Companywide commitment to privacy and security

General Data Protection Regulation (GDPR) Guide

The European Union’s (EU) General Data Protection Regulation (GDPR) went into effect on May 25th, 2018. The GDPR is a significant change for global data privacy law and contains complex rules for organizations dealing with personal data from EU residents.

Korn Ferry respects your privacy and we value the trust that you place in us. We have put together this guide to help you understand the basics of the GDPR and, together with Korn Ferry’s GDPR and Data Protection Measures statement, to provide you with a transparent view of what Korn Ferry is doing to protect your data.

Note: This overview is provided “as-is” and may change without notice. It is intended for informational purposes only and should not be relied upon as legal advice.

What is the GDPR?

The GDPR is a comprehensive data protection regulation in the EU. It updates, strengthens, unifies, and clarifies the prior EU data protection law. It gives EU residents greater rights with regard to their personal data and requires the implementation of enhanced policies and procedures by organizations that process personal data.

To whom does the GDPR apply?

The GDPR applies to any organization that “processes” personal data about an EU resident. Any operation performed on personal data, such as collection, use, storage, disclosure, or disposal, is considered “processing” under the GDPR. The definition of “personal data” under the GDPR is very broad, covering any information relating to an identified or identifiable person (referred to as a “data subject”) residing in the EU.

What does the GDPR require?

The GDPR establishes a variety of new requirements for the processing of data subjects’ personal data. These responsibilities vary depending on whether an organization is operating as a “controller” or “processor.” Under the GDPR, a “controller” determines how and why personal data will be processed. A “processor” carries out processing activities on behalf of the controller. Depending upon the engagement at hand, Korn Ferry may act as either a processor or a controller. For example, we act as a controller when individuals engage Korn Ferry directly and provide us with their personal data. We may act as a processor where organizations engage Korn Ferry to provide services to their employees or otherwise on their behalf. Below are some of the most important ways that the GDPR updated EU data privacy law:

  • Data protection by design. When creating systems or products for processing personal data, organizations must consider the privacy implications to data subjects and integrate the necessary safeguards to protect the rights of data subjects.
  • Enhanced policies and procedures. Both controllers and processors are obligated to keep records of processing activities and have policies and procedures to ensure adequate protection of personal data.
  • Third-party management. Controllers may only use processors that ensure the adequate protection of personal data and compliance with the requirements of the GDPR. These obligations must be supported by appropriate contracts between controllers and processors.
  • Data breach notification. Controllers must notify the competent supervisory authority within 72 hours of discovering a data breach if the breach presents a risk to the rights and freedoms of affected data subjects. If the breach presents a high risk, the controller must also notify the affected data subjects without undue delay. Processors are obligated to notify the controller without undue delay after becoming aware of a personal data breach.
  • Transparency. Controllers are required to provide clear and transparent notice to data subjects regarding the data collected, the processing and use of the data, as well as data retention and deletion policies.

What rights do data subjects have under the GDPR?

Under the GDPR, data subjects, with some exceptions, have the right to:

  • Access their personal data
  • Correct errors in their personal data
  • Request the erasure of their personal data
  • Object to the processing of their personal data
  • Receive an export of their personal data


Controllers must have procedures in place to deal with data subject requests and respond to such requests within one month of receipt, subject to applicable extensions.

Note: This overview is provided “as-is” and may change without notice. It is intended for informational purposes only and should not be relied upon as legal advice.