Skip to main content
All CollectionsGDPR
GDPR Compliance Guide
GDPR Compliance Guide

Simplified GDPR Compliance Guide: General Principles for Recruitly UK Ltd.

Updated over a week ago

Simplified GDPR Compliance Guide for Recruitly UK Ltd

General Principles

  1. Lawful Basis for Processing

    • Consent: Collect clear, informed consent for marketing.

    • Contractual Necessity: Process data to fulfil orders and services.

    • Legal Obligation: Comply with laws (e.g., tax, financial regulations).

    • Legitimate Interests: Process data for business needs like marketing and fraud prevention, ensuring these don’t override individual rights.

    • Documentation: Keep records of the lawful basis for data processing and update privacy policies to inform customers.

  2. Data Subject Rights

    • Access: Provide an easy way for individuals to see and download their data.

    • Rectification: Allow updates to incorrect or incomplete data.

    • Erasure: Offer a process to delete data upon request if conditions are met.

    • Restriction of Processing: Temporarily limit data processing if requested.

    • Data Portability: Provide data in a machine-readable format like CSV or JSON.

    • Objection: Allow opt-out from marketing and other processing activities.

    • Automated Decision Making: Inform and provide recourse against automated decisions affecting individuals.

  3. Data Protection by Design and by Default

    • During Design:

      • Conduct Privacy Impact Assessments (PIAs).

      • Minimise data collection.

      • Anonymise or pseudonymise data.

    • Default Settings:

      • Use the highest privacy settings by default.

      • Require opt-in for data processing.

    • Ongoing Practices:

      • Regularly review data protection measures.

      • Train employees on data protection principles.

  4. Data Security

    • Technical Measures:

      • Encrypt data.

      • Implement strict access controls.

      • Regularly update security patches.

      • Use intrusion detection systems (IDS).

    • Organisational Measures:

      • Develop comprehensive data protection policies.

      • Establish an incident response plan.

      • Conduct regular security audits.

      • Ensure third-party vendors comply with data protection requirements.

Accountability and Governance

  1. Data Protection Officer (DPO)

    • Requirement Assessment: Determine if a DPO is needed based on data processing activities.

    • Appointing a DPO: Ensure the DPO has expertise in data protection laws and practices, and provide them with the necessary resources and independence.

  2. Records of Processing Activities

    • Documentation: Maintain detailed records of all data processing activities.

    • Regular Updates: Periodically update records to reflect changes.

  3. Data Protection Impact Assessment (DPIA)

    • High-Risk Activities: Identify activities requiring DPIAs.

    • Conducting DPIAs: Follow a structured process to assess and mitigate risks.

Breach Notification

  1. Preparation and Detection

    • Incident Response Plan: Develop and maintain a plan for addressing data breaches.

    • Detection Mechanisms: Implement tools to detect breaches promptly.

  2. Notification to Authorities

    • 72-Hour Notification: Notify the relevant authority within 72 hours if a breach occurs.

    • Content of Notification: Include details about the breach, its consequences, and measures taken.

  3. Notification to Individuals

    • High-Risk Notification: Inform affected individuals if their rights are at high risk.

    • Content of Notification: Provide clear information about the breach and protective measures.

International Data Transfers

  1. Safeguards

    • Standard Contractual Clauses (SCCs): Use SCCs for transfers to non-EU countries.

    • Binding Corporate Rules (BCRs): Implement BCRs for intra-group transfers.

    • Adequacy Decisions: Transfer data to countries with an adequacy decision from the European Commission.

  2. Documentation and Monitoring

    • Impact Assessments: Regularly review and document international transfers.

    • Audits: Conduct periodic audits to ensure compliance.

Consent Management

  1. Obtaining Consent

    • Clear Opt-In: Require a clear, affirmative action for consent.

    • Detailed Information: Provide detailed information about data processing purposes.

  2. Managing Consent

    • Record Keeping: Maintain records of obtained consents.

    • Easy Withdrawal: Ensure individuals can easily withdraw consent.

Vendor and Partner Management

  1. Data Processing Agreements

    • Contractual Clauses: Include GDPR-compliant clauses in contracts with data processors.

    • Due Diligence: Assess vendors’ compliance with GDPR before entering agreements.

  2. Monitoring and Review

    • Regular Audits: Audit vendors and partners regularly.

    • Compliance Documentation: Maintain records of all vendor agreements and compliance checks.

Training and Awareness

  1. Training Programmes

    • Regular Sessions: Conduct regular GDPR training for all employees.

    • Specialised Training: Offer specialised training for those handling sensitive data.

  2. Awareness Campaigns

    • Ongoing Communication: Implement communication strategies to keep data protection a priority.

    • Resources and Support: Provide access to GDPR resources and support for employees.

Supervisory Authority Interaction

  1. Proactive Engagement

    • Point of Contact: Designate a contact for communications with supervisory authorities.

    • Notification Procedures: Establish procedures for notifying authorities of breaches and other issues.

  2. Response to Requests

    • Timely Cooperation: Respond promptly to requests or investigations.

    • Documentation: Maintain detailed records of interactions with authorities.

Did this answer your question?