Executive talent

Global Magazine from AESC


The GDPR and AESC

The implications for firms, clients and candidates of executive search and leadership consulting.

In a sweeping overhaul with worldwide implications, the European Union’s General Data Protection Regulation (GDPR) imposes new obligations on the companies that collect and store European individuals’ personal data, gives individuals expanded control over their personal information, and dramatically raises the stakes of not complying with data protection law.

Years in the making, the GDPR will start being enforced on May 25, 2018. Executive search and leadership consulting firms and their clients are preparing now to be ready.

Karen Greenbaum, AESC President and CEO, emphasizes that data privacy and data security have always been critical to earning and keeping the trust of clients. “As a profession, we have a long history of confidentiality and trust. We deal with top executive candidates and clients looking to fill their most important executive positions. Members of AESC have led the way for many years in terms of best practices when it comes to data privacy and data security. GDPR definitely adds more regulation to this commitment of data privacy and security, and we are helping to ensure that our members are ready for May 25 of next year.”

Matthew Herman, AESC Task Force member and Associate General Counsel at Russell Reynolds, describes the GDPR’s impact on the executive search and leadership consulting industry. “Every aspect of our business is affected, as every aspect deals with processing the personal data of individuals,” he says. “Whether that’s executive searches, whether that’s mappings, whether that’s assessments, each of those lines of business requires the processing of somebody’s personal information.”

He adds, “Our lifeblood is the information that we have about people, and the GDPR is designed to regulate the processing of that information.”

David Peters, Group Finance Director, Odgers Berndtson, emphasizes that “despite the new legislation, handled correctly, executive search and leadership firms should not be frightened by the new legislation. Indeed, it will help firms to demonstrate that candidates and clients can trust search firms with their personal data.”

What has changed

The GDPR is, in large part, an evolution of the 1995 Data Protection Directive upon which most of Europe’s national laws on data protection are based. Among the most notable changes are the penalties for non-compliance, the reach of the regulation, the expanded rights for individual data subjects, the requirement for consent, and added responsibilities for reporting problems and documenting compliance.

Penalties: Under the new legislation, maximum fines for a data protection violation can reach the greater of €20 million or 4% of global turnover. Tim Hickman, who was recently promoted to partner at White & Case LLP, advises AESC on the impact of the GDPR on the executive search profession. “You’re going from a situation where the fines are too small to have very much impact, given that the risk of incurring a fine was quite low, to a situation where the risk of incurring a fine only goes up moderately but the consequence of that fine increases astronomically.”

Territorial scope: The reach of the GDPR has significantly expanded, as well. The new law applies to any business that directly offers goods or services to EU residents, regardless of where the business is located, and even if it has no physical presence in the EU. Hickman describes “a fairly aggressive extraterritorial land grab by the EU, basically saying even if you are outside the EU, if you want to do business in the EU with consumers you must play by Europe’s rules.”

Individual rights: The new regulation also codifies the rights of individuals with regard to their personal data, including, among others, the right of access to information collected about them, the right to correct their information, the right to notification, and the right to be forgotten.

Automated decision-making is a challenge in the search context, as well. Under the regulation, data subjects have the right not to be subject to a decision based solely on automated processing. Bryan Ackermann is Chief Information Officer at Korn Ferry. He says, “All the search firms are trying to leverage more technology and machine learning into our search process, to improve client match and reduce the time to fill – that’s an area where we have a watchful eye on the pieces of GDPR that speak directly to not using personal data exclusively for the purpose of automated decision-making around employment.” He emphasizes, “That is prohibited, so we are ensuring that the human element is always at play, and that we are not leveraging technology only in our search filters.”

Greenbaum adds, “In our profession, there is both an art and a science to the work we do. We take great pride in the years of experience we bring to each assignment, as trusted advisors. Yes, technology has enhanced much of what we do…and will continue to do so. But it does not replace our industry, market and candidate assessment expertise.”

Legitimate interest versus Consent: Firms require a legal basis for processing data, and, for our profession, this can be having a legitimate business interest or obtaining consent. Hickman explains, “It is expected that legitimate interests will cover many of the processing activities that executive search firms undertake. However, consent may be required when sensitive information is processed.”

Under GDPR, lawful consent has become significantly harder to obtain. Consent must be “freely given, specific, informed and an unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Greenbaum says, “There may be times when obtaining consent becomes important. For example, consent is often received before proceeding with psychometric testing or background checking. This is already a best practice and is even more important under GDPR.”

Indeed, a lot has changed under the new regulations. “Everyone is more at risk: the fines are higher, there promises to be more even enforcement, so everyone is a little more at risk than they were yesterday because the stakes are higher now,” says Heath Brewer, AESC Task Force member and General Counsel at Spencer Stuart.

