3 Aug2017

What Does the GDPR Mean for Executive Search?


By Andy Warren, CFO and Chief Information Security Officer, Invenias

In an industry underpinned by data, it is unlikely that the acronym ‘GDPR’ is an unfamiliar term to those working in executive search. From May 2018, the rules and regulations regarding the way in which data is stored, shared and moved will change dramatically, and this will have a significant impact on the working practices of the executive search professional.

A recent survey by Invenias of executive search professionals revealed:

• 30% haven’t yet taken steps to prepare for the changes to the GDPR.

• 55% have started to think about how they might prepare for the changes to the GDPR.

• 15% are actively planning for the changes to the GDPR.

With a plethora of information available, this article provides a general overview of the GDPR and discusses the impact of data protection changes on those responsible for executive hiring.

An overview of the GDPR

The GDPR or General Data Protection Regulation will come into force in the UK by May 2018 and will safeguard European Union citizens with respect to their data privacy rights. The legislation will impact all organisations that are either based in, or do business in, the EU. In essence, the legislation will give individuals greater rights and control over their data by way of consent as well as the power to access, rectify or erase information held and the right to be informed.

The Key Differences

The financial implications for data breaches are significantly higher under the GDPR than under the existing data protection legislation. In addition, under the GDPR, organizations are What Does the GDPR Mean for Executive Search? By Andy Warren, CFO and Chief Information Security Officer, Invenias Sponsored content: Invenias Executive Talent - 41 required to notify supervisory authorities and affected individuals of a data breach within 72 hours of discovery, a new obligation introduced by the GDPR.

Whilst the legal basis for the processing of data has always been present in previous data privacy rules, under the new legislation, the bar has been raised on the requirement for Consent. Under the new legislation Consent must be freely given; specific; granular; clear; prominent; based on an active opt-in, statement or affirmative action; documented and easily withdrawn. You are required to notify data subjects that they have the right to withdraw their Consent and you cannot demand Consent as a condition of providing a service. Although implicit requirements of current data protection law, the principles of accountability and transparency are emphasised and elevated under the GDPR. The new legislation requires you to record and be able to clearly demonstrate compliance with the principles – for example by documenting the decisions you take about a processing activity.

What do the changes mean for executive search?

There is no doubt, the changes to the GDPR will have a significant impact on the executive search profession. Any firm that operates in the EU, has clients that operate in the EU, or that processes data on EU citizens are subject to these changes in legislation, regardless of where information is stored, whether it is held in emails, a database or in spreadsheets. The rules will have a similar impact on technology suppliers to the industry, with those who act as a data controller or data processor also bound by and required to comply with the changes to the GDPR. Executive search firms will have to show that their systems and technology are compliant.

It’s not all doom and gloom

With severe non-compliance penalties of EUR20 million or 4% of worldwide turnover, the GDPR will make organisations more accountable for their approach to data and the changes must be given appropriate consideration. However, whilst there are significant financial and reputational implications for failing to comply with the changes, it is not all doom and gloom. Instead, rather than focusing on the burden of preparing for the GDPR and the penalties associated with breaches, the new rules can be viewed as an opportunity to enhance working practices and the quality of data stored.

Compliance with the GDPR will foster a culture of data confidence among an organisation’s clients and candidates. Moreover, a greater level of transparency and accountability for information held and transferred will enhance working practices. The GDPR is an opportunity to enhance the quality of data held as the changes will ensure businesses invest more time in thinking about the data that they capture, its future use and how it is stored and transferred. Adhering to the GDPR is a demonstration of the quality of your operations and will strengthen relationships with clients and candidates through a greater level of transparency and increase confidence that you adhere to the highest standards. In turn, this builds on the values of confidentiality and trust that the profession prides itself on.

Partnering with the right technology provider

At Invenias, we are committed to working in partnership with our customers to ensure a streamlined journey to compliance. Our customers benefit from data protection being at the heart of the design, build and operation of our technologies. Whilst the changes do not come into force until May 2018, investing time in understanding and planning for the legalisation now will ensure that any required changes can be carefully considered and that the GDPR will cause minimal disruption to your organisation. For additional resources and information relating to the GDPR and its impact on the executive search profession please visit www.invenias.com/gdpr or email insight@invenias.com.

Footnote: The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

Andy Warren

CFO and Chief Information Security Officer