What is GDPR and why is it so important to follow
Updated: Apr 28
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. This article will explain what GDPR is, what is involved and what the consequences are if not followed.
GDPR is a mandatory regulation for companies handling European data. GDPR signals Europe's hard stance on data privacy and security at a time when more individuals are committing their personal data to cloud services and data breaches are becoming more common. GDPR compliance can be a scary concept, especially for small and medium-sized businesses (SMEs), because the law is broad, far-reaching, and lacking in specifics.
Even if you're not in the EU, the GDPR applies to you if you process the personal data of EU citizens or residents, or if you offer products or services to them. The penalties for breaking the GDPR are extremely harsh. There are two levels of fines, the highest of which is €20 million or 4% of global sales (whichever is greater), plus data subjects have the right to seek damages compensation.
Key GDPR definitions:
Personal data is any information that can be used to identify an individual, either directly or indirectly. Personal information such as names and email addresses is obvious. But personal data can also include things like ethnicity, gender, biometric data, religious convictions, web cookies, and political attitudes. If it's straightforward to identify someone from pseudonymous material, it can also be included in the definition.
Any action performed on data, whether automatic or manual, is referred to as data processing. Collecting, recording, arranging, organising, storing, using, erasing... virtually anything.
The individual whose data is being processed is known as the data subject. These are your site visitors or customers.
The person who decides why and how personal data will be processed is known as the data controller. This is you if you're a data-handling owner or employee in your company.
A third party that processes personal data on behalf of a data controller is known as a data processor. For these individuals and organisations, the GDPR has specific rules. Cloud servers like Tresorit or email service providers like ProtonMail could be among them.
The GDPR sets out seven key principles. These are:
Lawfulness, fairness and transparency - Processing must be legal, fair, and transparent to the data subject.
Purpose limitation - When you gather data, you must process it for the legitimate objectives you told the data subject about when you collected it.
Data minimisation - You should only collect and analyse as much data as is strictly necessary for the stated purposes.
Accuracy - All personal information must be correct and up to date.
Storage limitation - You may only keep personally identifying information for as long as it is required for the stated purpose.
Integrity and confidentiality (security) - Processing must be done in a way that ensures the security, integrity, and confidentiality of the data (e.g. by using encryption).
Accountability - All of these principles must be demonstrated by the data controller in order to establish GDPR compliance.
Examples of GDPR consequences
Since the GDPR took effect in 2018, we have seen over 800 fines across the European Economic Area and the UK. In 2021 GDPR fines nearly hit €1 billion, with Amazon being the biggest, facing an enormous fine of €746 million. Other established companies that have faced astonishing GDPR fines are Google (€50 million), H&M (€35 million), British Airways (€22 million) and many more.
WhatsApp was another firm that faced a large fine in 2021: on the 20th of August 2021 the Irish data regulator, the Data Protection Commission (DPC), fined WhatsApp a record €225 million for a series of cross-border data protection infringements under the General Data Protection Regulation (GDPR). Ireland claimed that the messaging service's privacy notice failed to appropriately clarify its data processing procedure and to explain its legal basis ("legitimate interests") for some of that processing. To avoid the penalties, WhatsApp should have published privacy information in an easily accessible format and in a language that its users could comprehend. If you're going to rely on "legitimate interests," make sure you describe what those interests are for each processing step.
How does VettingGateway ensure GDPR compliance when reference checking?
As a processor, VettingGateway complies with all the obligations laid out within the GDPR. This includes only processing data on the instruction of a controller, and implementing appropriate technical and organisational measures to ensure the security of personal data.
VettingGateway supports the right to data portability and the right to be forgotten by letting users opt in and out. Users are also able to request their data within the applicant portal.
It is important to remember that whenever you are starting a reference check, you must get consent from the candidate and make them aware of every type of background check you intend to run. If they do not consent to any of these checks, you would be within your rights to terminate their application, since the checks are a requirement of the recruitment process. You should, however, ensure that you are only running the number of checks required for the role, so that the processing remains within your legitimate interest.
VettingGateway is a fully GDPR-compliant vetting tool, so if you are looking for an easy-to-use online background checking system, get in contact with our team to learn more, or sign up for a free seat licence and three free reference checks today.
The information provided by VettingGateway in this blog was published on 25/01/2022. All information was relevant at the time of publishing; however, as our landscape is forever changing, this information may not remain valid.