Brewer says, “We use a relatively compact set of data. It tends to be the personal information of people who are business-savvy; people who are sophisticated users of our service who know what we’re doing in the market, versus a shadowy tech company selling personal data to advertisers.”

The role of AESC

Transparency and confidentiality are cornerstones of the AESC Code of Professional Practice, and the new GDPR regulations align with the standards of the executive search and leadership consulting profession. AESC is working with European regulators to develop data privacy and security guidelines for the benefit of AESC member firms. AESC offers its members training, education and opportunities for peer-to-peer discussions, and is actively working with legal firm White & Case to interpret the regulation on behalf of the profession.

Greenbaum says, “As the association for our profession worldwide, representing only the very best firms, we know how important it is for us to ensure that our members are aware of the regulations that impact the critical work that we do with clients and top executives. Compliance is critical, and oftentimes it is only a ‘minimum standard’ compared to the care that our members take in the work that they do.”

According to Hickman, “There’s no legal obligation for AESC to help its members be compliant, but there are obvious attractions to it. One of those is to ensure that member firms in the executive search and leadership space are aligned in terms of their approach to GDPR compliance, and establishing industry best practice.”

Roles and Processes and why they matter

The new rules are already weighing on executive search and leadership consulting firms and their clients. “I probably have one conversation a day with a client about data protection,” Brewer says. “The most sophisticated are already sending us in-depth questionnaires and putting us in touch with their data protection people. In other cases, many clients are feeling their way through this at the same time as the industry, so that in some cases it’s a dialogue with clients. They want to know what we’re doing, we want to know what they’re doing, and we’re educating each other and making decisions together about how we are going to tackle this new regulatory landscape.”

And it is a new landscape.

ACCOUNTABILITY is greatly expanded: the GDPR sets out detailed expectations of every entity that handles personal data within the chain of possession. The legislation closes some loopholes while it defines and broadens the responsibility for data protection.

Brewer explains, “There are two sides of the coin in the regulation: there is a data controller and a data processor. If you are a data controller, you are seen as the manager of the data: you dictate who has access to it, you can make decisions about who can delete it, what happens to it. You regulate the use of the data. If you are a data processor, you are taking information from the data controller and following the rules which have been set out between the two organizations.”

By expanding responsibility and liability, GDPR holds both data controllers and data processors to a higher standard of accountability, and also holds data controllers liable for the compliance behavior of their processors.

“GDPR says that we now, as data controllers, are responsible for the behavior and the compliance of any data processors, these third parties that help us deliver the product or service,” Ackermann explains. “That ranges from infrastructure providers to software providers, to variable labor—contract consultants, contract recruiters who may help us deliver a product or service. That’s a huge change,” he says. “Now, not only are they in scope, now the controller—the owner of the decision on how a person’s data is handled—has to stand up for the performance of any third party vendors.”

And in the world of executive search and leadership consulting, it’s even more complicated. “I have had a lot of discussions with clients about who is the controller of candidate data,” Brewer says. “The data controller can direct the processor to delete data. That means if a client was the controller, they could require us to delete our candidate data, and that doesn’t make sense for our business. This is a real, live point that we chat with clients about all the time.” The ideal relationship may be that of joint controller.

Greenbaum adds, “We need to be sure our members understand their important role as data controllers and that they are well-prepared to ensure that clients understand this as well. We maintain candidate databases and have a legitimate business reason for doing so. This legitimate interest is, in fact, not automatically transferred to the client. They need to understand their own responsibilities for data privacy and security.”

Roles and responsibilities under GDPR will become familiar conversations, with firms and clients still figuring out how this will work as the regulation becomes law.

LAWFUL PROCESSING of personal data is dependent on establishing legal bases: either consent or legitimate interests.

Hickman explains, “Firms require legal bases on which to process data. Consent is one legal basis. Legitimate business interest is another, which works by balancing the legitimate interests of a business against those of the individual. It is expected that legitimate interests will cover many of the processing activities that executive search firms undertake. However, consent may be required when sensitive information is processed.”

Greenbaum emphasizes, “For our profession, we have a legitimate business interest for maintaining candidate and potential candidate data. It is core to what we do and we take our responsibilities around data security and confidentiality seriously. We want to be sure our members know their responsibilities in terms of providing appropriate notice regarding their maintenance and processing of personal data.”

According to “Unlocking the EU General Data Protection Regulation: A practical handbook on the EU's new data protection law” published by law firm White & Case LLP, “Processing is permitted if it is necessary for the purposes of legitimate interests pursued by the controller (or by a third party), except where the controller's interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects which require protection, particularly where the data subject is a child.”

