- 30% haven’t yet taken steps to prepare for the changes to the GDPR
- 55% have started to think about how they might prepare for the changes to the GDPR
- Only 15% are actively planning for the changes to the GDPR
Will GDPR apply to my business?
The GDPR, or General Data Protection Regulation, will come into force in the UK by May 2018 and will safeguard European Union citizens with respect to their data privacy rights. The legislation will impact all organisations, regardless of size, that are either based in or do business in the EU. In essence, the legislation will give individuals greater rights and control over their data by way of consent, as well as the power to access, rectify or erase information held and the right to be informed.
What are the key differences?
The financial implications of data breaches are significantly higher under the GDPR than under the existing data protection legislation. In addition, the GDPR introduces a new obligation: organisations are required to notify supervisory authorities and affected individuals of a data breach within 72 hours of discovery.
Whilst the legal basis for the processing of data has always been present in previous data privacy rules, under the new legislation, the bar has been raised on the requirement for Consent. Under the new legislation Consent must be freely given; specific; granular; clear; prominent; based on an active opt-in, statement or affirmative action; documented and easily withdrawn. You are required to notify data subjects that they have the right to withdraw their Consent and you cannot demand Consent as a condition of providing a service.
Although implicit requirements of current data protection law, the principles of accountability and transparency are emphasised and elevated under the GDPR. The new legislation requires you to record and be able to clearly demonstrate compliance with the principles – for example by documenting the decisions you take about a processing activity.
What do the changes mean for executive search?
There is no doubt that the changes to the GDPR will have a significant impact on the executive search profession. Any firm that operates in the EU, has clients that operate in the EU, or processes data on EU citizens is subject to these changes in legislation, regardless of where the information is stored, whether in emails, a database or spreadsheets. The rules will have a similar impact on technology suppliers to the industry: those who act as a data controller or data processor are also bound by, and required to comply with, the changes to the GDPR. Executive search firms will have to show that their systems and technology are compliant.
What are the penalties for non-compliance?
With severe non-compliance penalties of EUR 20 million or 4% of worldwide turnover, the GDPR will make organisations more accountable for their approach to data, and the changes must be given appropriate consideration. However, whilst there are significant financial and reputational implications for failing to comply with the changes, it is not all doom and gloom. Rather than focusing on the burden of preparing for the GDPR and the penalties associated with breaches, the new rules can be viewed as an opportunity to enhance working practices and the quality of the data stored.
What are the benefits for my organisation?
Compliance with the GDPR will foster a culture of data confidence among an organisation’s clients and candidates. Moreover, a greater level of transparency and accountability for information held and transferred will enhance working practices. The GDPR is an opportunity to enhance the quality of data held as the changes will ensure businesses invest more time in thinking about the data that they capture, its future use and how it is stored and transferred. Adhering to the GDPR is a demonstration of the quality of your operations and will strengthen relationships with clients and candidates through a greater level of transparency and increase confidence that you adhere to the highest standards. In turn, this builds on the values of confidentiality and trust that the profession prides itself on.
How should we prepare for the GDPR?
You should review the data you hold and why you hold it. It’s highly recommended that you undertake a Privacy Impact Assessment (PIA), showing that you take data privacy seriously and have it at the heart of what you do. There are PIA templates available, including on the ICO website, and as part of the process you should also look to your local Data Protection Authority to guide you as to whether you should rely on Consent or whether Legitimate Interest is a better option.
What should I expect from my technology provider?
At Invenias, we are committed to working in partnership with our customers to ensure a streamlined journey to compliance. Our customers benefit from data protection being at the heart of the design, build and operation of our technologies. Whilst the changes do not come into force until May 2018, investing time in understanding and planning for the legislation now will ensure that any required changes can be carefully considered and that the GDPR will cause minimal disruption to your organisation.
For additional resources and information relating to the GDPR and its impact on the executive search profession and how you can prepare for the changes, please visit www.invenias.com/gdpr or email [email protected].
Footnote: The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.