General Data Protection Rules

We are aware of the changes to Data Protection rules as we move to the EU’s general data protection rules. Fortunately for us the changes are minimal because we have built data protection and security at the heart of our systems from the day Focus4People Ltd was formed.

Many of the requirements of GDPR have been in place and well established at Focus4People since the rules to follow were defined by the Data Protection Act 1988.

The Information Commissioner’s Office (the ICO) is the regulating authority, and we work on the basis that if the Information Commissioner is happy then we are happy, so we follow the advice detailed on the ICO website. We are impressed by their website, which presents information in a very readable form.

For example, we meet all the security requirements and more:

  1. We intentionally don’t use memory sticks, and our computers are set up to prevent them from being installed.
  2. We have separate work mobiles so our project managers don’t accidentally take personal data home.
  3. We run frequent training courses to refresh awareness of hackers and blaggers.
  4. Business continuity has been built into our system for some time now. If our server were to fail, we have failover provision.

The ICO champions “privacy by design,” which we fully endorse and which has been our mantra since the company was formed.

ICO - Privacy by design

We need to maintain data security for our respondents and our clients for business reasons, not just legal ones. Were we to ignore data security, respondents and clients would rightly go elsewhere, so we don’t just take data protection seriously, we take it to heart.

Some of the new rules don’t seem to fit the business of internet-based recruitment, for example “consent.” Why? Because no-one of sound mind would go to a website, waste their time registering for a specific purpose, and then not consent to that data being used for that purpose. That part of the rules was probably intended for things like free Wi-Fi providers who force you to register to use their Wi-Fi. In their case the personal information isn’t necessary to use the Wi-Fi, whereas we need the personal information to put someone on the right focus group. Consent is implied, especially as respondents can unregister themselves at any time, but rules are rules and we are implementing a specific request for consent.

Unlike Facebook et al, we actually don’t want respondents’ personal data, but we have to hold it to pursue our legitimate interest in providing clients with the right people. Once we no longer need it, it ceases to be useful and becomes a security vulnerability, so it is removed as soon as possible.

We are taking the opportunity to make sure our documentation is up to scratch.

In any busy business, documentation can be overlooked and soon falls out of date, and this is a good excuse to make sure we have a full set of documents and that they mirror our current situation.