What is the GDPR?
GDPR stands for the General Data Protection Regulation (1). It is a regulation passed by the European Union with the intention of standardising and strengthening data protection across the EU (2). The regulation became enforceable on 25th May 2018. Because it is a regulation and not a directive, national governments need not pass enabling legislation; instead, after a 2 year transition period, it becomes directly enforceable across the EU.
Why Is Data Protection Important?
In the modern era, organisations of all types (governments, NGOs, private businesses, etc.) collect data on partners, clients, employees, etc. not in a paper filing system but on digital databases accessible via the internet. The data stored can have sensitive information such as names, addresses, contact information, employment history, medical information, etc.
This sensitive data, when used responsibly and correctly, can be very useful and make organisations more efficient. But digital data also carries risks and dangers, such as:
- The data getting into the hands of people who may use the information with ill intent
- The stored data may contain information about persons that is not fair or accurate, and such inaccurate information can be shared and spread very quickly, which can lead to unfavourable outcomes
- Digital data can be easily copied and shared, unlike paper records, where more steps need to be taken
What Laws Exist Already for Data Protection?
The GDPR replaces the EU Data Protection Directive of 1995, which states that personal data may not be processed at all unless three categories of conditions are met: transparency, legitimate purpose and proportionality (3). Transparency conditions generally stipulate that the data subject has given their consent and that the reasons behind the data collection are clear. Legitimate purpose conditions stipulate that the data must be used for lawful, useful and well-intentioned purposes. Proportionality conditions stipulate that only the relevant data is collected, and that it is kept only for as long as it is needed.
You can access the official information about the Data Protection Directive here (available in all EU languages) (4).
How Does the GDPR Build on Existing Legislation?
The GDPR goes above and beyond the 1995 directive, adding more protections, and widening the geographical scope of the protections (5). The key changes are:
- Widened geographical applicability: Perhaps the biggest difference in the GDPR compared to the previous directive is that the protections will affect all organisations that process data of persons living in the EU, irrespective of the organisation’s location.
- Penalties: An organisation that breaks the GDPR will have to pay much larger fines for its breaches. The fines can be as much as 4% of their annual revenue or €20 million, whichever is greater.
- Consent: Giving consent, as well as withdrawing or declining consent, must be easy and accessible for data subjects. Previously, organisations would use lengthy terms & conditions documents in order to obtain people’s consent; this will no longer be allowed.
- Breach Notification: If a data breach occurs, it must be notified within 72 hours.
- Right to Access: Data subjects will have the right to access and view their personal data held by any organisation, free of charge, in an electronic format.
- Right to be forgotten: The data subject will have the right for all of their personal data to be erased, and further dissemination of the data must be stopped.
- Data Portability: Data subjects may demand their personal data in a ‘commonly used and machine-readable format’ and may transmit this data to another organisation.
- Privacy by Design: This concept means that systems and processes in an organisation are created and shaped at conception to be compliant with the GDPR, as opposed to various measures being added reactively, in an ad hoc manner, to achieve compliance.
You can read more details about the key changes here: https://www.eugdpr.org/key-changes.html
Blue Lynx is a GDPR-Compliant Recruitment Agency
As a recruitment and HR services company, Blue Lynx receives a lot of data in the form of CVs, employment contracts, etc. Blue Lynx has already taken many measures to ensure the safety and privacy of all individuals who interact with us, and so many of these added rulings will not require us to implement changes.
What Does the GDPR Mean for Job Seekers?
The GDPR means that we all, as citizens of the EU, will receive better protection, which is something Blue Lynx is pleased about. Job seekers will now have better control over what type of personal data agencies store and process. We are taking steps to ensure that we are in line with the new rulings ahead of time, as we believe in the importance placed on privacy and security by the GDPR. So you can be assured that your data is safe with Blue Lynx when you register as a job seeker.
- EU GDPR website: https://www.eugdpr.org/
- GDPR on Wikipedia: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
- Data Protection Directive on Wikipedia: https://en.wikipedia.org/wiki/Data_Protection_Directive
- Data Protection Directive summary: http://eur-lex.europa.eu/summary/en/LEGISSUM:l14012?celex=CELEX:31995L0046
- EU GDPR Key Changes: https://www.eugdpr.org/key-changes.html