GDPR Policy

At Grafters Recruitment Consultants, (known as GRC thereafter) we endeavour to securely hold all personal data collected by candidates and clients. We implement systems and policies to protect all user data and to ensure ongoing compliance with the Data Protection Act (DPA) and the EU General Data Protection Regulation (GDPR).

Information Collection and Use

GRC will only collect, access, and process your information in relation to recruitment activities. We will use your information to discuss your job search with you, match you to suitable vacancies and to contact you about jobs which match your preferences, via the contact methods provided.

Personal information collected could include (but not limited to):

• Your name
• Your contact details
• Your CV
• Salary information, job search preferences, notice period
• Any additional information relevant to your job search which you provide us with e.g. reason for looking for a new job, right to work in the UK, products to avoid etc.
• Passport
• Payroll details
• Personal Health Questionnaire

GRC will never sell your personal information.

We will share your personal information with our clients by sending your CV in order to apply for a job, releasing your contact details so that a job offer can be sent to you, etc. By contacting GRC, you accept that consent is given to the sharing of your details with any potential employers.

We may use information for generating statistics on our in-house database. This is for internal purposes only, in order to improve both our customer service and recruitment services.

We may be required to share personal information if requested by official authorities or law enforcement agencies.

Your details will be shared with our Payroll Company. Your details may also be occasionally accessible by external service providers such as our database software and IT systems providers in order to carry out essential database maintenance. These companies are fully GDPR compliant and your details will remain confidential at all times.

We do not request, or store, any of the following information (only exception would be connected to the application to any Ministry of Defence companies):

• Race or ethnic origin
• Political beliefs
• Tarde union membership
• Religious or philosophical beliefs
• Sexual life or sexual orientation
• Marital/family status

Your CV

We may acquire your CV by you submitting it as a generic application or for a specific role, sending your CV to one of our consultants directly, applying for a job via an online job board other than our website, or if you have uploaded your CV onto an online CV database, such as CV Library and appear in one of our Consultant’s searches.

Once we obtain your CV then it will be uploaded onto our internal database and will be accessible by all of GRCs’ staff involved with recruitment.

If you have a new CV, you can update it using the same procedure as outlined above.

Request for Information and Deletion

You may request at any time to see a copy of the information held by us, and we will aim to provide this to you within 4 weeks - normally much quicker. You may also wish to amend the data that GRC hold on you and likewise you may also wish to have your information deleted from our database. (In some cases, full data removal may not be possible if it is needed for official purposes such as financial records.) Should you wish to take up any of these options then please email info@graftersrecruitment.com or call 01323 737010.

Equality & Diversity

GRC is committed to promoting equality and diversity in all its activities and will not discriminate on the basis of age, sex and sexual orientation, race, religion and belief, family status, disability, political views and nationality (although we do check right to work status).

Changes to Privacy Statement

We may edit this statement and/or our privacy policies and practices at any time without notice. However, should any changes be of any major significance, then we will endeavour to notify visitors through appropriate means such as email notification or announcement on the website.

Personal Data Security

We have an SSL Certificate installed on our server to ensure all data sent between your computer and our server is encrypted. We encrypt your email address and password. Your username, first name and last name are unencrypted.

Other Websites

This privacy policy only applies to GRC. If you upload your personal details or CV onto a third party website, then you must refer to that particular sites’ privacy policy which may differ from our own. GRC does not have control over the information collected or processed by third-party entities.

Data Breach Policy

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

A personal data breach may mean that someone other than the data controller receives unauthorised access to personal data. A personal data breach can also occur if there is unauthorised access within an organisation, or if a data controller’s own employee accidentally alters or deletes personal data.

GRC understands that data breaches can occur from:

• access by an unauthorised third party;
• deliberate or accidental action (or inaction) by a controller or processor;
• sending personal data to an incorrect recipient;
• computing devices containing personal data being lost or stolen;
• alteration of personal data without permission; and
• loss of availability of personal data.

Dedicated Person

Sian Maher, Director, is allocated the responsibility for managing a data breach.

If any staff within GRC become aware of a potential security incident, they must escalate this to Sian Maher, who will then action a plan to determine whether a breach has occurred.

Response Plan

• If a suspected security breach has occurred, we will take the following steps:
• We will determine whether any personal information is at risk by determining what information has been accessed
• If a theft of a device occurred, we will work out what information was held by the device holder
• If an external security breach occurred, we will liaise with our IT service provider and/or data processor to determine if and what data has been accessed
• We will attempt to identify how many and which individuals the information relates to
• An internal meeting will be held to discuss and determine whether there is risk posed to the individuals identified
• If it’s likely a risk is involved to individuals concerned, then we will notify the ICO within 72 hours
• If a risk is unlikely and we do not need to report the data breach to the ICO, then we will create a full detailed record of the incident and keep this on our internal computer system for future reference

Reporting a Breach

If GRC decide that that it is necessary to report a data breach then we will send the ICO a description of the nature of the personal data breach including, where possible:

• the categories and approximate number of individuals concerned; and
• the categories and approximate number of personal data records concerned;
• the name and contact details of our data protection officer or other contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach; and
• a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

If we do not have full details of the breach fully within the 72 hours, we will initially inform ICO of the breach with all available information at that time. We will then prioritise the investigation, give it adequate resources and expedite it urgently. We will then submit further information as soon as possible.Informing individuals about a breach

If a breach is likely to result in a high risk to the rights and freedoms of individuals, we will inform those concerned directly and without undue delay.

If a risk of damage is possible, we will contact individuals is to help them take steps to protect themselves from the effects of a breach.

We will inform individuals in clear and plain language, the nature of the personal data breach including, where possible:

• the categories and approximate number of individuals concerned; and
• the categories and approximate number of personal data records concerned;
• the name and contact details of the data protection officer or other contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach; and
• a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Recording Breaches

We will ensure that we record all breaches, regardless of whether or not they need to be reported to the ICO.

We will document the facts relating to the breach, its effects and the remedial action taken. This is part of our overall obligation to comply with the accountability principle and allows us to verify our organisation’s compliance with its notification duties under the GDPR.

As with any security incident, we will investigate whether or not the breach was a result of human error or a systemic issue and see how a recurrence can be prevented – whether this is through better processes, further training or other corrective steps.

Contact Details

If you have any questions or suggestions regarding this statement or believe we are not properly adhering to it, please contact Sian Maher at sian@graftersrecruitment.com or call Sian on 01323 747778.