The Age of Consent – a GDPR Perspective
From May 2018, all organizations that handle the data of EU citizens will be required to comply with the GDPR, a single set of rules in relation to data governance, regardless of where the organization is located. The introduction of the GDPR will materially impact the way in which data is stored, shared and moved and will have a significant impact on the working practices of the executive search professional.
With less than a year to go, this article explores one of the more controversial elements of the new legislation, the legal basis for the processing of data. Whilst this has always been present in previous data privacy rules, under the GDPR, the bar has been raised on the requirement for Consent. This specific area of the legislation is particularly relevant to the executive search profession due to the volume of personal data held and processed about candidates and clients.
Under the GDPR there are a number of legal bases for processing of data, but for executive search, there appear to be two key conditions for consideration:
· Consent of the data subject
· Legitimate Interest
Do I need Consent?
A recent discussion paper issued by the ICO (the UK’s independent body set up to uphold information rights) in March 2017, suggests that Consent may not always be the best or most relevant legal basis. Often, pursuing Consent is impractical, complicated, easy to get wrong and confers additional rights on an individual which could heighten risk for companies. Whilst there are obvious advantages associated with a single set of data governance rules, sadly there is no black and white rule and the most appropriate legal basis will differ from organization to organization and across professions. For executive search, there are a number of scenarios where there would certainly appear justification for choosing an alternative basis to Consent. For example when adding a large number of candidates to a database or when conducting initial research on candidates, seeking Consent is simply not practical and could even be considered inappropriate.
What about Legitimate Interest?
In their recent discussion paper, the ICO suggest that Legitimate Interest may be the most appropriate legal basis in many cases, providing it doesn’t override the rights and freedoms of the data subject. And in most cases, with executive search it’s likely that it won’t override these interests or prove controversial to a candidate.
In addition, it certainly seems reasonable to assume that the holding and processing of current, up to date and relevant data on candidates is in the Legitimate Interest of an executive search firm and your clients and candidates.
Write it down
Whilst the most appropriate legal basis will differ dependent on circumstance and the requirements of your clients and candidates, whichever basis you choose to rely upon, the important thing is that you clearly record your decision and legal basis.
Given the recent guidance and the nature of executive search, it seems likely that many search firms will initially rely on the basis of Legitimate Interest to satisfy the GDPR in relation to their candidate databases, particularly at the research level. It is also perfectly feasible to seek to rely on Consent, and in fact, some clients may demand this for their assignments. However, it is worth noting that any Consent you have obtained to date is unlikely to satisfy the GDPR requirements and most advice points towards refreshing such Consent both prior to GDPR and regularly thereafter. Given the volume of candidate data held it is likely to be impractical and involve disproportionate effort to do otherwise. However, there is likely to become a point in any search process where obtaining Consent is appropriate and to be encouraged, especially when moving to the stages of candidate assessment or reference checking. This can be built in as part of the latter stages of the assignment process. Again, the key will be to ensure that the Consent obtained complies fully with the GDPR requirements outlined below.
Consent under GDPR
The key components of GDPR Consent include requirements to be freely given; specific; granular; clear; prominent; based on an active opt-in, statement or affirmative action; documented and easily withdrawn. You are required to notify data subjects that they have the right to withdraw their Consent and you cannot demand Consent as a condition of providing a service.
The GDPR defines sensitive data as information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Under the new legislation, the processing of sensitive data requires you to obtain Explicit Consent in relation to what is being done with that specific data. Explicit Consent differs from general Consent as a legal basis in that it is a requirement, not a choice.
The next steps
The first action you should take is to review the data you hold and why you hold it. It’s highly recommended that you undertake a Privacy Impact Assessment (PIA), showing that you take Data Privacy seriously and have it at the heart of what you do. There are PIA templates available, including on the ICO website, and as part of the process you should also look to your local Data Protection Authority to guide you as to whether you should rely on Consent or whether Legitimate Interest is a better option.
The most appropriate legal basis for the processing of data will vary dependent on circumstance and client requirements, but one thing that is perhaps more clear cut is the need to clearly document the legal basis under which you seek to rely upon.
The Invenias solution
At Invenias, we know how much our customers rely on us to ensure data protection is at the heart of the design, build and operation of our platform. Our most recent initiatives support the latest developments in data privacy and GDPR with dedicated features and functionality to assist with compliance. For additional information and resources relating to the GDPR, visit www.invenias.com/gdpr or email firstname.lastname@example.org.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
CFO & Chief Information Security Officer