Those 4 letters – they seem to be everywhere we look! The deadline is fast approaching and at Scout HQ we are getting our ducks in line in preparation. To be honest, there is such a massive mix of information out there at the moment and although lots of people have an opinion, it is a bit of a minefield as to what exactly is best to do and the exact wording that should be used. But it can’t be ignored and action must be taken. We have been asked by a number of Clients and peers in the industry what we are planning to do, so felt a blog coming on!
Last week we sent out an email to our lovely Clients asking permission to keep their details on our database (amazingly high response and all positive so far – hurrah and thank you so much for your continued support everyone 🙂).
We are just about to start sending out emails to all of our Candidates asking for their permission to keep their details on our database as well. This is a much bigger task, as you can well imagine, and will probably take the rest of the month to get through. So if you are one of our Candidates reading this and haven’t got an email yet, please bear with us.
We have opted to go for full informed consent for all of the people we hold data on. This will be requested every 12 months, and their data will be deleted if they don’t give us permission. We are also amending our Terms and Conditions at the end of our email signatures, on our website and when we post up a job, to make it completely clear that we will be holding information on a person if they become a Client or Candidate of ours.
There are a number of rights that need to be taken into account and respected when complying with GDPR from our perspective and we have summarised them below:
Right to be informed
The most obvious one – if you hold a person’s data they need to know about it and be reminded about it within a reasonable time frame. We have been advised 1 year is a reasonable amount of time before we will ask again.
Right to request information held
At any point, anyone you hold data for is able to ask for a copy of this data. In our case, this is anything from their CV to all of the email and note correspondence we have about them on our database. We have 30 days to respond to this request.
Right to rectification
If a person’s data has changed or they want to add or amend any details, then they need to have the ability to do this. This should be done ASAP.
Right to erase
If a person would like us to delete their details from our system then we need to respect their wishes. Again, we have 30 days to complete this. The only reason for us not to is if the person is being investigated for criminal activity and the data is to be used as evidence.
Data protection and security
As a professional company holding people’s personal and possibly sensitive information, we need to ensure that this data is held securely and protected against someone accessing it without permission. Although data held online is never 100% safe from hackers of course, we have a 2-step verification password data system that has to involve our mobile phones as well, and password-protected laptops. It is our company policy that we can’t leave laptops open and unlocked if we step away from them, and we don’t hold anything in hard copy, apart from our physical notebooks, which we have to legally keep for 3 years.
Hopefully this helps and although we are by no means experts in UK law, we are at least making the effort to embrace keeping data safe and controlled.