Training

GDPR risk for recruiters

by Mark Rowe

HR managers and recruiters are putting their employers at risk of penalties of up to £17.5m (20 million euros) under imminent new data protection law by failing to destroy sensitive data contained within job applicants’ CVs, according to a secure and bulk shredding contract company.

The General Data Protection Regulation (GDPR), which comes into force on Friday, May 25, will apply to all companies that process personal data of European Union citizens.

CVs and application forms can reveal personal data about the subject including their home address, middle names and national insurance number — and sometimes even sensitive information, such as their physical or mental health condition and previous criminal convictions. And since it’s customary for HR managers to print the CVs of prospective employees prior to interviewing them, they’re risking serious data breaches — and therefore hefty fines — unless they properly destroy the documents afterwards. This comes after Facebook finds itself the latest to be in a data breach affair.

Organisations in breach of GDPR, which includes not having a person’s consent to process their data, can be fined up to 4pc of their annual turnover, or 20 million euros (hence the £17.5m) — whichever is greater, far more than the current penalties allowed to the UK regulator of data privacy and security, the ICO.

In fact, job candidates — and any data subjects — will have six rights under the new legislation: right of access, whereby they can request to be informed about what will be done with their data; right to rectification, meaning they can correct or update any data that’s held on file; and right to erasure, which allows them to have their data removed from a database at any time. Prospective employees will also have the right to restriction of processing, whereby they can request their data is suspended from being processed in a database, the right to export all their data from files, and the right to object to their data being processed indefinitely.

Jonathan Richardson, managing director at secure shredding company Russell Richardson, said: “Ahead of the enforcement of GDPR, and in light of the Cambridge Analytica scandal, many businesses are rightfully focusing on cleaning up their electronic databases to remove the risk of breaches. But it’s equally important that they destroy hard copies of sensitive and personal data — a perfect example of which is printed CVs, which are often cast aside or disposed of insecurely after job interviews.”

The shredding and data destruction contract firm said that although in-house office shredders are common, they typically use the ‘strip-cut’ method which produces ribbon-like strips of paper. In the wrong hands, waste paper shredded in this way can still be read and reassembled, meaning the data subject could still be at risk of identity fraud, the firm claimed.

Jonathan added: “Employing a regular shredding service removes this risk and gives businesses of all sizes peace of mind that they’re adhering to the new laws. The size of the fines they’re avoiding by securely destroying confidential information far outweighs the cost of such services. And while recruiters often tell unsuccessful candidates: ‘We’ll keep your details on file,’ in future they’d be wise to rephrase this message.”


© 2024 Professional Security Magazine. All rights reserved.