The handbook’s authors suggest that in order to prepare for GDPR, organizations should, “where a legitimate interest is the basis for processing, maintain records of the organisation's assessment of that legitimate interest, to show that the organisation properly considered the rights of data subjects.”

As explained earlier in this article, the GDPR has redefined what constitutes consent. Under the regulation consent must be “freely given, specific, informed, and unambiguous.” The law mandates “a statement or a clear affirmative action” and “explicit” consent for the processing of particularly sensitive information, defined as race, sexual orientation, health, and other data.

DATA PROTECTION BY DESIGN AND BY DEFAULT directs organizations to demonstrate that data protection is built into the design of new goods and services from the earliest stages. In addition, the provision requires that the strictest privacy settings are applied to an individual’s personal information automatically: by default, rather than as a result of further action or selection by the data subject. The rule also instructs processors to hold an individual’s personal information only for as long as necessary.

“Certainly, as we are all trying to innovate and differentiate ourselves from our competition, we are doing things differently, and we have to embed the discussion around data privacy much earlier in the life cycle,” Ackermann said. “And not just from a technology perspective, but from the actual lifecycle of product development. That is really different, and a very difficult thing to do; I have to embed that in the business.” Ackermann asks a challenging question: “How do you balance innovation and protecting the privacy rights of the individual?”

DOCUMENTING COMPLIANCE is likely to become a particularly challenging requirement under the GDPR, significantly increasing the administrative responsibilities of data controllers and processors. The regulation directs organizations to integrate data protection safeguards into their processes and to maintain robust records of their data processing activities.

According to Andy Warren, CFO and Chief Information Security Officer at software provider Invenias, “it’s not just that you comply, but that you demonstrate how you comply. So the importance of having written policies and processes and recording everything you do becomes paramount.” He adds, “GDPR talks about having data protection at the heart of everything that you do – it’s one of the opening statements in the legislation. That is a shift for companies in the way they look at their business.”

The law demands much more than a robust data privacy and security policy. Herman says, “We have to be sure that we can document that we’ve provided sufficient notice or obtained consent, that we have an independent legal basis for processing every piece of personal data that we have. We need to be able to document the types of data that we have in our possession and demonstrate an independent legal basis for processing each individual subject to the GDPR.”

The demands of the law may require organizations that work with individuals’ personal information to undergo a transformation throughout the organization, affecting policies and processes, and perhaps even reshaping how organizations conduct their day-to-day operations.

David Grundy is CEO and co-founder of executive search software provider Invenias. “Once you get into the real detail,” he says, “you can lose some of the essence of what the legislation is intending to provide for. The legislation is there to protect the citizen, it’s not there to protect the data. And once you get into an executive search assignment, all of the parties—the firm and the client—are going to want to take a look at one another and say: do we all understand the importance of protecting and respecting the individual that’s being discussed here?”

Breach reporting: According to the UK’s Information Commissioner’s Office, “The GDPR will introduce a duty on all organizations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.” Even what appears to be a relatively minor breach may be reportable; it depends on the information involved, and on whether the breach put anyone at risk.

“GDPR imposes this 72-hour deadline from the point at which an organization first becomes aware of a breach to the point at which the organization has to report the breach to the data protection authority,” Hickman explains.

“In the first 72 hours of any data breach you know nothing. The difficulty is, it’s going to be very hard to keep a lid on any investigation once you’ve made a formal report to a regulator, because the regulator owes you no duty of confidentiality.” He adds, “So AESC member firms need to get used to the idea that every now and then they are going to have to file some fairly uncomfortable paperwork on very short notice.”

The implications for firms, clients, and candidates

For executive search and leadership consulting firms, the commitment to confidentiality and respect for an individual’s private information are already core values of the profession. GDPR dramatically expands the application of those values, and will transform how many firms approach data security and data privacy.

Peter Lagomarsino is a partner in the global due diligence firm Mintz Group LLC. “We're moving into a more serious climate for following the basic tenets of responsible background screening, including getting the appropriate candidate consent, only reporting information that is accurate, up to date and relevant to the assignment at hand, handling data in a secure manner, and deleting data at the required time.” He says, “Search firms and their clients should insist that their background screening providers meet these standards, whether those providers conduct full-bore background checks or something limited such as verifying degrees.”

