J&C Associates > Blog > Recruiting & Recruitment Industry

GDPR - Time is Running Out! Requirements and Deadlines


All companies are under the cosh and if they haven’t been sweating about GDPR in recent months, then they had better start sweating now.

If you’re reading this and thinking what is GDPR, then you should spare a few minutes and read what follows as GDPR has the potential to impact every person in the UK and Europe and potentially beyond. And it will definitely impact every company!


It’s all about companies that hold personal data, which is, well, all companies.

There are those ones that spam us all the time. The ones we have never, ever spoken to, never, ever signed up to and yet somehow, they have collected and scraped our data or even bought it from unscrupulous companies that happily sell our personal details.

So, the key tenet of GDPR is to give control back to us (the citizens and residents)! Hooray! We can demand to know what data companies hold on us and we can demand that they delete it.

And, under GDPR, all of us in Europe will abide by the same laws and even though the UK is on the Brexit path, GDPR will remain and replaces our previous Data Protection Acts.

So, at first, you may well think this is a good thing! I know I did. But do you know what, whenever I do find two minutes in the day to spare, the last thing I think about is contacting a company to demand to know what details they hold on me and that they delete my details, because in reality it will just take too long. I will add them to my spam folder and I will certainly spare the Nano-second it takes to delete the email.

The there are those idiot companies that specialise in sending nothing but spam from untraceable emails addresses and they will never be hunted down and fined (see below) because they have no money so the fine will therefore be meaningless.

The companies that make aggressive cold calls to me and you, or target the elderly should be stopped but they are often hard to find and have an uncanny ability to disappear…probably when the fine is actually due.

So here is the kicker... who will pay the fines? Because fines for real companies can be €20 million or 4% or annual global turnover – whichever is higher. So all companies, particularly the legal, law-abiding ones had better sit up and take notice.

These are serious fines and serious money and rest assured, The Information Commissioner’s Office https://ico.org.uk/ will look to make an example of a big-name company for two reasons. Firstly, they will look pretty inefficient if they don’t. The huge song and dance about GDPR has to be taken seriously and the only way to make people take it seriously is to slap someone with a fine. Secondly, the ICO is about to lose all their income from the annual fees they have been charging to all companies (£35 for companies with fewer than 250 employees including charities or £500 for those companies with more than 250 people). The shortfall here will be about £20m – yes £20m that companies currently pay to the ICO to then allow the ICO to check on them! Last year 44 fines were issued, which pulled in just over £3m.

However, I would suggest that companies that have registered with the ICO and pay the annual fee (we do) are not the ones engaging in spamming and would never, ever sell their data to another company. Even if they don’t comply with every letter of the legislation they are not deliberately heaping misery on innocent people and offering them irrelevant services that they never wanted.

Given the laws coming in, every reputable company is investing a huge amount of time and burning chunks of their profit just to stand still and remain compliant. And we were never the ones spamming or doing anything illegal.

Every industry and every company will be massively impacted whether they email their client/customer base or not. The mere fact that you have employees means they too can demand to know what data you hold on them. And then they can demand you delete it unless you can prove you are holding it for a valid and legal reason.

The recruitment industry as a whole will be massively impacted. After all, we collect information on candidates and contact them with job opportunities. We exist to service our clients with candidates and our candidates with clients. We are all about data, but now we will have to re-validate the data we hold at alarmingly short intervals.

What does “short” mean? Well your guess is as good as mine. While it has taken forever to finalise the wording of GDPR (it goes live in May 2018) some of the wording is still not finalised and better still there is NO DEFINED definition of how often you should re-contact your database.

GDPR just says you shouldn’t keep it longer than necessary, longer than reasonable, longer than a piece of string. So as long as a company can reasonably justify their thinking, then they may or may not reprimand or fine you. Maybe if they have a good, strong legal team then they will be fine. Smaller companies beware!

Take GDPR seriously – it will impact you and certainly your organisation.

Below follows a definition of GDPR and some useful links including the 12 steps to GDPR nirvana.

Live. Love. Enjoy GDPR




"The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable."

"The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover."

More like this? Recruiting & Recruitment Industry (9)

Or just browse: previous | next