May 19, 2017 – One year from now, the European Union’s General Data Protection Regulation (GDPR) goes into effect. The law will have a tremendous impact on how companies, government agencies and, yes, executive search firms across the E.U. — including the U.K. — handle personal data.
Ignore the law and you can expect tough penalties for failing to comply. What’s not been discussed much: U.S. recruiting firms and others that collect and process information about individuals living in the E.U., no matter where they are, are also affected.
For all the benefits the digital age has bestowed, it has brought a degree of risk to individuals, particularly when it comes to privacy. The new law will crack down on such intrusions, mandating stricter protections of personal data. Among the requirements: individuals must consent before organizations can maintain or make use of someone’s personal information; cyber breaches must be reported within 72 hours; and people have the right to have their information deleted and stop it from being made available to others.
Abuse of Personal Data
“In Europe, in particular, there has long been a widely-held concern about the use and abuse of personal data,” said Anthony Harling, co-founder of Not Actively Looking, a U.K.-based online platform that allows senior executives to confidentially make their career information available to selected executive search firms.
“It’s not just about spam and unwanted marketing messages, it’s also a fear of ‘Big Brother’ gathering information about us. We don’t know what information they’re holding and what they’re doing with that information. GDPR will change the way that things are done, particularly for the recruiting industry.”
Mr. Harling, who has 25 years of experience in the search sector, including stints with Heidrick & Struggles and Eric Salmon & Partners, said the new law goes well beyond databases: it also affects human resources records and IT systems. Mr. Harling, who emphasizes that he is not an attorney and that every search firm must seek its own legal advice, said that for most firms it is indeed their IT setups that could cause them the greatest problems.
“Many of the changes required by GDPR concern the way that the search firms obtain consent and require the implementation of proper policies, training and procedures,” said Mr. Harling. “It’s about defining your policies, making them transparent, and adhering to them. Under the terms of GDPR, it’s no longer sufficient to say that we have always done things that way, or that we assumed consent because the candidate sent us his CV or resume.”
In certain cases, he noted, a search firm might be able to argue that they had a ‘legitimate purpose’ in holding certain data, but this is not a catch-all category that covers every situation. “Provided that search firms put in place the right policies and procedures, they should be able to operate in the future in a manner that is GDPR-compliant. Deciding how to deal with historic data, however, might also be a significant challenge.”
Under the new rules, organizations must notify individuals about whom they hold historical personal information and give them a chance to view, amend or delete the record. “The bottom line is that search firms need to assess what data they are holding and review what they do with it and how they are going to operate from now on,” said Mr. Harling. “Starting sooner rather than later is a good idea.”
And don’t think that it is just the big five firms or expensive search consortiums that are under siege. Even a mid-sized boutique could be storing records about tens of thousands of individuals, Mr. Harling said. Much of that data is incomplete or out-of-date. Still, search firms will have to decide what to keep and what to discard.
“For those that they keep, search firms will be obliged to contact the individual concerned and make them aware of the information that is being held,” Mr. Harling explained. “The workload involved is going to be significant and it cannot be ignored. For all executive records in the database, whether general contacts or relationship contacts, firms will need to make a decision and act accordingly. The smart firms will work out a way of using this to their advantage but the clock is ticking.”
Ignoring GDPR would probably be a big mistake. Failure to comply with the regulations could result in big financial penalties of up to $25 million or four percent of global turnover, whichever is the larger, plus damages to everyone affected by the breach.
“In short, hundreds, if not thousands, of search firms need to wake up and work out how GDPR impacts their business and what they are going to do to ensure that everything is GDPR-compliant,” said Mr. Harling. “In the event that a number of search firms decide to ignore the new regulation, then it’s to be expected that the E.U. will take some sort of action to show that they mean business. Few search firms could survive the fines, but beyond that the reputational risk is also at play here.”
Help On the Way
Assistance, however, is available. Specialist GDPR consulting firms that focus exclusively on the executive search industry have sprouted up and can show firms what they must address, the documentation they will need, and what they should be doing as they move forward.
Preparing one’s employees about the regulations is a particularly important step. “Under GDPR it’s not sufficient to say that you thought everybody in the firm had been told,” said Mr. Harling. “You need to demonstrate that all staff have received proper training and that all the appropriate safety procedures are in place to ensure GDPR compliance.” Even if we don’t know what full compliance actually looks like, he said, you do need to demonstrate that you are putting the appropriate policies and procedures in place throughout to cover business processes and working practices of all your employees.
Search firms will have to make tough decisions about databases, which historically at least have been considered among their most vital assets. “Existing regulation in the U.K. and in many European countries already makes it clear, for example, that search firms should not store the dates of birth of potential candidates in the database,” said Mr. Harling. “However, many firms still rely on database systems that were developed before these regulations came into effect and some continue to record information that should not be there.”
“There are also some records where comments from colleagues about an individual would make for uncomfortable reading if they were shared with the data subject,” Mr. Harling said. “Comments written years ago, never meant to be seen by the executive, could be problematic if the subject of the comments is unhappy about what was written. Again, under existing regulation the individual already has the right to see any information or comments that are being stored, either on paper or electronically. These things need to be cleaned up.”
Before making any decisions, recruiters should determine what individuals are in their database and the purpose of those records. Client contacts, for example, are often stored on the main database alongside potential candidates, said Mr. Harling. “Any professional services firm will want to record the names and contact details of clients, but there may be other ways of handling client information while still ensuring that colleagues don’t accidentally approach recent clients as potential candidates,” he explained. “Whatever happens, search firms will need to decide which records to keep, which to review and which they are simply going to delete.”
Leaders at some recruiting firms, meanwhile, are considering whether they should develop their own GDPR solution. “Some search firms may be developing tools to allow executives to view, amend or delete their database records, but not many are going down that route just yet. Most search firms are waiting to see what the software vendors are going to come up with. This may turn out to be highly complex and also costly. Self-management of records is going to ultimately be the best way.” The very large global recruitment providers may decide to spend huge amounts of money developing some kind of GDPR solution, he said. “Even so, they will still need to work out how to clean up the data before the executives have access.”
Search firms must resolve how to deal with legacy data, what information to keep, how to communicate with the data subjects and how those people are going to view, amend or delete their records, said Mr. Harling. “All of this is going to be complex,” he noted, “but that still isn’t going to be sufficient to cover the development of policies and procedures, the training and the technical safeguards required by GDPR.”
To many, GDPR looks to be an expensive exercise that will only make it more difficult for executive search firms to do their work, but Mr. Harling tends to see the glass as half full rather than half empty.
“I believe that the new regulatory changes addressed by GDPR offer both risk and opportunity,” he said. “Adherence to the new regulation will involve abandoning old ways of working, being open to new ideas and priorities, and bringing the industry into the modern age. Change, although sometimes painful, is not a bad thing. It drives people forward. Industries, like people, must evolve to survive.”
Contributed by Stephen Sawicki, Managing Editor and Scott A. Scanlon, Editor-in-Chief – Hunt Scanlon Media