The core of the legislation is the assertion that an individual’s right to privacy and control over his/her own data is a fundamental human right. Despite being EU legislation, it applies to companies outside Europe when they process data of EU citizens. The GDPR touches everything from assignment work and marketing to database management, personnel records and IT security.
Reading the 88 pages of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 is not particularly comfortable for executive search firms.
Some of the articles of the legislation create concern about how everyday business activities will be impacted.
Articles such as:
· (32) which deals with the requirement to gain clear consent from individuals held on a database.
· (39) the requirement to provide a clear explanation of how the data will be used and how long it will be kept.
· (39) the need to establish policies for how long it is necessary to hold data, ensuring that the personal data held is accurate and demonstrating that the policies are implemented in the business.
· (39) providing an appropriate level of IT security.
· (78) being able to provide evidence of policies and internal measures that have been taken to comply with the legislation.
· (85 & 86) requirements to monitor and notify data breaches within specified timescales to the regulators and to the individuals whose data has been breached.
Nothing in the legislation is difficult to comprehend. The problem lies with how to implement the requirements. Phrases such as “not kept longer than necessary”, “provide adequate security”, “undertake periodic review” are not exactly helpful in their specificity.
Added to this, there is a whole new raft of requirements around an individual’s right to request to see their data, have errors corrected, have data deleted, have it transferred to a third party (data portability), and the new right to be forgotten.
Data security comes strongly to the fore, from both a technical and a process perspective.
Stringent new requirements around the monitoring and reporting of breaches, with specified timelines for notifying both the regulatory authorities and the individuals whose data has been breached, will have to be met. Above all, the legislation requires the ability to demonstrate your data privacy approach through record keeping, training and documentation.