According to Ackermann, clients aren’t waiting for May 25 to ensure their vendors are following the rules. “The first question clients ask is ‘where is your data stored?’ Even though a single location is not called out in the GDPR, the regulation has strict rules about data transfer.” Ackermann says, “If the answer is ‘in the EU,’ the rest of the discussion is much more straightforward. But if the answer is ‘in the US,’ they take out the rulebook and say ‘let’s start with page 1.’ Where the client has new and tougher obligations they have to adhere to, that makes our conversations more difficult.”

Ackermann and others describe what may be the new reality for executive search and leadership consulting firms. Hickman adds, “You see it in the business-to-business world, clients asking, ‘how are you going to keep my data protected?’, and for AESC member firms that question will come from both their clients and from the candidates. It adds pressure to get compliant.”

Many clients already recognize the implications of GDPR and their own responsibilities and liabilities. And the issue is more than steep fines. Herman says, “Why does this matter to clients? It matters in the same way any other regulation matters. The failure to comply creates material risk for their organization both legally and reputationally. Think about the stock price impact of Target’s, Home Depot’s or Equifax’s data breaches. Imagine the loss of trust and confidence that may occur with an organization because they selected a vendor who lacked sufficient standards.”

Few businesses anywhere can afford to cut themselves off from the continent of Europe. From his perspective in New York, Herman says, “Unless you want to stay restricted entirely in the United States, you need to have a data privacy program in place and know what you’re going to do to be in compliance with the GDPR and other relevant data protection requirements around the world.”

Andy Shapiro, co-founder at software provider The Cluen Corporation, says, “This is one thing that should be a priority for every size hiring authority. In terms of the recruitment context, pay attention to it today, and prioritize it before it becomes a problem.” He adds, “The bottom line is, follow the law.”

Candidates, as data subjects, have the most to gain from the GDPR. Brewer looks at data protection from this perspective: “To a client, it means I’m not going to be sued by a client, and my organization is not going to be embarrassed in the market. But the candidate wants to know their data is safe, and not just sensitive information from a legal definition, but information that is significant to them, that if not treated properly could threaten their livelihood.” He warns, “If their employer finds out they are talking to a search firm, that could be a job-ending event.”

Attitudes about an individual’s personal information are evolving, and that is reflected both in the business of data and in the protection afforded by the GDPR. As more individuals understand their rights, they may begin to exercise them.

According to Warren, “Candidates are increasingly understanding how their data becomes a valuable commodity, so whilst people have got used to the world of social media where they put and share lots online, people are also saying well, actually, I only want to share my professional career data with people that I trust.”

From Brewer’s perspective, “The candidates are the controllers of their own data here, and in many ways the regulation and all the steps the industry has to take are all based around candidates and protecting candidate data.” He believes, “It’s of the utmost importance to signal to candidates that the industry and each AESC member firm are taking appropriate steps to protect their data.”

The worst-case scenarios

Hickman offers this sobering thought. “Think about the consequences a data breach could have in terms of candidates, for example if it becomes public knowledge that the CEO of a publicly listed company was busily interviewing with three or four other companies.” He says, “That has a potentially huge impact on stock prices and very serious ramifications for the career of that candidate.”

The risks of a data breach or the mishandling of personal information have always been significant for individuals. Now, the stakes have been raised for the collectors and processors of that information.

“It’s important for any business to comply with the law,” Shapiro says. “It may not have been taken as seriously in prior versions of data privacy law, but this law is crafted to have a much more modern interpretation of data privacy rights and have much more tangible consequences—consequences that people are really paying attention to.”

While the maximum fines grab headlines, there are business-disruption consequences that should also hold the attention of organizational leaders. According to Hickman, for example, the GDPR gives each EU data protection authority the power to require a firm to stop what it is doing with personal data if the authority suspects that those data are being processed outside of the rules.

“The authority can say ‘we think the way you are using candidate data is illegal, and you are to stop it now, and you cannot start again until we are satisfied that you are now in compliance with the GDPR.’” Hickman explains, “You can see how that has the potential to seriously adversely affect business operations.”

For Ackermann, “The risk around compliance has several elements. First, there’s nothing like a 4% of global revenue fine to get your Board’s attention. The second element is our clients’ interpretation. It doesn’t matter, in some ways, our perspective on letter of the law compliance with GDPR… At the end of the day, the client is making a value judgment of how much we value the privacy of their employees and personnel, and they’re using now, far in advance of the law being on the books, a much stronger determinant of whether they want to do business with us.”

Is full compliance even possible? Hickman thinks not. “I would suggest it’s next to impossible to achieve 100% compliance with this legislation, because even if you have the policies, procedures and practices in place, you never know for certain that all of your employees are doing everything they are supposed to do. Even the most compliant organization can suffer a data breach, can still unlawfully process data, can still find out that an employee somewhere was negligent and transferred data out of the EU and they have to go and report this to a regulator.”

