How GDPR Will Impact Executive Search
First published on our Blog May 28, 2017
Nearly every industry on the planet has become more globally connected, and the executive search industry is no exception.
Even though GDPR is a new regulation facing the United Kingdom, compliance will be required no matter where your company is operating. Non-compliance comes with massive fines and, given the extent to which the executive recruiting industry relies on big data, GDPR will have a large effect on executive recruiting companies across the globe.
What is GDPR?
GDPR is pretty technical, so here’s a fun POP QUIZ before we get to the specifics of the regulation.
- General Directive for Personnel Removal
- Giant Delicious Pizza Roll
- Geometric Detailing for Porsche Rentals
- General Data Protection Regulation
- Generously Designed Porch Recliners
If you chose “General Data Protection Regulation,” you’re a winner! Even if you chose the Pizza Roll, everyone gets a prize, which is more information on GDPR.
The General Data Protection Regulation goes into effect in May of 2018 and is being introduced with the goal of establishing a standard for the protection of EU citizens' personal data. These new data regulations will affect any company that:
- Operates in the European Union
- Has clients operating in the EU
- Processes data on EU citizens
The European Union is a collection of 28 European countries, and, though Great Britain is in the process of “Brexiting” the EU, the remaining countries in the EU still constitute a massive economic force. The citizens of the EU also constitute a massive data set and, given the increasingly global business of placing high-quality executives, many companies in the United States will be forced to adopt new practices for handling data.
How does GDPR Affect Executive Recruiters?
Whether “personal data” on an EU citizen sits in a database, a spreadsheet or even an email, using this data without the permission of the “data subject” (the person the data is about) is a breach of GDPR.
According to the GDPR site, “personal data” is:
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
This sort of data is bread and butter for executive recruiting companies and executive recruiter technology companies. Once GDPR goes into effect, however, the only way to lawfully use this data is for the “data subject” in question to give explicit permission to process and use their data.
You have probably agreed to plenty of “terms of service” agreements in the past, but GDPR requires much more explicit language on forms asking EU citizens for consent to use their data.
Here are the new conditions for “data subject” consent under GDPR:
“The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”
So, when using contacts lists and candidate databases generated on EU citizens, executive recruiting companies need to ensure that the companies/individuals who gathered this data are compliant with GDPR. Additionally, these new terms of consent should be offered to all EU executive contacts and citizens that your company has personal data on.
Executive recruitment companies and executive technology companies are “Data Controllers:”
“a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.”
Data controllers and processors that handle personal data on EU citizens will need to comply with these new rules of consent for the use of data, along with the other key changes GDPR makes to EU data privacy law. Data controllers and processors are also individuals within your company, so ensuring compliance means getting these people up to speed on GDPR as soon as possible.
Additionally, executive search companies and executive search technology companies will have to prove that their methods, systems, and technologies are compliant with GDPR, or else face substantial penalties.
“Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.”
Privacy by Design is relevant for any company that has search tools that could process data on EU citizens or uses/maintains an executive database that handles the personal data of EU citizens.
Here's the short version of Privacy by Design:
“At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.”
And here’s the longer definition for Privacy by Design:
“More specifically – ‘The controller shall.. implement appropriate technical and organizational measures.. in an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects’.
Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimization), as well as limiting the access to personal data to those needing to act out the processing.”
Security needs to be a major focus for any company producing tools that are used in the UK, used by clients in the UK, or that use the personal data of EU citizens. All products will have to comply with these regulations, but this hurdle is also an opportunity to be one of the first products on, or back on, the market.
The best course of action to prepare for GDPR is to analyse which clients and customers you have in the EU and to audit for “personal data” within your company’s databases, contact lists, emails and the other data sources your company uses. Then audit the data security measures that are in place for your databases and for the tools that your company uses or produces.