Skip to content


Submit or approve timesheets here by selecting one of the options.

GDPR Principles

GDPR: How will it affect us?

Most of us are aware that changes are coming to data protection rules which will have a big impact on all businesses. Here, we explain what Rullion is doing to make sure we’re compliant, and what our clients need to know.
The EU’s data protection reforms have been common knowledge for some time, but do you really know how they are going to impact on you and your work?

The General Data Protection Regulation (GDPR) actually came into effect in May 2016, and will be enforceable from 25 May 2018. It’s a set of new rules to bring data protection across the EU up-to-date with the way businesses and organisations access, store and use personal data. GDPR aims to give individuals more power over what companies can do with their data, and to give regulatory authorities more scope to crack down on businesses that don’t comply. The regulation applies to both data controllers and data processors – of which Rullion is both.

And, in case you thought GDPR might go out of the window as soon as the UK leaves the EU, think again. GDPR will take effect before the legal repercussions of Brexit, so that means the UK must still toe the line, and the Government has put forward a new Data Protection Bill which mirrors the EU regulation. Indications are that GDPR is here to stay: it makes economic sense as UK businesses will be better able to work with their EU counterparts, even after the final farewell across the Channel.

What Rullion is doing

Our GDPR programme team has been identifying areas for improvement and enhancement since April 2017. Our Board, senior leadership team, senior managers and colleagues across the organisation have been briefed about the new regulation: what this means to them as individuals, and to our business. Staff are represented on the project as GDPR champions, and work with the project team to ensure training and communications are received and understood.

Our commitment is to provide the same high standards of awareness and support to our clients, as valued customers, as to our internal stakeholders.

We’re delivering 10 important changes to ensure our business is in line with GDPR:

1.  Upgrading data documentation

We have formally documented the personal data we hold, its sources, and which third parties share it, to help us meet obligations to our clients and candidates. A process is in place to ensure that this data is regularly reviewed so that it remains accurate and up-to-date.

2.  Communicating privacy information

We’re reviewing and updating our data privacy notices on our websites: and Our enhanced privacy information is clear, concise and jargon-free, so that existing and prospective clients and candidates are informed of the information we need to fulfil our obligations and improve our service.

3.  Updating client contracts

We’ll be updating our contracts with our clients to reflect the new legislation and to define our respective obligations. We’re currently working with our legal team and external counsel to get this process completed.

4.  Developing new privacy statements

All of our clients will need to have a visible, clear and concise data privacy statement to communicate to potential applicants, spelling out how the data supplied during the recruitment process will be used. The clarity of this statement will allow us to process data under the legal basis of legitimate interest (there’s more about this further down).

5.  Introducing a better consent process

How annoying is it when you ‘consent’ to data sharing online by failing to un-tick a box that you never ticked in the first place?! The new rules recognise this – consent to data sharing must be a definite, obvious ‘yes’ by the individual. So, we’re going to improve our process to make it easier for clients, candidates and new contacts to actively ‘opt in’ for generic recruitment communications and mail shots.

6.  Reducing the likelihood of data breaches

All our staff will continue to receive regular, on-going communications and education on how to minimise the risk of a personal data breach, and who to inform if a breach occurs.

7.  Ensuring privacy and protection by design

We’re working through a privacy by design approach across all projects, in order to: promote privacy and compliance from the start of every initiative; reduce operational risk, and ensure that all initiatives are risk-assessed on data privacy needs.

8.  Continuing to be vigilant about everyday data protection

We will continue to make sure user passwords are encrypted, data visibility is controlled by roles, and financial data is made very difficult for unauthorised people to access and decode.

9.  Specifying Data Protection roles

We’ve designated responsibility for data protection compliance, and have appointed a Data Protection Officer. The roles, responsibilities and governance structure will be absorbed by the DPO and their supporting teams to monitor, review and enhance our data protection journey.

10.  Ensuring we respect and uphold individual rights

The GDPR defines the circumstances in which companies can keep personal information about individuals on their data banks – how long they can keep it, what they can keep, and what they can do with the information. Read on to find out more.

How does the GDPR govern what companies can do with personal data?

Under the new rules, businesses don’t have the right to capture, retain or use an individual’s personal data for a specific purpose without that person’s prior consent. Personal data can cover a lot of ground – obvious stuff such as name, phone number and email address, but also any information that makes an individual ‘identifiable’ – for example, information about their finances or their mental health.

Businesses can request, process and store personal data if they have a lawful basis for doing so. Our lawful basis is the legitimate interest of introducing and representing candidates to clients to fulfil specific recruitment needs.

How we’re updating our data retention policy

It’s in everybody’s interest to make sure retained data is accurate and relevant. So, we’ve taken this opportunity to streamline the process for candidates to gain access to their personal data, as well as to outline clear procedures to meet regulatory and legal requirements:

Our data retention policy is as follows:

  • We will only keep data on candidates that is relevant to our business relationship e.g. contact details and a current CV.
  • If a candidate has been paid by our payroll services, we will keep relevant data for HMRC purposes for seven years.
  • The exception to the above is some cases related to Health & Safety requirements, where we may keep personal data for up to 40 years for legal reasons e.g. candidates who work with dangerous chemicals.
  • Generally, though, if we have had no contact with a candidate for three years, we will delete all their personal data.
  • At any time, a candidate may request that we delete their personal information. The candidate will be informed of what deletion means for them and their relationship with Rullion, and what personal data can be deleted within 30 days of their request. This is subject to the time-frames above.
  • All Rullion staff will be able to recognise and action a Subject Access Request (SAR) within the new 30 day timeframe.

Do you need further information?

There’s a lot to take in for our staff, clients and candidates, and we’re all going to be on a learning curve. If you have questions or need further information about GDPR, please contact your Rullion Account Manager, Executive Account Manager or Client Director who will be happy to discuss any specific questions you may have.