Regardless of the difficulty of full compliance, many organizations are taking the regulation quite seriously. But are they taking it seriously enough?

According to Karen Greenbaum, “Our members around the world want to be sure they understand how GDPR impacts them – their internal processes, the way they manage candidate data, and the way they interact with people in Europe – whether candidates, referees, sources and, of course, clients. GDPR was not created specifically for our profession – not at all. But we at AESC see it as our responsibility to interpret these rules and how they apply to our profession and then educate our members. We want to be sure AESC Members – the highest quality firms in the world – are prepared for GDPR and remain committed to data privacy and data security.”

The best-case scenario

The long-term impact of GDPR may well be significantly improved systems that benefit both individuals and organizations.

Grundy puts the responsibility for compliance into perspective. “This is not something that you can say this is a systems problem, and our systems provider will solve it. This is about leadership, it’s about culture, it’s about training and it’s about embedding data protection and directly linking it to the values of your organization.”

Recalling the principles behind the legislation, Grundy adds, “We do live in a world where the data protection and the data rights of the individual is an increasingly important and visible issue. This is something that can be used to build a stronger and more professional business and build a better relationship with candidates.”

Shapiro has heard the arguments that people forfeit their privacy rights through engagement on social media, but argues, “It’s one thing if you put your information out there on social media, but that doesn’t give everybody in the world the right to collect that data. A lot of Americans are starting to get it with the recent Equifax hack. I don’t remember giving Equifax consent to create a file on me. It would have been great to know that they had a file on me, and that I had certain rights.”

GDPR establishes transparency as a right of the individual. Herman says, “Now, individuals will know what data we have, what categories of data we might have and what we might do with it, and who to contact if they don’t want us to have the data and how to get us to stop processing. There’s quite a lot of value in the underpinnings of the rule.”

Individuals having rights doesn’t necessarily mean that they will exercise those rights. However, Brewer observes that “the countries that have the strictest data protection legislation, they tend to be the places where you see the most active candidates in terms of their data protection.” He explains, “These are the countries such as Germany where people are aware of their rights and don’t hesitate to ask the questions ‘what are you doing with my data, how are you protecting it, where is it going and how is it going to be accessed?’ I do think as the regulation becomes law and becomes accepted, more people will start asking those questions.”

“If we do it right,” Ackermann says, “it gives us an opportunity to engage in a different conversation with our clients that starts with having earned the trust they place in us around treating their employee data and our candidate data with the respect that the law requires of us. That could differentiate us. If the client doesn’t trust us to handle their data properly, we have nothing to fall back on – we deal almost 100% in data. We believe that a robust program can be good.”

It’s just the beginning

“This is not a totally written story – this is act 2 of a 3-act play,” Ackermann says. “It’s not in place yet, and won’t be for several months. We have our first clients saying they will decide whether to do business with us based on our compliance level. So our clients are getting ahead of it.”

Are clients and firms aligned? Ackermann adds, “Clients are interpreting it in their own way—it’s a fairly complex piece of legislation—well in advance of the law actually being on the books. It is going to continue to evolve dramatically as we get our first case law in place and our first enforcement activities by the various data processing authorities.”

AESC member firms and their clients will need to work collaboratively to deal with the complex issues related to data privacy and data security. Open discussion and clarity about roles will be essential.

So many questions do not have answers from the lawmakers themselves. Hickman sees the law and compliance as ongoing processes. “More or less every case that ends up before the court of justice can shift the landscape in terms of some fundamental issue or other, and in relation to codes of conduct under the GDPR there are still fundamental questions, and we are waiting for the regulators to provide clarity.” In the meantime, AESC member firms should use the resources available to interpret the law and work toward compliance.

Different industries and organizations are at different stages of preparedness. “Not everybody has the benefit of AESC and solution providers promoting education,” Shapiro says. “It’s evolving. Even if the law goes into effect and seems relatively stable in terms of what it does and how people interpret it, it may be different in the courts in six months, or a year, or several years. Constant vigilance is required to really get it right.”

Brewer, too, is confident that the law around data protection will continue to evolve. “I don’t think it’s ever going to come to a rest – data protection is iterative, and as the technology changes the regulators try to keep up, and everyone gets swept up in that, including our industry.” He acknowledges, “Yes, there’s a deadline, and it’s a very big change, but there will be further regulation, there will be more opinions and there’s a body that will continue to give guidance and clarify as time goes on.” He adds, “In my view, the goalposts are always moving, and we’re always trying to stay at least one step ahead of the regulations.”
