
The GDPR And Compliance Executive Search

Author: Laura Skinner
Posted: Apr 19, 2018

For those unfamiliar with the term, GDPR is the acronym for the General Data Protection Regulation and it comes into force in the UK on May 25th. The purpose of the GDPR is to safeguard the rights of EU citizens with regard to their data privacy. It affects all organisations that are either based in the EU or do business there, regardless of their size. It gives all EU citizens greater control and rights over their data and also provides the power to access, change, or erase any data held.

The new legislation means that consent must be given freely, and must be specific, clear, and prominent. Consent has to be based on an active opt-in and it must be documented and able to be easily withdrawn. Any organisation affected by the legislation has to notify people that they have the right to withdraw their consent, and furthermore, consent cannot be a requirement for providing a service or offering employment.

Under the GDPR, organisations must notify all affected individuals and supervisory authorities of any data breach within 72 hours of discovering it, and there are severe penalties for non-compliance. Fines can be as much as EUR 20 million or 4% of global turnover, whichever is greater. The EU Commission will increase the powers of Supervisory Authorities, enabling them to investigate through audits, reviews, and notifications, and also enabling them to issue warnings, compliance orders, and fines. EU member states will have their own discretion to decide upon any criminal sanctions. Furthermore, when the GDPR comes into force it will apply to all existing data held, regardless of when it was acquired.

The GDPR has obvious implications for businesses involved in compliance executive search. Personal data must be collected for a specific legitimate purpose and it must be processed in a transparent, fair, and lawful manner. It must be secure, and it must be accurate and kept up to date. It must be limited to only what is necessary and it must be disposed of when it is no longer required. Clear records must be kept and organisations must be able to show evidence of consent if they are required to do so by the appropriate authorities. They must also inform individuals of their right to withdraw consent at any time and their right to be kept informed, and allow access to the personal data held on them. All organisations are advised to check that any existing consents comply with the GDPR and if they do not they will need to obtain fresh consents.

Under the GDPR, all individuals will have the right to obtain confirmation that their data is being processed, and to be allowed access to it along with any additional information.

The information supplied about personal data processing must be easily accessible, intelligible, transparent, and concise, and it must be written in clear English. Furthermore, organisations can make no charge to the individual for supplying this information.

Organisations must inform individuals of their rights at the time of obtaining their data or within one month if the data is not obtained directly from the individual concerned. In addition, if data is being transferred to a third party or another country the individual has the right to be informed of the safeguards in place relating to that transfer.

GDPR will affect all areas of a business and it needs to be approached in the same manner as health and safety. Responsibility for overseeing GDPR should be assigned to one person in each department that is involved with data processing or it could be assigned to a team depending on the volume of data within the organisation and the sensitivity of the data. Persons involved with GDPR in different departments will need to have regular meetings in order to ensure compliance. Furthermore, if an organisation adopts any new processes or technologies that involve personal data handling, a data protection impact assessment may have to be undertaken.

Larger organisations may need to appoint a Data Protection Officer. Such an individual would need to have expert knowledge of data protection law and practices, and must be independent of other decision makers within the organisation.

Danos Associates is a long-standing global leader in the field of compliance executive search. The company provides retained search services and has a network of existing talent upon which to draw. The contingency search team is continuously identifying, headhunting and meeting new talent.

About the Author

Danos Associates are global-leading legal professionals in business compliance and risk. They work with firms to ensure legal & regulatory compliance.
