The Final Countdown: GDPR For Recruitment
This week, the world has woken up to its GDPR obligations. By 17:00 on Friday, May 28th, the General Data Protection Regulation (GDPR) will become law. Are you ready?
A lot has already been written about GDPR, and what it means for your business. At eBoss, we have done our bit, with free GDPR resources to keep our subscribers and recruiters in the loop. Rather than go over the law again, we want to look at some real-world processes. So here are some areas of business that could bring your recruitment agency into contact with new regulations.
Your Recruitment Database
This is probably the obvious place to start. It is also the area causing the most confusion for recruiters. Let’s answer the big question first:
“Do I really need to ask my entire database of candidates for permission to store their data?”
The answer is: probably not. As more recruiters are realising, consent is just one of the six routes to compliance available to them. In reality, you probably do not need explicit consent from a candidate to store their data. This is because you store their data to find them jobs. Finding a job is a legitimate interest for every candidate.
Of course, you don’t simply get to say you have a legitimate interest – you actually have to prove it. This is done through self-assessments and report writing. The paperwork is one of the reasons why so many people overlooked the “legitimate interest option” in the first place. Whether you choose consent or legitimate interest for your database comes down to one factor. Would it be more onerous to lose access to potentially 90% of your database (consent), or to write some compliance reports (legitimate interest)?
Our solution for great recruitment database compliance is to use this free Legitimate Interest Assessment pack. Download it, and follow the workflow diagrams to produce a step-by-step report on your own processes. The end result is a document that you can keep on record, to prove your database compliance. It is self-assessment made easy!
No one-size-fits-all solutions
But you should also remember that every process needs its own lawful basis. You can store personal data in order to find a candidate a job. But if you then choose to use that data to send them an advert, you need a separate legal basis (see Marketing, below). And, if you first want to export that stored data to a mailing client, that will also require its own basis.
You’re probably starting to see why GDPR for recruitment is not a straightforward task!
How will you manage your business relationships after May 25th? GDPR creates a whole host of new considerations. One of the most important is the fact that some level of liability is now shared across an entire data chain. If one of your processors breaches the regulation, you may be held somewhat accountable – because it was your responsibility to appoint only compliant processors.
Of all the real-world repercussions of the GDPR, this is perhaps the most sensitive. It pays to be cautious, and to undertake some thorough groundwork. Because you don’t just need to be compliant; you have to be able to prove it to everyone else, too.
Keeping your clients: points to consider
• Define each relationship: who is a controller, a processor, or a joint controller? Understand the interactions and differing sets of responsibilities between all three.
• Use agreements to clarify each business relationship. Define the limits of control each party has over any shared data.
• Your clients may feel exposed to compliance risk from their existing business relationships. Reduce their anxieties by demonstrating your own compliance. File reports, select only compliant service providers, and adopt a position of “full disclosure” on data security matters.
• GDPR is a “bump in the road”, so to speak. It may seem like a lot of extra work in the beginning, but once it’s done, it just becomes another part of your daily operations and routines.
Marketing is one aspect of your business that is likely to generate extra workloads and late nights. Why? Because it is the area of your business that is the most likely to attract complaints for non-compliance.
This is simply because bad marketing is a nuisance. Once customers realise they might be able to use GDPR as a stick to beat annoying marketers, you can bet that many will try! How does this affect recruiters? It means that their direct marketing activities now come with a higher associated risk – even though the process itself is often of limited or secondary importance.
Because of that, a lot of agencies are playing it safe: they are seeking consents for their advertising. Getting contacts to opt back in to advertising might not really be necessary if your existing marketing sequences already comply with the Privacy and Electronic Communications Regulation (PECR). Despite this, many recruiters are deciding that it is not worth running the risk to find out. So how can you retain your leads, and play it safe with GDPR rules? Follow our five steps.
Five steps to GDPR compliant marketing
1) There is a secret to smarter compliance. It is this: use consent forms that are as easy to reply to as they are to ignore. That is the philosophy we used when we started to develop the Compliance Tool. You can collect consents, and still retain the better half of your database in the process.
2) Sometimes, marketing can be a legitimate interest. For instance: you may have downloaded a free GDPR handbook from eBoss. In the future, we might contact you to tell you about another free GDPR handbook that we have published. This would be an acceptable legitimate interest as we would have balanced your user expectations and past uses of our service in the decision-making process. But could we write to you and tell you about a paid GDPR product, or a brochure about bathtubs?* No we could not – unless we had sought your prior consent.
3) Balance your decisions. Complete a Legitimate Interest Assessment for any marketing processes that are not conducted under consent.
4) Use this to your advantage. A compartmentalised approach to marketing may actually help you to improve your funneling of leads. It forces you to implement more targeted, more appealing content.
5) Remember that you are not allowed to bundle consents. You cannot force someone to accept adverts in exchange for an offer, or a service, for example.
And what about your other processes? Your back-end tasks power your business, but neither your clients nor your customers could care less about them. Because of this, general admin tasks will (generally) not require consent, as there is a legitimate interest to carry out these duties in order for your business to function.
So, while you are unlikely to receive direct complaints about non-compliance in these behind-the-scenes areas of your enterprise, there is still some work to be done. When getting your processes into compliance, always keep in mind two of the fundamental factors of the GDPR: minimisation of processing, and privacy by design.
Processing Checklist for GDPR Day Zero
• Ensure all data is stored within the EU.
• Use encryption on stored data.
• Pseudonymise data when appropriate and possible.
• Back up all data, so that it is easily recovered to prevent permanent loss.
• Limit the transfer of data to destinations covered by GDPR, or regulation that is recognised as equivalent to GDPR.
• Update your terms of service and privacy and cookies policy to acknowledge new rights and obligations under GDPR.
• Inform customers, users, and data subjects of their new rights and obligations under GDPR.
• Put in place service agreements which define the limitations of processing and sharing of personal data.
• Choose only processors and subprocessors who are able to demonstrate GDPR compliance prior to May 25th.
• Implement staff training to ensure every member of your team is aware of their responsibilities.
• Undertake risk assessments of assets and threats that relate to personal data within your organisation.
Why GDPR means smarter recruiting
The changes you make here could actually help you to streamline your business. Don’t process data for the sake of it. Document your reasons for every stage of your data processing tasks. Reduce or remove those processes which are habits, but which are no longer essential.
Similarly, choose tools that have been built from the ground up, with privacy in mind. Automated CRM, talent trackers and integrated communications tools can provide excellent, effective solutions. Recruitment software which allows you to report on any aspect of your business does so because it generates and captures use-data. You can use this data to help secure your own business. Want to know more? eBoss can help you out.
* This was just an example. Please do not ask us for it, as it does not exist.