In the latest edition of Recruitment Grapevine Magazine, Andy Warren, Chief Information Security Officer and CFO at Invenias reflects on the requirement for consent under the GDPR, and the practical steps organisations should take to prepare for the new legislation.
This article was originally published in the August 2017 issue of the Recruitment Grapevine Magazine.
The introduction of the GDPR in May 2018, will have a significant impact on the working practices of the executive search professional. For an overview of the new legislation, read The GDPR: what is it and what does it mean for Executive Search?
With less than a year to go, this article explores one of the more controversial elements of the GDPR, the legal basis for the processing of data. Whilst this has always been present in previous data privacy rules, under the GDPR, the bar has been raised on the requirement for Consent. This specific area of the legislation is particularly relevant to the executive search profession due to the volume of personal data held and processed about candidates and clients.
Under the GDPR there are a number of legal bases for processing of data, but for executive search, there appear to be two key conditions for consideration:
• Consent of the data subject
• Legitimate Interest
Do I need Consent?
Perhaps not, as a recent discussion paper issued by the ICO (the UK’s independent body set up to uphold information rights) in March 2017, suggests that Consent may not always be the best or most relevant legal basis. Often, pursuing Consent is impractical, complicated, easy to get wrong and confers additional rights on an individual which could heighten risk for companies. Whilst there are obvious advantages associated with a single set of data governance rules, sadly there is no black and white rule. For executive search, there are a number of scenarios where there would certainly appear justification for choosing an alternative basis to Consent. For example when adding a large number of candidates to a database or when conducting initial research on candidates, seeking Consent is simply not practical and could even be considered inappropriate.
What about Legitimate Interest?
The ICO suggest that Legitimate Interest may be the most appropriate legal basis in many cases, providing it doesn’t override the rights and freedoms of the data subject. And in most cases, with executive search it’s likely that it won’t override these interests or prove controversial to a candidate.
In addition, it certainly seems reasonable to assume that the holding and processing of current, up to date and relevant data on candidates is in the Legitimate Interest of an executive search firm and your clients and candidates.
Write it down
Whilst the most appropriate legal basis will differ dependent on circumstance and the requirements of your clients and candidates, whichever basis you choose to rely upon, the important thing is that you clearly record your decision and legal basis.
Given the recent guidance and the nature of executive search, it seems likely that most search firms will rely on the basis of Legitimate Interest to satisfy the GDPR. It is also perfectly feasible to seek to rely on Consent, and in fact, some clients may demand this for their assignments. However, it us worth noting that any Consent you have obtained to date is unlikely to satisfy the GDPR requirements and most advice points towards refreshing such Consent both prior to GDPR and regularly thereafter.
Consent under the GDPR
The key components of GDPR Consent include requirements to be freely given; specific; granular; clear; prominent; based on an active opt-in, statement or affirmative action; documented and easily withdrawn. You are required to notify data subjects that they have the right to withdraw their Consent and you cannot demand Consent as a condition of providing a service. The processing of sensitive data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data requires Explicit Consent. Whilst the processing of sensitive data is probably less likely in executive search outside specialist companies, Explicit Consent differs from general Consent as a legal basis in that it is a requirement, not a choice.
The next steps
Review the data you hold and why you hold it. It’s highly recommended that you undertake a Privacy Impact Assessment (PIA) and there are templates available on the ICO website. You should also look to your local Data Protection Authority for guidance as to whether you should rely on Consent or whether Legitimate Interest is a better option.
The most appropriate legal basis for the processing of data will vary dependent on circumstance and client requirements, but one thing that is perhaps more clear cut is the need to clearly document the legal basis under which you seek to rely upon.
The Invenias solution
Invenias’ most recent initiatives support the latest developments in data privacy and GDPR with dedicated features and functionality to assist with compliance to learn more, request a free no obligation demo with a member of our experienced team.