The GDPR countdown

3 minutes to read

The General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and our journey towards compliance is well underway. This article is intended to be an early update for anyone interested in our approach to the GDPR, but in particular for all of the recruiters who share data with us each week so that we can pay and employ their contractors.

The GDPR protects each of us as individuals, because it stops companies using our personal data in a way that we’re unhappy with, or didn’t even know about. It also puts a responsibility on these companies to keep any data they hold about us up-to-date and secure.

Speaking from our perspective at Key, these principles fall very much in line with our own values on how customers should be treated. We hold a significant amount of personal data about people who are currently employed by Key Portfolio or who were in the past, as well as those who considered joining at some point. We take our responsibility to these individuals seriously.

What we’ve done so far

Our first step was to audit the personal data that we hold across our business. This involved listing all the different types of data we collect or have collected in the past – including email addresses, National Insurance numbers and copies of ID – and identifying where it came from. For example, if we have a person’s contact details we may have got them directly from the individual when they joined Key Portfolio or they may have been passed to us by a recruiter when they recommended us to their candidate.

This stage of our audit is complete and we’re now in the process of documenting how we use each piece of information, so that we can determine what lawful basis we have for processing it. To give you an idea – at one end of the scale, we can pass an employee’s address onto our pension provider for the purposes of auto-enrolment because we have a legal obligation to do so. And at the other end of the scale, our ability to use a person’s email address to serve them targeted adverts on social media is only okay if we have their consent. It’s important that we fully understand these differences before we proceed.

What’s next?

Our audit will be complete by the end of this year. Then, our next steps will be to review where and how we need to change our processes and policies to ensure we are fully compliant with the new regulation by May 2018. This will include making sure that where we share data with you, such as for payroll purposes or referring candidates to our service, it’s done with the candidate’s knowledge and that an audit trail is in place to support this.

Among other changes, we expect our review to result in the release of an updated privacy notice and the addition of more transparent wording on our forms to explain exactly how we will use any data submitted to us.

We anticipate that this article will be followed by a more detailed update as we approach implementation, and we’ll certainly consult with you in plenty of time about anything that we need to start doing differently.

In the meantime, if you need anything specific from us in relation to the GDPR, just let us know. Or if you have any plans of your own that you think might affect the way we work together, we’d appreciate a heads up about that too.