I spotted David Whincup's comments on Recruiter today, and whilst he's absolutely right that the underlying principles of the new GDPR are not wildly different to the older DPA rules, how many recruitment businesses already take all reasonable precautions to achieve the outgoing DPA objectives?

In my experience, very few indeed... And that's the point.

This is not about a massive change in the rules, more about the importance of taking them seriously. In my experience, I would suggest that most recruiters didn't put DPA compliance high on the priority list - presumably because the quantum of risk was, let's be honest, low. With the risks under GDPR suddenly amplified exponentially in terms of penalties, recruitment businesses will start paying more attention to how they use personal data.