You are likely aware that on May 25, 2018, a new data privacy law introduced in Europe called the General Data Protection Regulation (GDPR) came into force, impacting how businesses collect and process data.
GDPR empowers people to take control of their data.
Your data subjects (Candidates and Clients) will dictate and decide how their data should be processed. GDPR is a regulation that came into effect on 25th May 2018, although it has been introduced much before to give businesses time to prepare for it.
Regardless of Brexit, all UK organizations handling personal data will need to comply with the GDPR because of The Data Protection Bill that is coming into effect soon.
GDPR centers around protecting people’s data and ensuring that the public is made aware of the purpose of why a business is keeping their data but also asking for their consent to do so – this is crucial. The idea is that as soon as a member of the public gives their information away they are made aware of what the purpose is be it simply storing and processing, mass-marketing, surveys, or otherwise.
The public should also be made aware of how long you plan to keep their data; this has been defined as 'for no longer than is reasonably necessary for the specific purpose laid out in the initial sign-up. This does leave somewhat to the imagination, but it can be interpreted as if you were to keep a person's data to find them a job then having found them a job you would have to ask for a 2nd permission to continue holding the data. Therefore, data cannot be held indefinitely.
You must also specify the length of time that you wish to keep the data for. For example, it could be appropriate to tell the applicant that you will keep the data for 1 year and then seek their approval again after that time has run out.