Invenias: “The good news with GDPR is the credibility”

With the implementation date for GDPR fast approaching – 25 May 2018 for those who don’t have it imprinted on their brain already – many firms are gearing up for the change.

With the implementation date for GDPR fast approaching – 25 May 2018 for those who don’t have it imprinted on their brain already – many firms are gearing up for the change.

Whilst Search firms are being asked to comply with a whole raft of GDPR necessities, processors – the companies that Executive Search firms work with, including platform providers – have also got increased liabilities and responsibilities as a result of the legislative change.

To find out what this will mean for platform providers, we spoke to Andy Warren, CFO & Chief Information Security Officer at Invenias. Warren laid out how, if at all, GDPR would change the Search marketspace, where new responsibilities lie and what GDPR contracts will need to look like.

Speaking exclusively to Executive Grapevine, he explained: “The ICO have released a consultation paper on processors and controllers (Search firms) and what will have to happen as a result. Contracts will have to change to write out the new obligations: what’s the controller liable for and what is the processor is liable for.

“Our contracts already include a lot of those clarifications. We’ve already planned for that but we’ll be adding some additional pieces to make that clear and our clients will want that anyway. GDPR is about going through that process.”

With a lot being made in the relevant medias about the new responsibilities that fall on data processors – those, like Invenias, who process data for Executive Search and recruitment businesses – it’s important that Search firms choose processors who understanding and comply with changes.

“The obligations for us are to have the technical and organisational measures and secure environment to satisfy and fully comply with GDPR,” explains Warren. “That doesn’t prevent the controller from being responsible, they have to have their own technical and organisational measures but they can rely on ours too.”

And, although Search firms will be working to ensure they partner with compliant processors, what about the risk to the platform providers of partnering with a rogue Search firm who aren’t taking their responsibilities seriously?

“If the search firm is not upholding their end of the deal, there’s limited risk to the platform provider as long as they’ve done what’s expected. There is unlikely to be shared liability. It’s either on the processor or the controller. If there’s a problem, the ICO would look at the controller and ask did you do enough due diligence, did you check that your processor or the person you relied upon to handle your data had adequate security and adequate processes? It doesn’t flow quite the same way from processor to controller, where a processor has to follow the controller’s lawful instruction.

And, despite the panic, the questions and the changes of process, not to mention changes to contracts, that have come about, Warren believes there is good news to come of change.

“The good news about GDPR is the credibility – the knowledge that data is being looked after properly and is up to date and is secured. The companies that play fast and loose and have a scattergun approach to blasting CVs out are the most likely to suffer and many could go to the wall. For a credible Executive Search firm, following the right procedures, if anything they’ll get more business because clients will demand that level of compliance and demand that they can demonstrate it. That’s the benefit.”

With the May 2018 deadline fast approaching, Invenias are hosting a complimentary breakfast briefing ‘How to Prepare for the GDPR’ on 15th November 2017 at No. 11 Cavendish Square, London.