With the May deadline for GDPR compliance fast approaching, the executive search profession is busy planning and revising their policies and processes. The application of the legislation presents a number of challenges for all organizations that handle the data of European citizens, not least the fact that the GDPR wasn’t tailored to meet the nuances of a profession so reliant on high quality personal data.
Sadly, there are no clear-cut rules that organizations should abide by to guarantee compliance and there are still a number of business decisions to be made in areas where there are not yet definitive answers.
However, preliminary findings from the Invenias GDPR Survey suggest that a common consensus is emerging regarding the approach taken by leading search firms as they seek to comply with the legislation. As the largest global survey of executive search professionals and their approach to GDPR compliance, the Invenias survey’s findings will provide the industry with best practice guidance, a common consensus and an additional level of clarity as the May 2018 deadline approaches.
Over 350 responses have given initial clarity in two key areas: the lawful basis for processing candidate data and data retention policies.
Legitimate Interest v Consent: Preliminary Survey Findings
Question asked: Which lawful basis do you plan to use as default for candidate data (excluding special category data)?
Preliminary findings from the Invenias GDPR survey suggest that just 1 in 10 search firms will opt to rely solely on the lawful basis of Consent when processing candidate data (excluding special category data). 43% of respondents plan to rely solely on Legitimate Interest, with the remaining 47% planning to rely on a mixture of bases throughout the hiring process.
How do you rely on Legitimate Interest?
Legitimate Interest is likely to be most appropriate where you use people’s data in ways they would reasonably expect, and which have a minimal privacy impact. If you choose to rely on Legitimate Interest, you are taking on extra responsibility for considering and protecting people’s rights and interests. There are three elements to the basis of Legitimate Interest, and it may be helpful to think of this as a three-part test. You need to:
- Identify a legitimate interest;
- Show that the processing is necessary to achieve it; and
- Balance it against the individual’s interests, rights and freedoms.
How do you use Legitimate Interest in practice?
When seeking to rely on Legitimate Interest as a lawful basis, you must balance your interests against the individual’s. If they would not reasonably expect the processing of their data, or if it would cause unjustified harm, their interests are likely to override your legitimate interests. It is good practice to keep a record of your Legitimate Interest Assessment (LIA) to help you demonstrate compliance if required, and details of your legitimate interests must be included in your privacy notice.
How do you rely on Consent?
Consent can be a challenging lawful basis. Under the GDPR the threshold for valid Consent is high and potentially harder to achieve. It’s not mandatory, and other lawful bases (e.g. Legitimate Interest) may be more appropriate to use. If you pursue Consent then you must request it from the data subject, which may be fine when you are at an engaged stage of discussion or assignment. However, if you send Consent requests to your whole database or a large volume of candidates, then you have a substantial risk of no response. If you do not get a response, then you have no lawful basis to hold the data. Once you have gone down the route of Consent, you can’t fall back on Legitimate Interest which means you’d have to delete that data. And if you’re applying Consent for one assignment it will still apply to all the personal data held for those candidates which means you could lose them for future assignments.
Data Retention Policies: Preliminary Survey Findings
Question asked: How long are you planning to keep data in your database before reviewing or refreshing it?
Preliminary findings from the Invenias GDPR survey suggest that most search firms will take a longer-term approach when setting data retention policies, with over half of respondents opting for a retention policy of more than three years.
The GDPR states that personal data shall be kept for no longer than is necessary and that the period should be limited to a strict minimum. In addition, time limits should be established by the data controller for deletion of the records or for a periodic review. Search firms should establish a policy, ideally with a formulaic basis; at present there is no “right” answer. It may also be that different retention periods are established for different types of data.
How do you set your Data Retention Policy?
When establishing your policy, a good place to start would be consideration of the average time a candidate is in a role, or the average interaction period with a candidate from assignment to assignment, according to the types of engagement on which you focus. In a 2017 study of the top 1,000 US companies, Korn Ferry Institute found that the average tenure for a C-suite position is 5.3 years. When setting data retention policies, search firms should bear in mind the need for data to be accurate and up to date. Accuracy is a legal requirement under the GDPR and ultimately better for your business.
What is clear under the GDPR?
Whilst we wait to see the true impact of the GDPR on the executive search profession, a clearly defined tenet of the GDPR is the requirement to demonstrate how you comply with the legislation. To meet this requirement, it is important that search firms have the right software and systems in place to record and report on their policies and procedures. Tools that offer a flexible framework to implement and manage decisions and actions across your business as well as providing support for responding to data breaches, Data Subject Access Requests and managing the Right to Be Forgotten will make GDPR compliance a less daunting proposition.
The GDPR: Confusion… Consensus… Clarity
The fact that the legislation isn’t industry specific presents a number of challenges as search firms look to define and implement their GDPR policies and procedures. Whilst there are key areas where there are not yet definitive answers, we are beginning to see clarity in the approach leading search firms are taking to GDPR compliance. The largest survey of executive search professionals, ‘The GDPR and Executive Search: What’s the Common Consensus’, provides insight into industry trends and offers organizations best practice guidance as the May 2018 deadline approaches. To request a copy of the full survey write-up, please email [email protected].
At Invenias, we believe that technology plays a pivotal role in assisting search firms on their journey to compliance. We are committed to supporting our customers with the tools to give them a flexible framework to implement, manage and clearly document their decisions and actions. To learn why over 1,000 organizations across the globe have chosen to partner with Invenias to guide them through the GDPR, please request a free personalized demo with a member of our experienced team or visit www.invenias.com/gdpr.