GDPR FAQs

Initially, we recommend you look at the ICO website. There is a good section for small businesses. Please also see our privacy policy and terms and conditions for more information.

Please be aware, whilst StepStone is doing everything it can to assist you, as our customer, we are not a law firm and highly recommend you seek legal advice to ensure you are compliant with GDPR.

What does it mean for your business?

1. What does GDPR stand for?

GDPR is short for the ‘General Data Protection Regulation’. It is a law set to overhaul Europe’s, and as a result the world’s, entire data privacy framework. GDPR comes into force on 25 May 2018.

2. What are the GDPR requirements?

GDPR is a key piece of legislation for Europe and, consequently, the rest of the world. All organisations and businesses need to consider the legislation as a whole and conduct an analysis of the impact of GDPR on their activities. Some of the most significant requirements are as follows:

  • Many organisations and businesses will need to appoint a Data Protection Officer. This applies to those companies who regularly and systematically process personal data or monitor data subjects.
  • Transparency is vital. You are under a duty to be upfront with customers, employees and others about how their data is processed. This means you have to know what you do and why, and be able to convey that in a clear and comprehensive manner.
  • Data Privacy Impact Assessments (DPIAs) will become a fact of life. Where any new or existing data processing activity will result in a high risk to the rights and freedoms of individuals, companies will be required to carry out a systematic review of how best to safeguard those rights.
  • Deletion and portability. Businesses and organisations need to be able to delete data when it is no longer necessary, and transfer it elsewhere if requested by the people it refers to. You will need to ensure that your systems are designed to make that possible.
  • Privacy by design and default. These are safeguards to ensure the protection of personal data is hardwired into your processes and systems.
  • Accountability. Being compliant isn’t enough. You have to show that you are abiding by the rules. This includes maintaining an up-to-date register of data processing activities. In the event of a security breach, it also involves being able to give a full account of what happened and the preventative measures you had in place when reporting that breach.

3. What happens if my company is not compliant with GDPR?

Most of you will have heard that the fines have changed:

For serious breaches (e.g. a major security breach where the organisation had woefully inadequate protective measures in place), the maximum administrative fine is up to 4% of global turnover or EUR 20 million, whichever is higher.

For other breaches (e.g. inadequate record keeping or failure to report a breach), regulators will have the power to issue penalties of up to 2% of global turnover or EUR 10 million.

Also, there is a direct right of action for data subjects to claim compensation from the data controller or processor. So, if data has been incorrectly held or used and the individual has suffered damage, firms could find themselves being hit by legal action.

Finally, there are the possible reputational repercussions of non-compliance. Sanctions and major fines issued by the regulator will be information in the public domain. Staying compliant is crucial for any business seeking to maintain its reputation as a safe pair of hands in the digital marketplace.

4. Who does GDPR apply to?

GDPR applies to natural or legal persons, public authorities, agencies or other bodies processing personal data (processing in the course of exclusively personal/household activities is excluded).

How exactly GDPR affects you depends on the nature of your processing activities, but regardless of the size and shape of your business, chances are you are in scope.

If you are not sure whether GDPR applies to you, it is best to assume that it does and seek legal advice.

5. How does GDPR impact businesses outside of the EU?

Businesses based outside the EU need to comply with GDPR if they process, manage or store personal data relating to data subjects in the EU, or if they process personal data on behalf of EU businesses. So, no matter where you are based, if you do business in or with people and organisations in the EU, you need to ensure your business is GDPR compliant.

6. How should my business prepare for GDPR?

Becoming compliant does not happen overnight. This is especially the case if you need to put new procedures in place. Steps you can take include:

  • Build awareness. From board level to on-the-ground IT, ensure that decision makers and key staff are aware that the law is changing. All individuals involved in the GDPR-readiness project should be aware of their responsibilities – what they need to do and when. This will help avoid a last minute scramble as the implementation date approaches.
  • Map your data. What personal data do you hold? What is its purpose? Where is it stored? Where did it come from and who do you share it with? For this type of fundamental data audit, having the right tool in place to help you map, visualise and manage your data can make life so much easier.
  • Appoint or designate a Data Protection Officer. Decide who will take responsibility for compliance and where this role will sit within your organisational structure. For larger organisations this will involve appointing at least one DPO; for smaller organisations it will involve formally designating a Data Protection Officer; for one-man-band businesses, you will need to start to understand GDPR yourself.
  • Review your security breach prevention procedures. This will involve a security audit to ensure that the data protection measures you have in place are adequate. Make sure you have the right procedures in place to detect, respond to and report breaches in accordance with the Regulation.
  • Review and refresh your consent procedure. Look at how you obtain, record and manage consent. Consider whether any changes will be needed to your existing procedures in good time for GDPR implementation. The same applies to your current privacy notices.
  • Give consumers their rights to data. You will have to provide certain information to the individuals if you process personal data about them and you will have to facilitate the ability of individuals to exercise their rights. If a customer asks for a copy of the data you hold on them, will you be able to provide it? What happens if someone asks you to delete or transfer their data to another party? Review your infrastructure and procedures to ensure that if you receive such requests, you are able to comply.

GDPR and StepStone

1. Who is responsible for complying with GDPR?

Initially, StepStone is a data controller and we are responsible for the data processing on our websites. Candidates search our website and provide us with a GDPR-applicable lawful basis (by way of contract, legitimate interest or consent) that allows you, our customers, to contact the candidate for the specific job listing or to access their CV from our CVDB. When you contact the candidate to help them apply for a job, or download their CV from our CVDB, you become a data controller. At this point you, as data controller, are required to comply with GDPR and will also have to ensure that you give the individuals their rights. In particular, you will have to provide certain information to them and, if you would like to use candidate data for any purpose other than filling a specific vacancy, you will have to obtain your own form of GDPR approval to continue to use the candidates’ personally identifiable information.

2. Do we have adequate GDPR consent?

There are many grounds for processing. You will see in our Privacy Policy that we use contract, consent, legitimate interest and necessary legal reasons. When you use our listings to help candidates get jobs, or you access our CVDB to see a candidate’s CV, you can rely on our grounds for processing to contact the user for the purpose of filling a specific vacancy. For anything beyond this point you need to obtain additional “consent” and request their permission to use their personal information.

3. Where do we store users’ data?

We are a multinational company with offices worldwide. For our subsidiaries based in the EEA, we store our data within the EEA. Where our companies are not based in the EEA we also ensure adequate levels of protection via data processing agreements or Privacy Shield certification, or are in the process of obtaining such certification.

4. What security measures do we have in place?

All production data is stored in a secure web hosting environment with restricted access. We carry out regular risk reviews, external penetration tests of the environments and internal audits.

5. Do you have any other questions?

Don’t hesitate to contact us at dataprotectionofficerUK@stepstone.co.uk and we will endeavour to answer any additional questions. However, please note that we will be unable to offer legal advice to your business.