A nine step program for executive search firms
From May 2018, all organizations that handle the data of EU residents will be required to comply with a single set of rules, regardless of where the organization is located. Compliance with the GDPR represents an opportunity to transform how your firm manages personal data. Below is a checklist of how you can prepare for, and ultimately benefit from the GDPR.
Review and update your Technical & Organizational measures
The General Data Protection Regulation (GDPR) demands that you have the appropriate technical and organizational measures for processing and controlling personal data in your company. This means that, at the very least, you will need to review your current set up and procedures and it’s likely you will have to build or rebuild some from scratch.
You need to make sure your data is organized, understand what it is and know where and how it is stored. You’ll need to consider the security of the data, both physical and electronic, and any encryption or intrusion prevention measures. If you’re using a processor, you must satisfy yourself that their processes and environment are sufficient to protect your data too.
Overall, you’ll need to show that you’ve assessed the ongoing confidentiality, integrity, availability and resilience of processing systems and services. And you’ll have to make sure that your internal policies and processes are recorded, communicated and followed, and that somebody in your company has overall responsibility for this.
Create a GDPR File
Create a hard copy or electronic central GDPR file and use this as the Repository for all your GDPR compliance, as well as to drive and apply compliance and policy decisions. You can record Documents, Templates, Statements, Privacy Impact Assessments (PIAs), Policies and Processes in the GDPR Record. You can also record any special cases of Consent Withdrawal, Data Subject Access Requests (DSARs) and Data Breaches.
In addition, you can track your staff training and awareness programmes.
Assess and record the Data Streams you are processing
Think about the different data streams you are processing:
- Candidates are the most obvious - Split between placement, coaching, consultancy, references etc.
- Client contact data - For completing existing assignments and for marketing and sales
- Employee data - You will need to process the personal data of your own staff under their Employment Contracts
Each of these requires different approaches and processes:
- Purpose will vary (even within each category)
- Lawful basis will differ (Legitimate Interest, Consent, Contract)
Determine and record the Purpose of the processing
Consider and record the purposes of your processing; Specify what you are using it for; Make it explicit; Ensure each purpose is legitimate; Consider how you can restrict data being used or processed in other ways.
Consider and undertake Privacy Impact Assessments
Privacy Impact Assessments (PIAs) can be used to identify and reduce the privacy risks of your projects. They can reduce the risks of harm through misuse of personal information and help you design more efficient and effective processes for handling data.
There are many online templates for PIAs and these should be downloaded and used as a guide. Do this as part of your GDPR preparation and save the completed PIAs in you GDPR file. PIAs are good practice and provide a clear indication of Privacy by Design, which is a key GDPR principle.
Decide and record the lawful basis on which you will process data
There are three main options for the lawful basis that you must have in order to process data. These are Consent, Legitimate Interest or Contractual Necessity. You only need to choose one and there is no hierarchy, but certain situations may lend themselves to one basis over the others.
GDPR Consent must be freely given, specific, informed and unambiguous; it must be explicit in certain cases and can be withdrawn. It’s aligned with other Rights (to be forgotten; to have access; to be informed) and may be required by certain Search Firm clients either by Company or Assignment.
Legitimate Interest is a valid alternative to Consent as a lawful basis for processing (although not for special categories of data). It won’t be valid if it harms the rights, interests or freedoms of the individual. You should explain and record your legitimate interest in your GDPR file.
Contractual Necessity will generally be used for Employment contracts and may be applied for client agreements and candidate agreements where you have them.
Use a risk-based approach to decide what you are going to do about informing data subjects
The Legislation says you should inform data subjects within a reasonable time frame (a month is suggested by the Information Commissioner's Office) and that you must do it at the time of contact if you are obtaining data from the data subject. And informing a candidate of the data you hold when you speak to them makes absolute sense. You’ll have to let the candidate know the identity of the controller (your firm); reasons for processing their data; and other relevant information necessary to ensure fair and transparent processing.
If you are investigated, most likely for another reason such as a complaint or a data breach, any failure to inform candidates could be an exposure and the impact will depend on the extent that your non-compliance could have (or has) impacted the individual; any fines will take this into consideration.
Whilst informing candidates is a significant operation, a dialogue and communication with candidates to check and verify their data is not a bad thing for your firm’s credibility and quality. It may be that a phased contact process, rather than a big bang approach, would work best for you to move to compliance.
Understand how you will handle requests for deletion and right of access
A data subject has the right ask for their data to be deleted at any time. You’ll have to respond to this promptly, but it’s worth having a process to understand the circumstances leading up to such an event to prevent it happening too often.
A candidate can make a Data Subject Access Request (DASR), which is a request both for confirmation that their data is being processed and for access to their personal data (usually in the form of an electronic report). Such a report would have to contain all the relevant personal data held with minimal exceptions, including purposes; categories and retention periods for their data; data sources; recipients or categories of recipients; any automated decision making and profiling that has been applied; and details of cross border transfers.
You must gather all the information and data held on the individual and provide a report within one month at no charge. And this will bring home the fact that you shouldn’t be holding any data that you would feel uncomfortable about the data subject seeing.
Determine who is going to be responsible in your company and whether you need a DPO
You won’t necessarily require a Data Protection Officer (DPO) depending on the size of your firm and what you are doing with the data. However, you will need to nominate someone to take overall responsibility in your company and their details should be recorded in your GDPR file.
You should also ensure that there is full training and awareness for your staff and that anyone who is handling personal data has sufficient knowledge of GDPR and what to do about the requirements.
The Invenias Solution
At Invenias, we know how much our customers rely on us to ensure data protection is at the heart of the design, build and operation of our platform. Our most recent initiatives support the latest developments in data privacy and GDPR with dedicated features and functionality to assist with compliance. For additional information and resources relating to the GDPR, visit www.invenias.com/gdpr or email gdpr@invenias.com.
About the Author
Andy Warren is Chief Information Security Officer and CFO for Invenias and has considerable experience and expertise in the field of data security and transfer. He was a founding member of the Information Systems Audit division at EY and was responsible for IT Audit and security for UK and Europe for Philips Electronics. Andy has worked across the Telecoms and ISP industry with focus and responsibility for data security and transfer.
Receive AESC's Executive Talent Monthly - Insights for the C-Suite