When the GDPR surfaced in May 2018, it set alarm bells ringing throughout the executive search industry. Nearly two years later, was the panic justified, and what should search firms do to stay compliant?
The arrival of the General Data Protection Regulation was one of the biggest regulatory changes to affect the recruitment industry in recent memory. In the build-up to the great deadline, executive search firms of all sizes prepared in 1,001 different ways to meet a seemingly vague and ill-defined set of requirements.
Some companies invested thousands in specialist consultancy support, delivered detailed company-wide training and produced reams of new contract and legal verbiage to defend them from the threat of investigation and fines. Others were less meticulous, with responses ranging anywhere from updating website usage and privacy policies to cautiously trimming email marketing lists (or, in extreme cases, doing nothing at all).
And, whilst search firms struggled to get themselves prepared, another market sector which showed mixed reactions to the new regulation was the software sector. A few software providers made half-hearted attempts to add better opt-in management to candidate communications, while others developed robust solutions to shield customers from inadvertent breaches.
Now, as we approach the two-year anniversary of this landmark moment in information protection, what’s the story so far?
GDPR: Was it all a fuss over nothing?
A common feeling across the recruitment industry (if seldom openly confessed) was that GDPR would all ‘blow over’: that the ICO would never bother to investigate internal processes or punish companies for lack of compliance, and that the whole concept was paying lip-service to consumer demands for greater control and visibility into the usage of their data.
In fact, the ICO has backed up its promise to enforce the regulation, and even offers a searchable archive of enforcements and penalties. Though British Airways dominated the headlines for its record-breaking £183m fine in 2019, plenty of small and mid-size businesses have been impacted, and the ICO is clearly not afraid to show its claws when companies violate the regulatory framework. This does show the true picture, and the ICO, like most supervisory authorities, is working through a substantial backlog of cases to review. It does appear that the ICO is taking, for the most part, a pragmatic view: where organisations or individuals can show that they have taken appropriate measures to safeguard the data they are responsible for, these actions are being properly considered during an investigation.
What happens now for executive search firms?
It was reported last year that two out of five recruiters risk GDPR non-compliance, principally down to the fact that up to 42% of recruitment firms still store sensitive data outside of compliant systems (e.g. notepads, decentralised digital documents, saving data to personal devices, etc).
More importantly, compliance with the GDPR is an ongoing process, not the ‘one and done’ fix that many businesses believed when it first emerged.
After initial preparation for compliance (such as defining grounds for the elusive ‘legitimate interest’), companies need to maintain and update their data and data processing in line with a moving window of compliance.
How can executive search firms stay compliant with GDPR?
As well as continuing to deliver training and maintaining up-to-date information safeguards within the business, search firms must legally renew their lawful basis from candidates and clients to retain and process their information in line with their retention policies. Equally importantly, the provision of this renewal must be recorded and logged effectively for reference.
With executive search businesses vitally dependent on the ability to store personal data and use direct contact information, the challenge has shifted from initial GDPR preparation to continued compliance and adequate operating practices on an ongoing basis.
Specialized executive search software such as FileFinder delivers in-built GDPR management tools to help executive recruiters keep on top of the issue through technology, ensuring companies can continue to move at full pace without falling foul of their commitments and risking litigation.
By shifting compliance from a separate issue, tackled independently of core recruitment operations, to an embedded part of a company’s daily workflow, digital solutions can help executive search firms avoid data breaches and therefore fines from the relevant supervisory authorities, while keeping their lawful basis to retain client and candidate information up to date, tracked and secure.