On May 25, the “world’s highest standard” for data protection comes into force. Europe’s General Data Protection Regulation (GDPR) will set the gold standard in allowing individuals within the European Union to control their personal data.

To ensure there is a level playing field and comprehensive protection for EU citizens’ data outside Europe’s borders, the GDPR also applies to any company established outside of the EU that monitors the behavior of — or offers goods or services to — consumers within the EU, regardless of whether payment is taken.

Staffing companies that recruit or supply staff from the EU, or that collect personal data relating to an identified or identifiable individual (data subjects) within the EU, must comply with the GDPR — regardless of where they themselves are based.

The GDPR introduces some new obligations on businesses and new rights for data subjects as well as significant increases to the penalties for noncompliance. But the biggest impact for businesses lies in the heightened emphasis on transparency and the requirement to obtain informed consent, where consent is appropriate.


A key document that any business collecting personal data about a data subject must provide to that individual is a “privacy notice.” This notice must be given either at the time the data is collected, if the data is provided directly by the individual, or within one month of when the data is obtained by indirect means, such as from a social media site or a purchased database.

The privacy notice must be clear and concise and provide detailed information about why you are processing their data and the legal basis for processing it.

The business must have a valid lawful basis for processing personal data; the GDPR identifies six legal bases, three of which are most applicable to staffing firms, their clients and other intermediaries:

  • Necessary for the purposes of the legitimate interests pursued by the data controller or a third party, except where these are overridden by the interests or rights of the data subject;
  • Necessary to fulfill the terms of a contract with the data subject; or
  • The individual has given clear, unambiguous informed consent to the processing.

Of these three, reliance on consent carries the greatest risk.

Clear Consent

The GDPR sets a much higher standard for consent than the existing data protection regime.

An indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). GDPR specifically bans preticked opt-in boxes. It also requires individual ”granular” consent options for distinct processing operations and clear records must be kept to demonstrate consent.

Consent should be separate from other terms and conditions and should not generally be a precondition to signing up for a service or an employment contract, as it will be difficult to argue that the consent is freely given.

The GDPR gives individuals a specific right to withdraw consent, so if it is necessary to process their data for your legitimate business activities, your lawful basis for processing should not be reliant on their consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time. Relying on inappropriate or invalid consent could destroy trust and harm your reputation — and may leave you open to large fines.

Individual Rights

In addition to the right to be informed and a higher standard for consent, the GDPR puts individuals firmly in control of their data, with rights to request rectification of inaccurate or incomplete data and to have personal data erased.

Forget me. The “right to be forgotten,” as it is known, allows an individual who no longer wants his/her data to be processed to request that data be deleted. The request should be complied with, provided that there are no legitimate grounds for retaining the data, such as a legal obligation to retain information for tax purposes or other regulatory reasons.

Suppressing data. Individuals will have a right to “block” or suppress the processing of personal data when the accuracy of the data is in question, or their interests override your legitimate interests. For example, you may consider it a legitimate interest of your business to pass information about an individual applicant to a client employer. However, if the individual has a concern that they may be discriminated against if that information is sent to the client, they may suppress the transfer of that information.

Portability. A right to data portability will make it easier for individuals to transmit personal data they have provided to a controller between service providers. This latter right only applies if the basis for processing is the consent of the individual or the performance of a contract with them, and the processing is carried out by automated means. While it seems unlikely, this might be used if an individual has applied for roles online with one recruitment firm and then requests their CV details be provided to another firm. You must provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data.

This enables other organizations to use the data.

Data Sharing

Under the GDPR, whenever a “controller” shares with or transfers data to a “processor,” it must have a written contract in place. Any contracts in place on May 25, 2018, must meet the new GDPR requirements.

The controller determines how and why personal data is processed and the processor carries out the processing on the controller’s behalf. Data controllers may only appoint data processors that can show they are compliant with the GDPR. Processors have specific obligations under the GDPR and may only process personal data in accordance with the controller’s instructions. These specific instructions should be set out in the contract between you, if you are a controller, and any third party carrying out processing, such as an MSP or VMS.

International Transfers

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third-party countries or international organizations. International transfers will only be permitted if the European Commission has decided that the country or organization in question ensures an adequate level of protection; or, in the absence of such a decision, appropriate safeguards are in place; or, where the transfer is necessary for a variety of specified reasons. Alternatively, transfers are permissible with the individual’s informed consent.

Post-Brexit, the UK will maintain laws that provide adequate protection for EU citizens and have already introduced a Data Protection Bill to Parliament to that effect.

Stronger Enforcement

Organizations must notify the national supervisory authority of data breaches which put individuals at risk and notify the data subject of any high-risk breaches as soon as possible, so that they can take appropriate measures to reduce or eliminate the risk. Data protection authorities will be able to fine companies that do not comply with EU rules; in the most serious cases, such fines may reach €20 million or 4% of their global annual revenue.

Privacy by Design

The GDPR places a general obligation on businesses to promote privacy and data protection compliance when embarking on any new project and throughout its lifecycle. The concept, known as “privacy by design,” is an express legal requirement. From May 25, it is a good practice to conduct a data privacy impact assessment for all new projects, systems or policies where there is a risk of any breach of data protection, as part of your business’ overall risk management strategy.

For further information, see our report “Implementing GDPR: A Guide.”