David Allison reviews the challenges of new data rules for businesses and training providers
GetMyFirstJob, like many other organisations across UK and Europe, are working through the necessary steps for implementation of the new data law, GDPR*. It’s been fascinating to watch the way in which the issues are being raised and communicated across industries and the media, and the lack of clarity that exists in many quarters. It was intriguing that the ICO** themselves only published guidance on some fundamental points in the final days before Christmas.
The result of these two factors has led to confusion – and incorrect advice in some cases. I was on a call with one of our customers discussing their approach to GDPR and careers advice when their external GDPR ‘consultant’ started quoting information that was totally incorrect – we were fortunate enough to be able to help, provide the correct guidance and factual clarity. With fines of up to €20 million or 4% of annual global turnover, this has significant implications if it is not implemented correctly.
As we are working through the issues with many customers as well as our own in-house teams, it’s increasingly clear that GDPR is not that complicated, but does require some strong business disciplines with appropriate systems to ensure compliance. For most providers and colleges ensuring their core business meets GDPR requirements should not be difficult. In many ways, one of their core competencies is compliance – Ofsted and the ESFA have long since installed in all of us in the sector the need for clear rules, good records and standardisation.
It's when you move outside the core areas that compliance can be more challenging. We’re obviously very focused on the acquisition, storage and use of candidate data. For organisations that have a strong central system that follow the main points of GDPR, this should not be a problem:
- Clear statements, written with young people in mind, that explain what data is stored, for how long and for what use.
- The ability to access their portable digital file – with all information in it – in a straightforward and timely way.
- The right to anonymity – the ability to ensure that all data held about them for processing is removed or made anonymous
To help our customers, we’ve identified a few common pitfalls:
- The transfer of data from one system to another without consent. Candidates applying via one site, and then being re-keyed/imported into a second without explicit consent
- The use of excel spreadsheets to store and search for candidate data in a way that you can’t comply with (2) or (3) above, and can’t prove how consent was gained for (1)
- The transfer of candidate data into SMS or email systems without permission so that you can’t address the three points above.
We’ve now invested a lot of time and energy to ensure that all our customers can continue to work with employers and candidates in a GDPR compliant way. In the coming weeks we’ll be sharing information about how we have done this as well as providing checklists to help you identify those hidden excel spreadsheets & communication platforms that would put you in breach of GDPR.
Don’t forget – we’re here to help. If you want to talk through how you could benefit from a system that will help you provide insight to employers about their future talent as well as selecting and engaging with candidates in a GDPR compliant way, please contact me at dallison@gmfj.co.uk for more information.
*GDPR - General Data Protection Regulation
**ICO - Information Commissioner's Office
