Oh no, not again! | Data Compliance for Recruiters

Just when you thought it was safe to go back into the data…

Britain’s new Information Commissioner has signalled a shake-up of existing data laws, the BBC reports.

John Edwards, the current Privacy Commissioner of New Zealand, has set his sights on a streamlined update to current rules. The aim is to scrap a one-size-fits-all approach, and promote innovation and competition.

The move is seen as a challenge to the GDPR: the powerful set of rules which controls private data.

It could mean a new set of privacy standards for UK businesses and citizens.

The announcement could be good news for enterprises that found themselves hobbled by the heavy-handed approach of GDPR.

But if you are groaning “oh no, not again!” at the news, you are also probably not alone. Any change to the law is likely to require at least some small increase in compliance workloads.

Your organisation may need to double-check their data processes, so it is worth getting up to speed. Here’s a brief summary of what you need to know:

The problem

• Implementation of the GDPR has been a problem from day one.

• The rights extended to EU citizens are broad, far-reaching, and equal for every citizen.

• They also affect all organisations in exactly the same way – from the large corporations, to sole traders.

• This means that a single individual has the right to control their personal data, even when challenged by a multinational giant like Facebook, or Google.

• But it means that the compliance workload demanded of micro-enterprises is the same as those of tech giants, too.

• At the time of its implementation, GDPR also created a new and unique workload which – in theory – impacted every business in the UK.

Where are we now?

• The GDPR became law in May 2018.

• On January 1st 2021, the UK left the European Union.

• Since then, the UK has been operating under a stop-gap “UK-GDPR” set of rules.

• These were essentially a copy-and-pasted version of GDPR which repeated the existing rights and responsibilities, almost to the word. The phrase “UK citizens” replaced instances of “EU citizens” but otherwise the rules themselves remained unchanged.

• It means that, at present, UK citizens still enjoy all of the rights afforded them under the GDPR. UK businesses also carry all of the responsibilities for processing data as set out under the EU law.

How this could change

• The proposed changes seek to alleviate the pressure on small businesses by removing some of the responsibility and being less of a “one size fits all” solution.

• This would mean that large data-handling entities such as Google, Amazon, Facebook, and even the NHS could have different data rights and responsibilities to small, independent firms.

• It may mean an end to those continual pop-ups that UK citizens see whenever they visit a new web page.

• New rules would also make it easier for UK organisations to send and share data about UK citizens to other countries with similarly robust data standards, such as Singapore, Dubai, Columbia, and the United States.


This will not let British businesses off the hook entirely.

EU citizens will still be able to exercise their GDPR rights over British businesses, as those rights are universal. It means that UK firms should still keep their GDPR processes in place. In fact, it is quite likely that these processes will be placed under even higher scrutiny once the UK starts operating under a different system. As a recruiter, if you are sourcing talent or clients from within the EU, you are likely to be impacted by this.

There is also a concern that a new UK system may be deemed inadequate in matching the robustness of the existing GDPR. Should this be the case, UK firms would be blocked from transmitting data of EU citizens to outside countries.

This means that British organisations may, in effect, need to ban EU citizens from their platforms and services as they would be unable to demonstrate legal processing of those individuals’ data. For enterprises with EMEA-facing activity, this could pose the stark choice: relocate, or cease operations.

Clearly, there will be tough decisions facing some UK enterprises. there is also likely to be a fresh round of “compliance panic” and last-minute report filing. eBoss will keep you updated with all of the developments.

Read more about privacy laws and enterprise solutions in our data compliance centre.