At Dillistone Systems, we work with Executive Search firms in more than 70 countries. As a result, we spend a lot of time thinking about data transfer, security and related topics. It's not exciting. But occasionally we come across a titbit worth sharing. Here's one.
We suspect that at least 50% of European search firms will - in the last 12 months - have done something that, if repeated after May 2018, would put them in breach of the law.
What are we talking about?
Exporting personal data. We all know that people in Search often travel and often take data with them. By data I mean information on "People" - contact lists, databases, spreadsheets and so on. As part of the GDPR shake-up, the rules on doing this are changing. From May 2018, the legality of taking that data abroad will depend - in part - on how you do it.
It's worth defining the ways you can access your business data overseas. There are basically two options. The first is a "true cloud" type solution: you open a browser (or, in some cases, an installed client) and view data that is stored on a cloud server back in Europe. This is data in transit. Under these circumstances the data has not been transferred outside the EEA, so under the new rules you are fine to access it from anywhere.
However, if you have data on your local device - perhaps cached in Outlook, in a spreadsheet on a laptop, or saved to the contacts on your phone - then that data is at rest, and it has left Europe with you. In the eyes of the law, you have transferred it.
If you aren't sure how your data travels, turn off your wifi / mobile data / unplug your network cable. If you can still access your data, it's on your local device. Worry. If you can't, it's in the cloud - with one caveat: an application can hold a local copy that it won't open while offline, so a failed offline test is reassuring rather than conclusive.
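The offline test is a quick first pass. A more direct check is to look for the local copies themselves - the Outlook caches, spreadsheets and exported contacts named above - so you know exactly what is at rest on a laptop before it leaves the office. The script below is an added example, not code from the original post or from Dillistone Systems. The file types, the default folders and the sample tree built by `demo_scan()` are assumptions about a typical install, not a standard, and the sample files are constructed for demonstration.

```python
"""Inventory the local files on a device that typically hold people data.

Added example (not from the original post or from Dillistone Systems).
The offline test above asks "can I still see the data without a network?";
this script instead lists the local files that would make the answer "yes".
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable

# Assumed: extensions that usually carry contact / candidate data on a laptop.
AT_REST_TYPES = {
    ".ost": "Outlook offline cache",   # present even when the mailbox lives in the cloud
    ".pst": "Outlook data file",
    ".xlsx": "spreadsheet",
    ".xls": "spreadsheet",
    ".csv": "spreadsheet / export",
    ".vcf": "contacts export",
}


@dataclass(frozen=True)
class LocalCopy:
    path: Path
    kind: str
    size_bytes: int


def find_local_copies(roots: Iterable[Path], types=AT_REST_TYPES) -> list[LocalCopy]:
    """Walk each root (without following symlinks) and collect matching files,
    largest first, so the biggest 'at rest' copies are listed at the top."""
    found: list[LocalCopy] = []
    for root in roots:
        root = Path(root)
        if not root.exists():
            continue
        for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
            for name in filenames:
                kind = types.get(Path(name).suffix.lower())
                if kind is None:
                    continue
                p = Path(dirpath) / name
                try:
                    size = p.stat().st_size
                except OSError:  # unreadable or vanished file: skip, don't abort
                    continue
                found.append(LocalCopy(p, kind, size))
    return sorted(found, key=lambda c: c.size_bytes, reverse=True)


def summarise(copies: list[LocalCopy]) -> dict:
    """Totals for a quick report: file count, total bytes, kinds seen."""
    return {
        "files": len(copies),
        "bytes": sum(c.size_bytes for c in copies),
        "kinds": sorted({c.kind for c in copies}),
    }


def default_roots() -> list[Path]:
    """Assumed typical locations; adjust to your own laptop image."""
    home = Path.home()
    return [
        home / "Documents",
        home / "Downloads",
        home / "Desktop",
        home / "AppData" / "Local" / "Microsoft" / "Outlook",  # Windows OST/PST default
        home / "Library" / "Group Containers",                  # macOS Outlook profile
    ]


def demo_scan() -> list[LocalCopy]:
    """Build a constructed sample tree in a temp dir and scan it (demonstration only)."""
    base = Path(tempfile.mkdtemp(prefix="atrest-demo-"))
    samples = {
        "Documents/shortlist.xlsx": b"x" * 2048,   # constructed: candidate shortlist
        "Documents/notes.txt": b"not people data",  # constructed: should be ignored
        "Outlook/mailbox.ost": b"o" * 4096,        # constructed: Outlook cache
        "Exports/contacts.vcf": b"BEGIN:VCARD\nEND:VCARD\n",
    }
    for rel, content in samples.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return find_local_copies([base])


if __name__ == "__main__":
    copies = find_local_copies(default_roots())
    for c in copies:
        print(f"{c.size_bytes:>12}  {c.kind:<22} {c.path}")
    print(summarise(copies))
```

The inventory tells you what is at rest; it says nothing about whether the disk holding it is encrypted, which is the other half of the stolen-laptop problem. Check that separately with the platform's own tool (FileVault on macOS, BitLocker on Windows, LUKS on Linux) before a device travels.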
Now, this is the broad rule. There are caveats - for example, transfers to the handful of non-EEA countries the European Commission has recognised as offering comparable protection (an "adequacy decision") - but not many countries pass that particular test.
So - if you are in the "local" camp and you take your data into one of the many, many countries the EU hasn't approved - you need to think. You need to change your technology, change your travel plans, or give up your passport!
Even if your team members never leave your home country, the difference between data in transit and data at rest is about to become far more important. GDPR says that search firms (or anyone else) may only share the personal data they control with data processors (CRM suppliers like Dillistone Systems) that provide technology offering "privacy by design". True cloud delivery - where the data is stored in a single cloud location - is far more likely to meet this criterion than a model that sees candidate data spread over multiple databases, stored on local laptops and on mobile devices.
A laptop gets stolen once every 53 seconds. A mobile phone is stolen once every 12 seconds. If a laptop or phone containing unencrypted personal data is stolen, you risk huge fines - an insurance company in the UK was recently fined £150,000 for the theft of a single hard disk containing 60,000 records, despite no evidence that the individuals concerned suffered any loss.
With FileFinder Anywhere, we offer privacy by design: data is stored in the cloud and is not cached on local devices. While this won't tick every GDPR box - GDPR goes beyond your database and into every part of your business - it will certainly help with some of the riskier areas. If your current technology supplier offers a less secure model, you may wish to speak to a member of our sales team.
We are hosting free webinars on GDPR, Privacy Shield and Data Security this week. To join us, register here:
"Data at rest is data that is not actively moving from device to device or network to network such as data stored on a hard drive, laptop, flash drive, or archived/stored in some other way."