Data recording, security, storage and destruction

This includes paper, digital, audio or visual recordings.

The Data Protection Act was written to be technology neutral and doesn’t specify the use of any particular technologies as these frequently change. The GDPR requires you to process personal data securely using appropriate technical and organisational measures.  What is suitable and appropriate for you to do depends on your circumstances (particularly as most recruiters are small businesses and/or freelancers).  However you must also consider the data you are processing and the risk posed.  For example if you process a lot of special category data, e.g. if you do a lot of political polling and collect political opinions (which are special category data), a higher level of protection would be expected.

You should have a Data Protection Policy which lists procedures about data recording and security, your organisational security, physical security and computer security.  All staff, part-time and casual workers  included, must be trained on data security at induction and refresher training should be completed at least annually.  The Resources section has a number of templates and guidance documents to assist you with your GDPR requirements.