Simplified GDPR Compliance Guide for Recruitly UK Ltd
General Principles
Lawful Basis for Processing
Consent: Obtain clear, informed, freely given consent where consent is the lawful basis (for example, direct marketing), and make withdrawal as easy as giving it.
Contractual Necessity: Process data to fulfil orders and services.
Legal Obligation: Comply with laws (e.g., tax, financial regulations).
Legitimate Interests: Process data for business needs such as marketing and fraud prevention only after a documented legitimate interests assessment (LIA) confirms that those interests are not overridden by the individual's rights and freedoms.
Documentation: Keep records of the lawful basis for data processing and update privacy policies to inform customers.
Data Subject Rights
Access: Provide an easy way for individuals to see and download their data, and respond to subject access requests within one month of receipt.
Rectification: Allow updates to incorrect or incomplete data.
Erasure: Offer a process to delete data on request where one of the GDPR grounds applies (for example, the data is no longer needed or consent has been withdrawn), and record any exemption relied on, such as a legal retention obligation.
Restriction of Processing: Temporarily limit data processing if requested.
Data Portability: Provide data in a structured, commonly used, machine-readable format such as CSV or JSON; this applies to data the individual supplied that is processed by automated means on the basis of consent or contract.
Objection: Always allow opt-out from direct marketing, and allow objection to other processing based on legitimate interests unless compelling grounds can be shown.
Automated Decision Making: Where a decision is made solely by automated means and has legal or similarly significant effects (for example, automated rejection of applicants), inform the individual, explain the logic involved, and provide a route to human review and to contest the decision.
Data Protection by Design and by Default
During Design:
Conduct Data Protection Impact Assessments (DPIAs) before starting high-risk processing.
Minimise data collection.
Anonymise data where the purpose allows it; otherwise pseudonymise it, keeping the re-identification key separate from the data (pseudonymised data is still personal data).
Default Settings:
Use the highest privacy settings by default.
Require opt-in where consent is the lawful basis; never pre-tick boxes or enable optional processing by default.
Ongoing Practices:
Regularly review data protection measures.
Train employees on data protection principles.
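The pseudonymisation and minimisation points above are easy to get wrong in practice: hashing an email address with a plain SHA-256 is not effective pseudonymisation, because the set of plausible inputs is small enough to guess, and a keyed hash (HMAC) only protects if the key is stored separately from the analytics copy. The following is an added illustration, not code from this guide or from Recruitly; the candidate records, field names and helper functions are constructed for the example.

```python
"""Pseudonymisation and data minimisation for candidate records (constructed example)."""
import hashlib
import hmac
import secrets

# Constructed sample records; not real people.
CANDIDATES = [
    {"email": "Alice.Smith@example.com", "name": "Alice Smith", "dob": "1990-04-12",
     "postcode": "SW1A 1AA", "skills": ["python", "sql"],
     "notes": "Called about relocation; partner works at a hospital."},
    {"email": "bob@example.org", "name": "Bob Jones", "dob": "1985-11-30",
     "postcode": "M1 1AE", "skills": ["java"], "notes": "Prefers remote roles."},
]

# The only fields an analytics job is allowed to see, besides the pseudonymous ID.
ANALYTICS_FIELDS = {"skills", "birth_year_band", "postcode_area"}


def _normalise(email: str) -> bytes:
    """Case/whitespace normalisation so one person does not get several IDs."""
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but anyone with a list of candidate
    emails can recompute it and link the record back (see reverse_unkeyed)."""
    return hashlib.sha256(_normalise(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key. Without the key a guess cannot be checked.
    The key must live in a separate store (e.g. a KMS/secret manager), not next
    to the pseudonymised data set; the pair together is still personal data."""
    return hmac.new(key, _normalise(email), hashlib.sha256).hexdigest()


def minimise(record: dict, key: bytes) -> dict:
    """Analytics-safe copy: pseudonymous ID, coarsened quasi-identifiers,
    and no name or free-text notes (notes often carry third-party data)."""
    year = int(record["dob"][:4])
    band_start = year - (year % 5)           # five-year band instead of exact DOB
    out = {
        "candidate_id": keyed_pseudonym(record["email"], key),
        "birth_year_band": f"{band_start}-{band_start + 4}",
        "postcode_area": record["postcode"].split()[0],   # outward code only
        "skills": sorted(record["skills"]),
    }
    # Guard against someone later adding a direct identifier to the export.
    assert set(out) - {"candidate_id"} == ANALYTICS_FIELDS
    return out


def reverse_unkeyed(digest: str, guesses: list) -> str:
    """Dictionary attack: returns the normalised email behind a digest if it is
    in the guess list, or None. Succeeds against naive_pseudonym, fails against
    keyed_pseudonym because the attacker cannot reproduce the HMAC."""
    for guess in guesses:
        if naive_pseudonym(guess) == digest:
            return _normalise(guess).decode("utf-8")
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # assumed: fetched from a secret store in production
    guesses = [c["email"] for c in CANDIDATES] + ["carol@example.net"]
    for c in CANDIDATES:
        print("naive  ->", reverse_unkeyed(naive_pseudonym(c["email"]), guesses))
        print("keyed  ->", reverse_unkeyed(keyed_pseudonym(c["email"], key), guesses))
        print("export ->", minimise(c, key))
```

The recovery list in reverse_unkeyed stands in for anything an attacker can enumerate (a leaked mailing list, common first.last@employer patterns); rotate the HMAC key only with a plan for re-linking existing IDs, since rotation changes every candidate_id.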
Data Security
Technical Measures:
Encrypt data in transit and at rest, and keep encryption keys in a separate key management system rather than alongside the data.
Implement strict, role-based access controls on the principle of least privilege, and review access rights regularly.
Apply security patches promptly and track unpatched systems.
Use intrusion detection and centralised logging so that breaches are detected quickly enough to meet the notification deadlines below.
Organisational Measures:
Develop comprehensive data protection policies.
Establish an incident response plan.
Conduct regular security audits.
Ensure third-party vendors comply with data protection requirements.
Accountability and Governance
Data Protection Officer (DPO)
Requirement Assessment: Determine whether a DPO is required; it is mandatory where core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category or criminal offence data. Document the decision either way.
Appointing a DPO: Ensure the DPO has expertise in data protection laws and practices, and provide them with the necessary resources and independence.
Records of Processing Activities
Documentation: Maintain detailed records of all data processing activities.
Regular Updates: Periodically update records to reflect changes.
Data Protection Impact Assessment (DPIA)
High-Risk Activities: Identify processing likely to result in high risk to individuals (for example, large-scale profiling or automated screening of candidates, special category data, or new technologies) and complete the DPIA before the processing starts; if high residual risk remains, consult the supervisory authority first.
Conducting DPIAs: Follow a structured process to assess and mitigate risks.
Breach Notification
Preparation and Detection
Incident Response Plan: Develop and maintain a plan for addressing data breaches.
Detection Mechanisms: Implement tools to detect breaches promptly.
Notification to Authorities
72-Hour Notification: Notify the relevant supervisory authority (the ICO for Recruitly UK Ltd under UK GDPR) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Record every breach internally, including those not reported, with the reasoning.
Content of Notification: Include details about the breach, its consequences, and measures taken.
Notification to Individuals
High-Risk Notification: Inform affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Content of Notification: Provide clear information about the breach and protective measures.
International Data Transfers
Safeguards
Standard Contractual Clauses (SCCs): Use the EU SCCs for transfers out of the EEA to countries without an adequacy decision; for transfers under UK GDPR, use the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, and carry out a transfer risk assessment.
Binding Corporate Rules (BCRs): Implement approved BCRs for intra-group transfers.
Adequacy Decisions: Transfer data freely to countries covered by an adequacy decision from the European Commission (or, under UK GDPR, UK adequacy regulations).
Documentation and Monitoring
Impact Assessments: Regularly review and document international transfers.
Audits: Conduct periodic audits to ensure compliance.
Consent Management
Obtaining Consent
Clear Opt-In: Require a clear, affirmative action for each purpose; pre-ticked boxes, silence or inactivity do not constitute consent, and consent to marketing must not be bundled with acceptance of terms of service.
Detailed Information: Provide detailed information about data processing purposes.
Managing Consent
Record Keeping: Maintain records of each consent obtained: who consented, when, for which purpose, the exact wording and version of the notice shown, and how the consent was given.
Easy Withdrawal: Ensure individuals can withdraw consent as easily as they gave it, and stop the related processing promptly after withdrawal.
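A consent record is only useful as evidence if it captures what the person was shown and when, and if withdrawal is applied by the same system that grants. The following append-only consent ledger is an added example, not code from this guide or from Recruitly; the class and field names, purposes and notice text are constructed for illustration.

```python
"""Append-only consent ledger (constructed example)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str            # one purpose per event, e.g. "marketing_email"
    granted: bool           # True = consent given, False = consent withdrawn
    at: datetime            # timezone-aware UTC timestamp
    notice_version: str     # version label of the privacy notice shown
    notice_digest: str      # SHA-256 of the exact wording shown to the person
    source: str             # where the action happened, e.g. "signup_form"


class ConsentLedger:
    """Events are only ever appended; the latest event per subject/purpose wins.
    No event for a purpose means no consent: there is no default opt-in."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               notice_text: str, notice_version: str, source: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        when = at or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        event = ConsentEvent(
            subject_id=subject_id, purpose=purpose, granted=granted, at=when,
            notice_version=notice_version,
            notice_digest=hashlib.sha256(notice_text.encode("utf-8")).hexdigest(),
            source=source,
        )
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal is recorded as its own event, so the history is preserved."""
        return self.record(subject_id, purpose, False, "withdrawal", "n/a", source, at)

    def is_consented(self, subject_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """Check before every use of the data (e.g. before each marketing send)."""
        now = at or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= now]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.at).granted

    def evidence(self, subject_id: str) -> List[dict]:
        """Full history for one person, for audits or a subject access request."""
        return [
            {"purpose": e.purpose, "granted": e.granted, "at": e.at.isoformat(),
             "notice_version": e.notice_version, "notice_digest": e.notice_digest,
             "source": e.source}
            for e in self._events if e.subject_id == subject_id
        ]


NOTICE_V3 = "We will email you about roles matching your profile. You can unsubscribe at any time."  # constructed


def demo() -> ConsentLedger:
    ledger = ConsentLedger()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record("cand-42", "marketing_email", True, NOTICE_V3, "v3", "signup_form", at=t0)
    ledger.withdraw("cand-42", "marketing_email", "unsubscribe_link",
                    at=datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    for row in demo().evidence("cand-42"):
        print(row)
```

Storing the digest of the notice text (rather than a copy) keeps the ledger small while still proving which wording was shown, provided the notice versions themselves are retained; the is_consented check takes a point in time so that a later audit can answer "was this send lawful when it happened?".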
Vendor and Partner Management
Data Processing Agreements
Contractual Clauses: Put a written data processing agreement in place with every processor that covers the GDPR Article 28 requirements: processing only on documented instructions, confidentiality, security measures, prior approval of sub-processors, assistance with data subject rights and breach notification, deletion or return of data at the end of the contract, and audit rights.
Due Diligence: Assess vendors’ compliance with GDPR before entering agreements.
Monitoring and Review
Regular Audits: Audit vendors and partners regularly.
Compliance Documentation: Maintain records of all vendor agreements and compliance checks.
Training and Awareness
Training Programmes
Regular Sessions: Conduct regular GDPR training for all employees.
Specialised Training: Offer specialised training for those handling sensitive data.
Awareness Campaigns
Ongoing Communication: Implement communication strategies to keep data protection a priority.
Resources and Support: Provide access to GDPR resources and support for employees.
Supervisory Authority Interaction
Proactive Engagement
Point of Contact: Designate a contact for communications with supervisory authorities.
Notification Procedures: Establish procedures for notifying authorities of breaches and other issues.
Response to Requests
Timely Cooperation: Respond promptly to requests or investigations.
Documentation: Maintain detailed records of interactions with authorities.