — so, no problem. But what if that candidate was interviewed and rejected? If the interviewer's notes are held with the CV, this information may not be in the public domain and the organisation must assess for how long that information could be retained.
Automated selection or rejection will not be allowed. There has to be some human intervention in the process. So, killer questions on a recruitment website that automatically reject applications will no longer be viable. Similarly, no automated or predetermined tick boxes will be allowed for marketing purposes. Individuals must have the free choice to do this themselves. Some automated decisions will be allowed, but these are largely going to be where authorised by law for purposes of fraud prevention.
The biggest problems for organisations will occur when data is breached; that is to say, the data is made public either by accident or by hacking. The organisation will have to show that the data they were holding was reasonable. If a CV had been submitted by an agency to a client, then the details of that candidate should only be retained for the period that the CV was under consideration. Clearly, the agency would not have given permission for it to be retained any longer, and in many cases will expressly forbid it. Therefore, recruitment agencies and consultants will undoubtedly have to review their terms and conditions.
It would be unlikely that an individual could claim damages against an employer or agency unless they could prove that they had suffered some sort of loss, for example if the retained data assisted a criminal with identity theft. Therefore, employers and agencies should be very careful about retaining NI numbers and even dates of birth.
Advice

1. Take this issue seriously and, if you are not clear, take proper advice.
2. Appoint a data protection officer as soon as possible.
3. Review all the data you currently hold and assess: a) do you need it? If not, delete it; b) would the owner of those details (the candidate) believe they have consented? If not, you should either obtain that permission or delete it.
4. Think about how much you need to hold. Dates of birth are not necessary and, if you have retained passport details or NI numbers, set up a system where these delete themselves after a reasonable period.
5. Recruitment agencies should include in their terms and conditions that CVs submitted should not be retained by the client any longer than necessary for the purposes of processing for a particular job without the written consent of the agency, and in any event no longer than six months.
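Points 3 to 5 describe a retention sweep: decide per record whether a lawful reason to keep the CV remains, and expire the sensitive fields (NI number, passport details, date of birth) on their own clock. The following is an added illustration of such a sweep in Python; it is not code from the article or from Retail Human Resources plc. The record shape, field names, the 30-day window for NI and passport details, the 90-day grace period after a closed direct application and the review date are assumptions chosen for the example; the six-month cap for agency CVs comes from point 5, and the zero-day window for dates of birth from point 4. The candidate records are constructed sample data.

```python
# Added example (not from the article): a field-level retention sweep for
# candidate records, following advice points 3 to 5. Record shape, field
# names and most retention periods are assumptions chosen for illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed retention windows, counted from the candidate's last contact.
# Date of birth gets zero days because the article says it is not necessary.
SENSITIVE_FIELD_RETENTION = {
    "ni_number": timedelta(days=30),
    "passport_details": timedelta(days=30),
    "date_of_birth": timedelta(days=0),
}
AGENCY_CV_CAP = timedelta(days=182)   # point 5: "in any event no longer than six months"
DIRECT_CV_GRACE = timedelta(days=90)  # assumed window after a direct application closes
REVIEW_DATE = date(2018, 6, 25)       # constructed date for the sample run


@dataclass
class Candidate:
    candidate_id: str
    source: str                           # "direct" or "agency"
    last_contact: date                    # last interaction with the recruitment process
    application_open: bool
    talent_pool_consent: bool = False     # explicit consent to keep the CV on file
    agency_written_consent: bool = False  # written consent from the submitting agency
    fields: dict = field(default_factory=dict)


def should_delete_record(c: Candidate, today: date) -> bool:
    """Whole-record decision: delete once no lawful reason to keep the CV remains."""
    age = today - c.last_contact
    if c.source == "agency":
        if age > AGENCY_CV_CAP:
            return True  # six-month cap applies regardless of consent
        return not c.application_open and not c.agency_written_consent
    if c.application_open or c.talent_pool_consent:
        return False
    return age > DIRECT_CV_GRACE  # implied consent covers the process, not forever


def purge_expired_fields(c: Candidate, today: date) -> list:
    """Remove sensitive fields whose window has elapsed; returns the names removed."""
    removed = []
    for name, keep_for in SENSITIVE_FIELD_RETENTION.items():
        if name in c.fields and today - c.last_contact >= keep_for:
            del c.fields[name]
            removed.append(name)
    return removed


def run_retention(candidates: list, today: date) -> tuple:
    """Apply both rules; returns (surviving records, report of what was removed)."""
    survivors, report = [], {"deleted": [], "fields_removed": {}}
    for c in candidates:
        if should_delete_record(c, today):
            report["deleted"].append(c.candidate_id)
            continue
        removed = purge_expired_fields(c, today)
        if removed:
            report["fields_removed"][c.candidate_id] = removed
        survivors.append(c)
    return survivors, report


def sample_candidates() -> list:
    """Constructed sample records, not real candidates."""
    return [
        Candidate("A", "direct", date(2018, 6, 20), True,
                  fields={"name": "A. Applicant", "ni_number": "QQ123456C",
                          "date_of_birth": "1970-01-01"}),
        Candidate("B", "direct", date(2018, 2, 1), False,
                  fields={"ni_number": "QQ654321A"}),
        Candidate("C", "agency", date(2018, 1, 10), False, agency_written_consent=True,
                  fields={"passport_details": "constructed-passport-001"}),
        Candidate("D", "agency", date(2017, 12, 1), True, agency_written_consent=True),
        Candidate("E", "direct", date(2017, 9, 1), False, talent_pool_consent=True),
    ]


def demo() -> dict:
    """Run the sweep over the sample data and return the report."""
    _, report = run_retention(sample_candidates(), REVIEW_DATE)
    return report


if __name__ == "__main__":
    print(demo())
```

On the sample data the sweep deletes B (closed direct application, no consent, past the grace window) and D (agency CV older than six months even though the application is still open), strips the date of birth from A immediately and the passport details from C after 30 days, and leaves E because the candidate gave explicit consent. The report it returns is what a data protection officer would want logged from each run: which records went and which fields were expired, without the values themselves.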
Mark Flesch
Director, Retail Human Resources plc