Collecting, recording and storing inclusive data
Description
The Data Protection Act and GDPR requirements for collecting, recording and storing inclusive data are the same as for any other special category data.
Next Steps: Documentation for GDPR
The documentation you need to develop and have in place to adhere to data protection requirements is as follows:
Data Inventory
Recording your data processing activities is now required. The data inventory summarises the types of personal data you are collecting and processing.
To compile a personal data inventory you need to undertake the following steps:
The data inventory needs to cover all personal data that you are processing. The sorts of personal data you should include in your inventory cover both live and static data, such as:
Your database of participants and the exact data held: name, age, email address, contact numbers, marital status, etc.
Participant profiles
Pre-tasks
Bank details for incentives
Client supplied sample e.g. customer lists
Survey platform outputs, e.g. if you use DIY tools you will have questionnaire responses stored somewhere on your systems
Once the personal data is identified you need to specify where the personal data is stored. For example:
PCs – drives, downloads, desktops
Mobile devices – laptops, phones, tablets
Back-up services – any outside of the country?
Emails
Paper records
If you have staff who work with you, ensure you know where they store personal data collected for your business and recruitment purposes.
Review the grounds for processing the data. The grounds are most likely to be informed consent or possibly legitimate interest, but you cannot assume this will be the case. You need to be sure you have identified the correct processing grounds.
Determine who has access to the different types of personal data. Within the recruitment context this is likely to be:
Participants
Staff – full-time, part-time, casual
Third parties, e.g. IT consultants, hostesses for groups
Identify the retention and deletion periods for the personal data held on your inventory.
Once the document is completed, review it regularly, identify any personal data you no longer need to keep and, once identified, delete or destroy it securely.
Data Protection Policy
This document summarises your understanding of your legal obligations under the data protection principles. The data protection policy applies to everyone in the supply chain, including freelancers and part-time staff.
The policy states your approach and intentions for personal data, in summary rather than in detail. The policy needs to include:
Your commitment to following the principles of data protection
Who is responsible for data protection
Policies on data retention, data transfers and data breaches
Responsibilities with regard to data subject rights
Privacy Notices
Privacy notices are the statements directed at the individuals whose personal data is being processed. In research this means participants. Privacy notices need to include:
Who you are, where you are, what you do and how you can be contacted
Grounds for processing, e.g. consent, legitimate interest
What data you collect and who you share it with
How long you keep personal data
Where you store and transfer personal data, confirming whether it is stored in or transferred to countries inside or outside the European Economic Area and, if outside, whether those countries have suitable safeguards
How data subject rights can be accessed by individuals
How individuals can complain, including how to contact the relevant supervisory authority (the ICO in the UK).
Data Breach Recording
It is a legal requirement of GDPR to record personal data breaches within 72 hours of discovering a breach.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.
If you have a breach you need to document:
What happened
When it happened
How many people’s data is affected
What actions were taken immediately
Who has been notified
What further actions need to be taken
Remember that you only have to notify the regulator (the ICO in the UK) and the individuals affected in certain circumstances.
The seriousness of a breach is linked to the harm it may cause to the rights and freedoms of individuals.
You may need to take legal advice to determine the seriousness of a breach, and you may also have to notify your insurer.
Staff Training
Document all the training you do with your staff. Once staff have undertaken training, obtain signatures acknowledging that they have received and understood the training.
Your training process should include:
On induction, new staff undertake a separate training session detailing your data protection approach
Provide refresher training for all staff annually
Provide ad hoc training when required
The overall aim of the training is to promote a culture where data protection is important, queries are welcomed and any personal data breaches are identified and reported immediately.
If you work by yourself, keep up to date with data protection and make a record of what you have undertaken and when, e.g. listening to the webinar at the top of this page or attending a course.