What is GDPR?
From 25 May 2018 the General Data Protection Regulation (GDPR) will impose greater data protection obligations on organisations whilst giving more rights to individuals in relation to how their personal data is processed.
What is Personal Data?
Personal data is data that can identify you as a living individual. There is general personal data such as name, address, National Insurance number and online identifiers/location data. There is also sensitive personal data which includes information on physical and mental health, sexual orientation, race or ethnic origin, religious beliefs, trade union membership and criminal records. Sensitive personal data must be protected to a higher level.
How did Lusona Consultancy get your personal data?
You may have applied directly to us or we may have found your details from a job board or social networking site. We can process your data if we have a legal basis for doing so. There are 6 legal bases for processing data but we are likely to rely on (1) your consent, (2) to comply with a legal obligation that we have, (3) that we have a legitimate interest in processing your personal data or (4) to fulfil a contractual obligation that we have with you. Different conditions apply to each of these legal bases.
What should Lusona Consultancy tell you about personal data?
- Our contact details
- Why we are processing your data and what is our legal reason for doing so
- If we are relying on legitimate interests, what those legitimate interests are
- How long we will store your personal data for
- That you have a right to request that we correct any incomplete or inaccurate data about you
- That you have the right to request that we erase your personal data
- That you have a right to complain to the Information Commissioner’s Office (ICO)
- That if you have given any specific consent(s), you can also withdraw any specific consent(s)
- Whether we will use automated decision-making / profiling to assess suitability for specific roles
What are your data protection rights?
- Right to informed consent - for your consent to be valid you must know what you are consenting to. To give valid consent you must give a positive indication of your consent, such as by ticking a box - we cannot accept your silence as consent or use a pre-ticked box. However consent is not the only legal basis that we can use to process your data. If we do not need consent to process your data we will not ask for it.
- Right to withdraw a specific consent - if you have given a specific consent you will have the right to withdraw that specific consent. We will have to stop processing the data that you gave us but we can continue to process other data if we rely on another legal reason for doing so.
- Right to object - you have the right to object to your data being processed. We can then only process your data if we have a compelling legal ground to do so.
- Rights in relation to automated decision making - you have a right not to be subject to a decision based on automated processing unless you have given your explicit consent. However, we will not need your consent if the process is not fully automated.
- Right to make a Subject Access Request (SAR) - if you make a SAR then we should respond to you within one month, this can be extended to a further 2 months in certain circumstances. We should not charge you to respond to your SAR unless for example you have made repeated requests for the same information. Lusona Consultancy could refuse to comply with your request for the same reasons.
- Right to data portability - where technically possible, you have a right to have your personal data transferred directly from one organisation to another. However, this does not include having your data passed to another organisation without your knowledge.
- Right of rectification of inaccurate or incomplete data - you have the right to request that we correct any incomplete or inaccurate data we hold on you. We should respond to your request within one month.
- Right to erasure - this is also known as the right to be forgotten. You can request that the organisation remove all your personal data. However, this is not an absolute right - the organisation can keep your personal data if they have a legal reason for doing so. If you ask for your data to be erased we may ask whether you just do not want to hear from us for a period of time or whether you want your data to be permanently deleted? As organisations cannot keep lists of people whose data they have deleted, we may still contact you if later on we find your details on a jobs board or a social networking site. If you have requested for your data to be forgotten we should tell any third parties that we have passed your data to, that you have filed a request to erase. They must also do the same. Agencies are required to keep certain records such as ID or right to work checks and payroll records for certain periods of time. These obligations will override any request to erase data or any objection to processing for so long as we must keep the data.
- Direct marketing - an organisation must have your express consent to send you direct marketing.
- Personal data breaches - if we suffer a data breach eg a loss of theft or personal data, we must inform the ICO. If there is a high risk to you, we must also tell you.
Further information about data protection can be found on the https://ico.org.uk.