How technology will be critical and how to plan your response now
What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation that was adopted by the European Parliament on 14 May 2016. The GDPR protects anyone living in the EU and therefore influences any organization that is based in the EU or does business in the EU. Many businesses that are not currently subject to EU data protection law will be subject to GDPR.
The EU General Data Protection Regulation, or GDPR, is meant to safeguard the data privacy rights of EU citizens and will be a key law to understand for any executive search firm that:
- Does work in Europe,
- Has clients that do work in Europe,
- Has sources, prospects or candidates that are EU citizens,
- May one day in the future do one of the above, or
- Works in conjunction with another firm that does.
The potential penalties for non-compliance if discovered are quite stiff (up to €20 million), and the liability for a security breach exposing non-compliance the hard way can be even stiffer (the same penalties, plus liability to the individuals, plus horrible impact to reputation). The laws go into effect in less than two years (May 2018).
But you will have experts to support you
When GDPR comes into effect, it will be the strictest data privacy law anywhere in the world. This calls for the executive search profession to work together to make it workable. The AESC and its advisors are preparing streamlined guidance for search firms to remain in compliance. They have a voice with the authorities to help ensure that the interests of the executive search community are understood. At my firm, Cluen, we are innovating new technologies and tuning new workflows to make it easy for every size search firm to be confident in their compliance with the GDPR.
Technology will be critical
Understanding your obligations and processes is one thing, but having a smooth way to operate is another. The critical technology foundations for GDPR include information security assurances and specialized functions that solve thorny problems and spare users administrative tasks.
Information Security: Your firm needs to provide adequate security controls to safeguard personal data of EU citizens, and you need to have the ability to document its adequacy. Having database data floating in Outlook, Word or Excel or in your shared folders is simply not organized, secure and auditable enough to meet the standards for GDPR. You will need not only a data provider that is certified with Privacy Shield and can deliver audit details of how your system is compliant, but also the AESC-specific protocols for information management.
Specialized functions: Executive search is different from other information-intensive businesses that might touch personal data. There are many little areas where Cluen is innovating to solve the thorny problems. For example, under GDPR, EU citizens have the right to request that you delete their name and file from your database (this first step requires a centralized system and a special function, but is fairly simple). But in conducting an executive search, how do you prevent your candidate ID process from entering their information right back into your database? Would you need to keep their name on a ‘hands-off’ list? But then, wouldn’t you be in conflict with their original request? How ridiculous! Cluen has developed a special technology that can solve the problem of this paradox – you can be compliant in your deletion of a record and every instance of that name, and yet have a ‘magical’ way to alert you should you ever try to enter the same name again.
So far, in reaction to GDPR, Cluen has eleven specific technology features in development that will either save minutes and hours of GDPR administrative time or solve an otherwise-impossible paradox. With less than two years to go, we want our customers to have plenty of time to get comfortable in their compliance.
Make your plan now, so you don’t panic in 2018
We recommend that you start understanding your options over the coming months and make the most of the resources available to you: review the AESC information that is available, speak with your attorneys, call Cluen to ask what options we would propose (whether you are a current Cluen client or not, this advice is available at no charge to AESC members), and speak with your other advisors and providers.
Once you have all of the options available, you can take a few more months to decide what approach fits best for your firm and still have the better part of a year to fully implement. This will not be a big burden if spread over time like this. It will also be most cost effective if you are able to make a thoughtful plan. If you wait until the end of 2017 to start your exploration, then the condensed time investment may be burdensome, and the ability to find a cost-effective solution reduced. Reacting to an emergency in 2018 will certainly be most costly in time and budget.
Relax and embrace the future
You will have ample support from the advisors that surround you, and with the right processes and technology your firm will be in a leadership position, differentiating yourselves by assuring clients and candidates that you adhere to the highest standards. Leading the industry into the future will not only give you compliance with the regulations but also be a reward in itself.
By Andrew Shapiro, a founding partner at The Cluen Corporation. Cluen is the leading developer of executive recruiting software solutions. Our seventh-generation recruiting software Encore has been refined through more than two decades of research and development fueled by the thousands of search professionals in Cluen’s user community. Discover why AESC Members prefer Cluen over other providers.