July 20, 2018 – The European Union’s General Data Protection Regulation (GDPR) recently went into effect and is expected to have a tremendous impact on executive search firms across the E.U. – including the U.K. – and how they handle personal data. GDPR also affects U.S. recruiting firms and others that collect and process information about individuals living in the E.U., no matter where they are located. For many in the search industry these are uncertain days, with two-thirds of executive recruiting firms concerned they could be exposed to heavy fines under GDPR, according to research released by executive search software platform Invenias.
The law, which was passed two years ago, is designed to protect individuals from threats to privacy in this still emerging digital age. GDPR, in a nutshell, brings greater transparency to data privacy and personal information storage through explicit consent. And it allows E.U. citizens access to their personal data that is being held by organizations and, if they wish, to opt out.
Under the new law, personal data is defined as “any information related to a natural person or ‘data subject,’ that can be used to directly or indirectly identify the person.” That information might be bank details, medical information, a computer IP address and more.
While the U.K. and the European Union continue to work on the details of Brexit, how GDPR ultimately plays out in the U.K. remains unsettled. It is in effect there now, however, and is likely to continue in one form or another after the formal separation, scheduled for March. Among the requirements of the law: Individuals must consent before organizations can maintain or make use of someone’s personal information; cyber breaches must be reported within 72 hours; and people have the right to have their information deleted and stop it from being made available to others.
More Data Privacy for the Individual
In this brand new episode of ‘Talent Talks,’ we delve into the recent developments of the GDPR from an executive search perspective with our host Andrew Mitchell and Anthony Harling, founder and chief commercial officer of Not Actively Looking. “We’re entering an era where individuals want to manage their own data,” said Mr. Harling. “People want to control their own data, and that is going to drive how search firms behave going forward.”
Anthony Harling, co-founder and chief commercial officer of U.K.-based Not Actively Looking, recently sat down with Hunt Scanlon Media to discuss the new law and its impact on executive recruiters. Mr. Harling, whose company is a U.K.-based global matchmaking platform for senior executives and executive search firms, knows the search industry from front to back. He has 25 years of experience in the search sector, including stints with Heidrick & Struggles and Eric Salmon & Partners.
Anthony, how will GDPR impact executive search firms?
GDPR certainly isn’t going to be the disaster that many people in the executive search industry thought it would be. It’s going to change the way that we do certain things, for sure. But, as I see it: Good GDPR = good business. The focus of GDPR is on changing the way that organizations handle personal information.
What changes do you see coming as a result?
I see three main changes for the executive search industry: Given the need to notify individuals when they create a record and the requirement to keep information accurate and up-to-date, search firms are going to have to be much more careful about adding people to the database. People will also want to control who can access confidential information such as salary expectations and future career aspirations. This is the era of the self-managed profile. It puts the individual in charge of his or her personal information. We’re also going to see a change in the way that search firms share information with clients. If you send a progress report to clients that contains the names of potential candidates, not only do you have to inform those people in advance, but you may also create a GDPR liability for your clients. Suddenly the online client portal becomes an essential element of the executive search process, a safe and secure way to keep clients in the loop, not just a fancy tool for a few select firms. GDPR is already ushering in new systems and processes, new ways of working. The best search firms are definitely becoming more professional in the way that they do things, more careful about how they handle personal information. These firms will expect a certain standard when it comes to the way that they work. They also need systems and tools that are designed to meet the requirements of GDPR. It’s forcing firms to re-evaluate the tools at their disposal.
What can search firms do to prepare for this new regulation?
By and large most search firms in Europe are already getting to grips with the requirements of GDPR. The new regulation affects any organization doing business in Europe, so any international firms need to take note. GDPR requires search firms to adopt a whole range of policies and procedures. Firms must review what personal information they hold, how that information is handled, and what policy they have for keeping that information. They also need to publish their data privacy and data retention policies on their website. A key element of GDPR is transparency. You have to notify everybody on your database within one month that you are holding their information, what it’s being used for, direct them to your data privacy and data retention policy, and also spell out exactly what their rights are under GDPR. Under GDPR, individuals have the right to see what information is being held and the right to ask for that information to be deleted. Search firms need to make sure that they have systems and processes that make all of this possible. Otherwise there’s a real danger that search firms are going to be swamped by things like Data Subject Access Requests.
What effect will Brexit have on GDPR?
In the U.K. the supervisory body for ensuring the proper implementation of GDPR is the Information Commissioner’s Office, the ICO. The information commissioner has made very clear that the U.K. is going to adopt the new regulation in full, regardless of Brexit. This means that the U.K. is fully signed-up to GDPR. Brexit isn’t going to make any difference at all. In fact, I see other countries and other regions adopting some kind of new data privacy laws in the fairly near future. I would expect some sort of regulation to come in the U.S. before too long. Good search firms everywhere need to start thinking seriously about how they handle personal information.
How has Not Actively Looking prepared for GDPR?
Not Actively Looking was actually ahead of the curve on a lot of this stuff. We launched our global candidate portal well in advance of GDPR. We’ve built a tool that allows executives to share confidential information with selected search firms. Search firms can direct unsolicited CVs / unsolicited resumés to Not Actively Looking, thereby allowing the executives to create a self-managed profile that they themselves control. It’s a win-win for search firms and for executives. We’ve also created a radical new search system that is browser based and fully GDPR compliant. It includes a GDPR Compliance Manager to help firms manage all of their GDPR notifications, subject access requests and the right to be forgotten. Having an old-fashioned out-of-date system to manage your assignments is just too risky for search firms these days. We’ve created our system with one goal in mind: to make things simple. GDPR doesn’t have to be a burden that cripples your business.
Thus far, what have you seen now that GDPR is in effect?
I’ve noticed a few things. Apart from the flood of emails that we’re all getting from organizations that we didn’t even know were holding our personal data, search firms are really starting to tighten things up. Holding thousands and thousands of records on your proprietary database is now seen to be more of a liability than an asset. Search firms are deleting a lot of old records, directing more and more of their contacts and candidates to become self-managed profiles. Quite rightly, in my view, search firms are now being much more careful about how they handle personal data. It will take a while for things to settle down, but search firms are generally getting much smarter about how they handle the GDPR notifications, making sure that they inform people when they create a record and things like that. Don’t get me wrong: There is still work to be done, but most firms are on track to building good data privacy into their everyday business. I think people in general are already much more aware of the need for good data privacy. We care about who has access to our personal information and what they do with it. Some of the recent data breaches and some instances where data has been misused have brought data privacy issues into the headlines. Fortunately, it hasn’t yet involved any of the top-level executive search firms. Let’s hope it stays that way.
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; Stephen Sawicki, Managing Editor; and Andrew W. Mitchell, Managing Editor – Hunt Scanlon Media