A Quick Synopsis
The General Data Protection Regulation (GDPR) was passed in 2016 and becomes enforceable from 25 May 2018. The regulation is designed to provide a common set of rules which govern how personal data should be respected and looked after by those who hold it or work with it. Indeed, fundamentally the GDPR is about a Data Subject’s (defined as any natural person on living individual) human rights when it comes to their identity. A common misconception is that the GDPR only applies to organisations within the EU, but the reality is that the GDPR will impact a significant proportion of businesses globally.
The GDPR expands on existing data protection legislation providing enhanced rights and freedoms to Data Subjects, it also forces organisations that work with and store personal data to be more transparent about the who, what and why about which they are using this data. The regulation has been brought up to date to better define modern cyber security threats and directs organisations to take appropriate organisational and technical measures to try and ward against them. It sets out clearer definitions of data beaches and how the movement of data around the globe should be managed and appropriately secured.
The GDPR also gives the various Supervisory Bodies responsible for ensuring that the GDPR is complied with, significantly enhanced scope for action against organisations which do not try and comply with the regulation. These actions can range from guidance and advice, informing data subjects of a breach, forcing organisations to stop processing all together and, of course, financial penalties which can be as high as 20m Euro or 4% of group annual turnover for the most serious infringements.
Above all the GDPR is focussed on accountability. Organisations must be able to demonstrate how they are complying with the legislation. The need to record and track interactions with data, how they are assessing how secure personal data is and the fact that they should only be working with processors of data that can assure them of compliance are just a few of the steps they have consider. Where an organisation is compliant with the principles of the GDPR, consumers should feel that very serious due consideration to their rights and freedoms in relation to their personal data has been taken and there are robust measures in place to protect them.
Some of the key points:
The rights of a data subject
There are now 8 individual rights of the Data Subject (rights of natural persons) which organisations who work with personal data must ensure they are providing for in their dealings with a Data Subject.
The right to be informed – This right means that organisations must supply a considerable amount of information to the Data Subject so that the individual is able to make clear and informed choices about how, or even if, they want an organisation to hold their data. It is imperative that this is supplied in a manner which is concise, intelligible and easily accessibleas well as written in plain language. The information supplied needs to include (amongst others) elements like the purpose and legal grounds for processing, any recipient of the data, the subjects rights, how long the data will be retained, how to complain and how to exercise their rights.
The right of access – This allows Subjects access to their personal data so they can be awareof and verify the lawfulness of processing. One change in the GDPR from outgoing legislation is that this can typically no longer be charged for. Here the organisation must take appropriate steps to verify the identity of the individual making the request. It is recommended that best practice is for organisations to provide remote access to secure self-service portals giving the Subject direct access to their information.
The right to rectification – This allows Subjects to have their information rectified if it is inaccurate or incomplete. An organisation can refuse but it must have a legitimate lawful ground for doing and the Subject must be informed together with their right to complain.
The right to erasure – Commonly known as the right to be forgotten, Subjects can have their data erased to prevent further processing in certain circumstances. This typically would be where a Subject withdraws consent or objects to processing or when the data is no longer necessary in relation to the purpose for which it was originally collected. If the data has been passed to any 3 rd parties they too need to comply with the erasure. Organisations need to be able to record the right to erasure in a suitable manner.
The right to restrict processing – This is commonly a transient state and prevents all forms of processing other than storage. An example of where it might apply could be where a Subject contests the accuracy of data and it is being verified.
The right to data portability – This gives Subjects the right to obtain and reuse their personal data for their own purpose across different services. This needs to be provided in commonly used machine-readable form and must be free of charge.
The right to object – This gives individuals the ability to object to processing of their data if amongst other, it’s being processed via legitimate interests, or used for direct marketing.
Rights related to automated decision making or profiling – This allows Subjects to see how any such decisions are being taken and gives them rights to obtain for example human intervention.
On what basis can executive recruiters store information on executive?
In order for an organisation to process data lawfully we should first consider what we mean by processing. Essentially this means any interaction with the data including storing it. Any entity which alone or with others decides the purpose and means of any processing of the data is defined as the Controller for that data. Any entity which undertakes a processing activity as, or on behalf of, a Controller is known as a Processor of the data.
For Processing to be legal it must meet the following principles of processing personal data.
Processed fairly and Lawfully. The reality is there are only really 6 ways in which data can be processed lawfully: Necessary for the performance of a contract, necessary to protect the vital interests of a subject, compliance with a legal obligation, in the public interest or exercising official authority, it’s in the legitimate interests of the Controller except where such interests override the rights and freedoms of the data subject or finally it’s with the consent of the Data Subject. Depending on circumstances any one of these could be used but it’s important to note that each processing task must be assessed against these principles separately and an Organisations relationship with a Subjects data may cover several of these grounds over the lifetime of that relationship.
Adequate, relevant and limited to what is necessary. This is the concept of minimisation. It’s is important that you are only processing the minimum amount of data required to undertake the particular processing task.
Accurate and where necessary kept up to date. Organisations have an obligation to ensure that they are processing accurate information on the Data Subject. It’s recommended that Data Subjects be given the ability to review their data and update appropriately.
Collected for specific, explicit and legitimate purposes. Data which is collected for a particular purpose should only be used for that purpose. This is important in the context of search – if you have consent to just store data on a Subject, this does not allow you to use this information for business development purposes.
