I spotted David Whincup's comments on Recruiter today and whilst he's absolutely right that the underlying principles of the new GDPR are not wildly different to the older DPA rules, how many recruitment businesses already take all reasonable precautions to achieve the outgoing DPA objectives?
In my experience, very few indeed... And that's the point.
This is not about a massive change in the rules, more about the importance of taking them seriously. In my experience, I would suggest that most recruiters didn't put DPA compliance high on the priority list - presumably because the quantum of risk was, let's be honest, low. With the risks under GDPR suddenly amplified exponentially in terms of penalties, recruitment businesses will start paying more attention to how they use personal data.
“While the GDPR will impose considerable administrative and technical burdens on recruitment companies by virtue of the sheer volume of personal data they are likely to hold, it will not much affect the broad principles underlying the existing data protection legislation – the protection of the individual’s data, rights of access to it and information about it, and the collection of no more of it (and its retention for no longer) than is properly required for the purpose for which it is held, etc. A recruitment business, which already takes successfully all reasonable precautions to achieve those objectives, will certainly need to revamp its contractual documentation with candidates, end-users and third-party data processing partners in line with the GDPR, but should not fear the sort of huge fines referred to in the press for minor slips ...”