What about Legitimate Interest?
The ICO suggest that Legitimate Interest may be the most appropriate legal basis in many cases, providing it doesn’t override the rights and freedoms of the data subject. And in most cases, with executive search it’s likely that it won’t override these interests or prove controversial to a candidate.In addition, it certainly seems reasonable to assume that the holding and processing of current, up to date and relevant data on candidates is in the Legitimate Interest of an executive search firm and your clients and candidates.
Write it down
Whilst the most appropriate legal basis will differ dependent on circumstance and the requirements of your clients and candidates, whichever basis you choose to rely upon, the important thing is that you clearly record your decision and legal basis.Given the recent guidance and the nature of executive search, it seems likely that most search firms will rely on the basis of Legitimate Interest to satisfy the GDPR. It is also perfectly feasible to seek to rely on Consent, and in fact, some clients may demand this for their assignments. However, it us worth noting that any Consent you have obtained to date is unlikely to satisfy the GDPR requirements and most advice points towards refreshing such Consent both prior to GDPR and regularly thereafter.
Consent under the GDPR
The key components of GDPR Consent include requirements to be freely given; specific; granular; clear; prominent; based on an active opt-in, statement or affirmative action; documented and easily withdrawn. You are required to notify data subjects that they have the right to withdraw their Consent and you cannot demand Consent as a condition of providing a service.The processing of sensitive data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data requires Explicit Consent. Whilst the processing of sensitive data is probably less likely in executive search outside specialist companies, Explicit Consent differs from general Consent as a legal basis in that it is a requirement, not a choice.
The next steps
Review the data you hold and why you hold it. It’s highly recommended that you undertake a Privacy Impact Assessment (PIA) and there are templates available on the ICO website. You should also look to your local Data Protection Authority for guidance as to whether you should rely on Consent or whether Legitimate Interest is a better option.The most appropriate legal basis for the processing of data will vary dependent on circumstance and client requirements, but one thing that is perhaps more clear cut is the need to clearly document the legal basis under which you seek to rely upon.
The Invenias solution
Invenias' most recent initiatives support the latest developments in data privacy and GDPR with dedicated features and functionality to assist with compliance to learn more, request a free no obligation demo with a member of our experienced team.