Kept for no longer than is necessary. Organisations should have a retention policy on all forms of personal data which need to conveyed to the Data Subject when you are collecting their data for Processing. There is no such thing as indefinite consent.
Processed in a way which ensures security. Organisations have an obligation to take appropriate technical and organisational measures to safeguard Subjects data from unauthorised access and processing. This will range from having appropriate staff training, policies and process through to things like encryption of data. Data stored on local devices – Outlook contact lists or spreadsheets – is high risk and should be avoided where possible unless appropriately protected.
Any organisation has to be able to demonstrate that are compliant with these 6 processing principles when working with Personal data.
First and foremost, if an organisation picks a lawful ground for a specific task in data processing, it can’t chop and change. For example, if an existing candidate is asked for consent to continue holding their data. If they fail to give this consent it can’t then be decided to try to process them using legitimate interests.
Contractual grounds is the easiest approach but an organisations rights to process the data are in line with that contract. Once it ends another method needs to be found (or ideally get the candidate on another contract!).
Consent is one of the safest grounds as it removes a lot of ambiguity when done correctly but the biggest issue is that you have to have opt-in consent. Organisations that have built up databases of many thousands of candidates may find that after an opt-in consent exercise their databases are considerably smaller. This has naturally caused a lot of concern but if a pragmatic view is taken of the data, how many of those candidates are truly active and in regular communication? A database of consented candidates means they want organisations working with them.
Legitimate interest is gaining favour as it’s still more in-line with “opt-out” rather than the “opt-in” of consent but in order to use legitimate interest grounds organisations have to undertake and document what’s known as a balancing test. This can be a challenging test and is designed to ascertain if the organisations interests in processing the data conflict with any impact to the subjects and their expectation of what will happen to their data. One common misconception with Legitimate interest is that if you have not collected the data directly from the Subject (say via social media or similar) you might not need to inform them. Under the “right to be informed” however organisations must tell the Subject that they have their data and provide them with a privacy notice as well as or including transparency information and their rights to be forgotten or object within a reasonable time. This reasonable time is no later than one month, at the time of first communication or before data is disclosed to another recipient (e.g. your client).
Data protection by design and default
To tie together these processing principles and the subject access rights mentioned above organisations must be able to demonstrate data protection by design and default. Essentially this looks at how seriously an organisation is taking the security of the personal data it holds and how it is Processed. Organisations may need to appoint Data Protection Officers depending on circumstances, they will need clear policies and processes to support the legislative requirements of the GDPR, they will need internal audits of processing activity, use data protection impact assessments where appropriate and need to implement measures such as encryption. Records of these could well need to be made available to the relevant Supervisory Authority for the purposes of any investigation.
So, what does this mean for executive recruiters?
The first thing any organisation needs to do is think about its data processing policies. They need to create – and write down – the rules which will be followed for storing executive information. They will need to determine when you will consider “Legitimate Interest” to be the basis for processing and under what circumstances Consent will be required.
Most recruiting teams reading this document will have extensive data already. It is highly unlikely that all of this data is compliant. Agencies need to deal with this before May 2018. They potentially will need to review and make contact with all of their legacy data in exactly the same way as they would for someone added after the enforcement of GDPR in May 2018 – the rules do not differentiate between old data and new.
They will then, preferably via their database or CRM system need to track the following information:
On what legal basis are you processing the data?
What was the origin of the data?
What is the legal status of the data?
What is the history of your interactions with the individual regarding compliance
The GDPR is a huge, wide ranging piece of legislation with noble goals designed to help protect our identities. It is this huge scope however which means in some areas it has to be deliberately vague and many organisations are struggling to put in place the required measures to firmly get them on the road to compliance. GatedTalent was designed and built to help organisations with this task by providing a scalable platform that addresses many of the obligations discussed. By handling the managing of the interactions with Data Subjects and putting them in control of their data within our platform, GatedTalent ensures that you are providing the information required and giving the subjects the ability to action their rights as set out in the legislation. GatedTalent ensures that you are telling the Subject of your lawful grounds for processing and works with the Subject to show how an organisation is Processing their data due to the principles required under the GDPR. It remains the responsibility of the Search firm to manage any data stored outside of GatedTalent. GatedTalent users do not require FileFinder Executive Search Software; however, when used alongside FileFinder, the two products interact seamlessly, allowing connection requests and responses to be managed directly from FileFinder. Furthermore, a host of additional benefits are also delivered by the integration.
There is no magic solution to the focus and effort that organisations around the world need to put in to getting and maintaining a compliant status with the GDPR but GatedTalent can certainly help show an organisation is taking appropriate technical and organisational measures and that its treating its Subjects’ data with the respect it deserves.
GatedTalent Research Report
GatedTalent has undertaken an investigation into what the introduction of GDPR could mean for the global executive search industry and the talented executives, professionals and leaders that it works with.
While GDPR has the potential to reduce the size of your database, it could also deliver significant commercial advantages to those recruiters that embrace it, as it could represent an opportunity to engage more closely with senior talent and access more accurate and up-to-date talent data on an ongoing basis.
Read the full report “Unintended Consequences – Why GDPR could move executive careers into the slow lane”
GatedTalent is currently in beta. More executive search firms and in-house recruiting teams will be added to the platform during Q4 2017 with full, global availability from the beginning of 2018.