It doesn’t take effect until May 2018, but the General Data Protection Regulation, or GDPR, is on the mind of every search firm in the European Union, and it should be on the radar of any globally-active U.S.-based search firm as well. The GDPR is the most significant piece of European data protection legislation to be introduced in 20 years. What do you need to know about GDPR? And how is Thrive ensuring that Thrive TRM is GDPR compliant?
What exactly is the GDPR?
Passed by the EU Parliament in April 2016, the General Data Protection Regulation (GDPR) is an updated data privacy regulation, passed to strengthen data privacy laws across the European Union (EU), bring a greater degree of transparency to data privacy and personal information storage through explicit consent, and empower EU citizens with the ability to access their personal data being held by organizations and opt-out if desired.
Under GDPR, EU residents have extensive new rights when it comes to their personal data, and that starts with the definition of personal data itself. Under GDPR, personal data includes, “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person.”
That information could include sensitive data such as bank details, medical information, or a computer's IP address. But it also includes information that's readily available, like an individual's name, photo, email address, or even a status update on a social network.
According to the Information Commissioner’s Office, these rights include:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
Will GDPR Impact Me?
Most likely, yes. One of the primary differences between the GDPR and its data privacy predecessor, “Data Protection Directive 95/46/EC,” regards who is subject to enforcement. Under the GDPR, all companies that process the personal data of individuals who reside in the European Union, regardless of that company’s location, will be subject to the GDPR.
This means that even if your search firm is located in the United States, your organization will be subject to the GDPR if your data records include EU residents.
Do I need to pay attention to this?
Yes. In fact, ignoring the GDPR could have severe financial repercussions for your organization. Under the GDPR, companies in breach can be fined up to 4% of annual global turnover or EUR 20 Million (whichever is greater).
What do I need to do to prepare for the GDPR?
Aside from spreading the word about the GDPR, you should conduct an impact assessment for your search firm. This means understanding what personal data you maintain today, and how you might need to alter your internal processes for handling that data. Essentially, you should start answering questions about what records you possess, where they came from, and who you share them with.
With regard to your internal processes, privacy notices, consent policies, and data requests will all need to be addressed. Under the GDPR, your privacy notices will need to explain your lawful basis for processing data in a manner that is easy to understand.
You’ll also want to make sure that your consent policy, mentioned earlier, is GDPR compliant. Under the GDPR, consent must be “clear and distinguishable” from other written agreements. That means that a search firm cannot tie consent to an offering of a service, such as consideration in an upcoming search, for example. Additionally, consent must be communicated in clear and plain language and must be as easy to withdraw as it is given.
Finally, you should review your procedure for handling requests from individuals to access their personal data, and formulate a plan for responding to requests for rectification and potentially erasure.
What Impact Will Brexit Have on GDPR?
Like most topics concerning Brexit, there is no confirmed resolution concerning GDPR. However, here’s what we know right now. GDPR will take effect in the EU in May 2018, well before any legal separation between the UK and the EU becomes official; that separation is currently scheduled for March 2019.
Even after Brexit, however, GDPR is likely to still apply to organizations in the UK. That’s due to the “Great Repeal Bill,” which will be used to essentially copy and paste any laws from the EU into UK law before Brexit occurs. For UK organizations, then, it’s best to prepare for GDPR for the short- and long-term future.
When does the GDPR take effect?
The GDPR will become fully enforceable on May 25, 2018. That may seem like a long way off, but in actuality, there are less than 150 working days before GDPR becomes enforceable. And even for small boutique executive search firms, there are potentially thousands of records or more that need to be audited in that time.
As part of that audit, search firms will need to decide what data is essential and which records can be discarded. Furthermore, for records that are kept, firms will need to contact the individual attached to that record to make them aware that their data is on file.
How is Thrive preparing for the GDPR impact?
Thrive is actively preparing for the impact of GDPR, with features planned to provide you with a greater degree of control over the data that you store online and ways in which you can manage and track consent.
With these updates, users will be able to review and delete records in a simplified workflow, invite all existing contacts to provide consent with a single click and audit the changes made to your data.
Thrive TRM was designed with privacy in mind. Therefore, our efforts are focused on ensuring that you have the ability to quickly and efficiently manage your data to best prepare you for the impact of GDPR.
If you have any questions regarding Thrive TRM and GDPR compliance, let us know. You can email us at firstname.lastname@example.org.
Please note: The above content is only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained. Thrive is certified under the Privacy Shield Framework as it relates to compliant data flows between the EU (and Switzerland) and the US.