Intended Change to Management of Personal Data to Comply with GDPR

25 February 2018

The new EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018 along with the UK Data Protection Act 2018. The following summarises Sopra Steria Recruitment’s (SSR) existing compliance under the Data Protection Act 1998 and our intent with regard to implementing changes in line with GDPR requirements.

Sopra Steria Recruitment – Current Scope of Use of Personal Data

To operate effectively as an Employment Business and as an Employment Agency, SSR must hold information on or contracts with:

  • candidates requiring work-seeking services
  • customer organisations and their employees involved in utilising recruitment services and contracting with SSR for Limited Company workers
  • suppliers in the form of recruitment companies supporting our business
  • suppliers in the form of Limited Companies and their employed worker(s)
  • suppliers in the form of technology providers, job-boards and other advertising media

Current management of Data Protection and Privacy:

  • all personal data in the above scope is held and processed in line with the Data Protection Act 1998
  • all data is managed securely in line with ISO27001 certification
  • consent to share candidate data with clients for specific opportunities is sought and recorded
  • the Principles of Engagement are explained in advance of candidate registration, including how the candidate data will be stored, utilised and protected
  • data is only held, retained and processed to enable the effective operation of the recruitment service required by customers and work-seeking services required by candidates
  • where external providers are utilised to enable processing of personal data for our recruitment services, such as payments and billing, the data is protected through appropriate DPA agreements
  • Subject Access Requests are processed in line with the requirements of the Data Protection Act

Intended Change To Ensure Compliance With General Data Protection Regulation

It is Sopra Steria Recruitment Limited’s intent to implement processes, controls, communications and employee education to ensure that all Personal Data held for the purpose of providing Recruitment Services to Customers and Candidates will be protected and processed in line with GDPR.

Our approach to transition from existing mechanisms under the auspices of the Data Protection Act 1998 encompasses (among other things) the following aspects of the new Regulations:

  • ensuring we have a lawful basis to utilise contractors’ (including applicants’) personal data for effective provision of services to them and to our customers
  • providing transparency to data subjects to ensure clarity on how and why their personal data will be stored, processed, passed to relevant organisations and retained. A lawful basis for managing their personal data in this way will be recorded.
  • similarly, requests from individuals under the new data subject rights will be dealt with as required or permitted under GDPR
  • providing individuals with the opportunity to correct their data to ensure accurate representation at all times
  • providing the facility for individuals to reuse and export their personal data as required
  • ensuring Data Security is maintained and, where necessary, enhanced to protect data in the new GDPR model

As part of our methodology for transitioning from our existing DPA 1998 compliant model to compliance with GDPR 2018, we have already:

  • identified all of the personal data types held across all aspects of our operations and whether SSR is Controller or Processor
  • defined a revised Data Governance function to establish the change programme required to transition successfully

And we are well on the way to:

  • scoping a full suite of changes to processes, controls and communications under the oversight of the Data Governance function
  • communicating to all stakeholders (Employees, Data Subjects, third party providers and other organisations)
  • implementing the change programme.

More information on our progress towards compliance with GDPR will be made available as we move through our change programme.

Peter J Holliday
Managing Director
Sopra Steria Recruitment Limited