Navigate GDPR Compliance Update

A question of consent

In our last news item we introduced the GDPR and the ways in which our practice will change so that we are compliant with the regulations. In this update we explain (i) the issue of express consent that we must have from all individuals who work with us as associates to store and process personal data and (ii) the way we will ensure our clients and our umbrella company Paystream are GDPR compliant.

To work with you as an associate, we need to store and process your personal information for legitimate business reasons.

We store and process your data internally and, where relevant, we also pass it to our clients, our umbrella company Paystream (if your work is within the IR35 ruling) and HMRC when we make quarterly our return to them.

The GDPR requires us to gain your express consent to the storage and processing of data

You also have the right to withdraw your consent at any time and we must make you aware of this before you give us your informed consent

Clearly, we only store and process your data for legitimate business reasons including the purpose of contracting with you. So, we need all our associates to consent to their data being stored, processed, and shared where necessary. We will be working with our associates in the coming months to make sure we have associates consent to their data being stored and processed.

Below we outline the data flow and content between individuals, Navigate, our clients, our umbrella company and HMRC so you can see what data is stored, where it is stored, and what it is used for.

Current On-boarding (New individual contacts Navigate)

  • Individual submits CV to Navigate by e mail
  • CV retained on our data collection system (Filefinder) and secure server in Word
  • Registration form submitted to individual via e mail in Word whose experience is aligned to our clients’ demand
  • Individual returns registration form in Word by e mail
  • Registration form stored on data collection system and secure server in Word
  • References requested by e mail or post
  • References returned by e mail or post
  • References retained on data collection system and secure server in Word
  • Qualifications, DBS, Passport, Proof of address requested
  • Qualifications, DBS, Passport, Proof of address returned to Navigate and stored securely on our server
  • All data held securely internally to Navigate

To comply fully with GDPR, we need to add a step at the outset of the process to ensure individuals who submit data to us know and understand how we will store and process that data and to give them the option to have their data withdrawn from the system or amended, for example through submission of an updated CV. We will put this in place in the new year.

In terms of how our work flow happens, from the point at which a client contacts us with a requirement, this is what happens

  • Prospect of work comes to Navigate by phone/email
  • Navigate searches Filefinder (our database) to identify individuals who match client need
  • Navigate contacts those who match, gains permission to send details to client by phone/email
  • Audit trail maintained in Filefinder of permissions granted and data shared
  • CV submitted to client
  • Client makes decision
  • Individuals contacted & informed of client’s decision – next step or reject
  • Audit trail maintained on Filefinder
  • Outcome of interview/meeting – offer of employment (Inside or outside IR35) or reject
  • Audit trail maintained on Filefinder
  • Inside IR35: contracts drawn up, individual’s details shared with Paystream and client
  • Outside IR35: contracts drawn up, individual’s details shared with client
  • Audit trail maintained on Filefinder

We need to add in the following steps to ensure compliance with the new regulations as follows:

We will ask our clients to guarantee they will destroy all data from individuals who are rejected

We will ask our clients to guarantee to us that they are GDPR compliant in relation to individuals who are successful

We will ask Paystream to guarantee they are GDPR compliant

We hope this provides you with a useful update of our actions to ensure Navigate continues to offer a high-quality service to all with whom we work.

Best wishes,

The Navigate Team.