An explanation of Society's approach to GDPR

A few weeks ago we launched our new firm-wide Data Protection Policy. This was a really important event for us as a business, so we did it with quite a bit of internal fanfare. In order to underline the significance and positivity of the changes we're making, we even provided everyone with fun 'data protection tattoos' like the examples shown to on the right, so that they could display their personal commitment and enthusiasm for the new regime! 

As Friday's implementation deadline draws nearer, there can't be many people left (in Europe at least) who haven't heard some mention of the acronym 'GDPR'. Most of us currently have email accounts clogged up with messages from every business, charity and community group we've interacted with since the dawn of the internet, asking for permission to retain our data, or inviting us to update our contact preferences.

As disruptive and time-consuming as the preparations for GDPR have been, we are clear that it is an opportunity rather than an imposition. It’s provided a spur for us to raise our game, to spring clean our data, and to tighten up our processes. It’s also an opportunity for a mindset shift, as a firm and as an industry. Data protection used to be viewed as a set of dry rules and requirements. But our view is that it’s actually about people; respecting them, protecting them, and giving them greater control. Privacy can no longer be an afterthought. We seek to build it in to every one of our systems, processes, behaviours, and actions, from the outset, with the guiding attitude of ‘privacy by design and by default’.

So what does that all mean on a practical basis? Well, over the past months we have attended numerous seminars and training sessions and undertaken a complete review of our operations with privacy in mind. Our aim is to exceed best practice, not just in Europe but internationally. Our new Data Protection Policy is 50 pages long and maps out every element of our operations; from flow charts tracking the movement of data around the company, through to step-by-step breakdowns of what we do in the event of a data breach or a Subject Access Request. Amongst the practical ramifications of the new Policy are that:

• we have published an updated and significantly expanded Data Protection and Privacy Statement on our website (and clearly linked to from all our emails);
• we have deleted a lot of old data (both hard copy and electronic) that we no longer needed to hold;
• we have agreed a clear bi-annual schedule for tidying up and deleting certain data;
• we have put in place tougher physical- and cyber- security standards;
• we have finished shifting all our systems such as email, HR, and Finance onto more secure platforms;
• we have begun encrypting or password protecting all client documents. 

A key consideration, and one that’s attracted a lot of commentary, was deciding upon our ‘lawful basis’ for processing as defined under Article 6. After detailed consideration, we have determined that Society’s lawful basis for its core data processing (data on the company’s contacts that we reach out to whilst headhunting) is ‘Legitimate Interests’. We’ve done a full Legitimate Interests Assessment, so that we can explain the rationale behind that determination and satisfactorily demonstrate, either to an individual or to a Supervisory Authority, that we have fully considered the necessity and purpose of our processing activities, and that we have given appropriate and serious consideration to the privacy rights of the individuals we interact with. In summary, our rationale is:

• that the data subjects will have a reasonable expectation that we will process their data in the way, and for the purpose, that we do;
• that we believe our interests and those of the data subjects are broadly aligned;
• that the impact of our data processing is highly unlikely to be of any detriment to the data subjects;
• that appropriate safeguards and compensating controls have been put in place;
• that we make it clear at every stage the rights that the data subjects have.

The only major exception to this regards 'special category data', which is a type of data that could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination. This includes information about an individual's race, ethnic origin, politics, religion, trade union membership, sex life etc… We are occasionally asked to collect some of this data for clients, typically for diversity monitoring and equality of opportunity purposes. We will continue to do this, but will now simply provide aggregated data (eg. on the entire field of candidates) rather than information about specific individuals. There are only two circumstances under which we will store and process special category data about a specific individual. These are:

• if there’s a genuine occupational requirement that appointable candidates for the role under consideration must possess one of these specific attributes (eg. a Christian charity may reasonably determine that their Chief Executive should be a practicing Christian); or
• if there’s a commitment by the client that people from certain under-represented groups will be guaranteed an interview as long as they meet the essential criteria in the Person Specification (eg. they are a ‘Disability Confident’ employer).

Under either of those scenarios, we may still collect and process special category data, but our lawful basis for doing so will be explicit Consent and this will be sought unambiguously and in writing before we proceed with recording or sharing any such information. At this point we will also remind the data subjects again of their rights.

*      *      *      *

That's the approach we're taking. And we've already identified other ways in which we think we can continue to improve in this area by going above and beyond our legal obligations.

Privacy and data protection should also be a dialogue though - between data controllers and data subjects. So if you have views about this issue, and would like to get in touch, please email us on DataProtection@society-search.com.