The GDPR is a complex set of regulations. It’s easily misunderstood. That’s why vendors such as ourselves have spent a fortune on legal advice and internal training. I’d like to think that our competitors have done similar.
Which is why I’m surprised to hear some of the commentary from one competitor.
Very simplistically, under the GDPR, CRM suppliers – like Dillistone Systems – are typically Data Processors. Generally speaking, search firms are Data Controllers (they may also be Data Processors, but that’s another story).
Data Controllers are responsible for selecting and implementing a legal basis for storing data on European citizens under the GDPR. The relationship is always between the search firm and the individual.
It’s not between the Processor (the CRM supplier) and the individual.
If you use FileFinder Anywhere to manage GDPR compliancy – with or without GatedTalent – the results of your compliance campaign are stored within your FileFinder database. If you choose to use GatedTalent then we will also keep an independent track of it to provide evidence of what you’ve done, but the entire compliancy history is still stored in your own database. As a result, in the unlikely event that you should ever choose to switch systems, you’d have access to all of your compliancy data and it could all be ported to a new platform in exactly the same way as any other information in your database. This is true from both a practical and a legal perspective.
Remember, the fundamental tenet of the GDPR is to put control back in the hands of the Data Subject. If you use GatedTalent, you are allowing executives to provide you with additional information and to update that information on an ongoing basis. You are making it easy for them to take that control. But all of the legal information, all of the data that they provide, everything is replicated in your local database.
We’ve engaged multiple different lawyers from multiple different firms and multiple countries to review our Compliance process. We’ve also met with lawyers acting on behalf of some of the largest firms in the world. Our internal DPO function includes a Director with both the GDPR-P and GDPR-F qualifications.
Client take-up of our GDPR solutions has been far beyond our expectations – we announced to the stock market just last week that we would be sending “significantly more” than 2,000,000 compliancy notes through the platform – and so we can say with a degree of comfort that our clients are comfortable with our model – even if certain of our competitors are not.
Again, compliance is about the relationship between the Data Controller and the Individual. It’s as basic as it gets. GDPR 101. Still, misunderstandings happen… Don’t they?