THE GDPR AND THE RECRUITMENT INDUSTRY – TIME TO COMPLY
Use of data by the recruitment industry has changed significantly over the past ten years. With the explosion of publicly searchable social media, the need to maintain a proprietary database of potential candidates has become less critical to find people to fill roles, at least on the agency side of the business. LinkedIn has become the go-to source for many recruitment agents, acting as it does as an outsourced, up to date tool for recruitment agents to search. But what about their legacy databases, that often contain richer, more specific (and often out of date) personal data relating to candidates? Most recruitment agencies still keep them, and search firms generally keep significant amounts of non-public data on their systems about potential candidates often sourced from internal research.
At present, the compliance burden of maintaining this data has been relatively light. From May 2018 however, industry participants will have to ensure that the databases and processes they use to store and process personal data are compliant with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), and reconsider how they intend to use personal data going forward. The GDPR is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The primary objectives of the GDPR are to give citizens and residents back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR and how it will affect recruitment agencies
Recruitment agencies who maintain a database of personal data are “data controllers” under the scope of the Regulation. “Personal data” under the GDPR is defined by the European Commission as “is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” So under this broad definition, most recruitment agency databases will become regulated. At Route1 we operate an online marketplace connecting lawyers and legal employers. We represent over 200 legal employers, including six of the top ten leading law firms and we have over 8000 users who have used our platform to date. Because Route1 was designed from scratch in 2016, we do not use legacy systems for storing our candidate data and we have designed our proprietary database tools to be GDPR compliant from the start. Our information is provided by the candidates themselves, and they “control” use of their data to a large degree. We are not expecting the competition to emulate our business model, but we believe an unwitting effect of the GDPR will be to start to move industry behaviour towards more transparency.
Once a recruitment agent controls personal data relating to its candidates, it is automatically subject to regulations regarding:
- Data controller responsibility and accountability
- Candidate consent rights
- Candidate rights to access requests
- Candidate rights to erasure
- Candidate rights to portability
Responsibility and accountability
In order to be able to demonstrate compliance with the GDPR, recruitment agents must implement measures which meet the principles of data protection by design and data protection before May 2018. Privacy by Design and by Default principles (Article 25) require that data protection measures are designed into the development of recruitment processes as they relate to personal data.
One way to implement such measures is to pseudonymise personal data as soon as possible after receipt (Recital 78). The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. By its nature, candidate information is generally capable of identifying the data subject, so this avenue is not available to most recruitment firms. Route1’s business model involves candidates consenting to their anonymised profile being provided to the platform in order to match with job specifications and so is developed with Privacy by Design in mind. Because a candidate’s personal data is already pseudonymised under Route1’s business model via anonymisation, it is not subject to the many of the controls and penalties of the GDPR as they relate to subject data.
While pseudonymisation will not work for “traditional” recruitment firms, it should still be stressed that adherence to certain principles – i.e. that a recruitment firms’ data system privacy settings must be set at a high level by default, and that technical and procedural measures should be adopted by a recruitment firm in order to make sure that any of its data processing complies with the Regulation, are still relevant for them to be GDPR compliant.
Valid consent by a candidate must be explicit for data to be collected, and the purposes for which data is to be used must be set out clearly (Article 7; defined in Article 4). Recruitment agencies must therefore be able to prove “consent” (opt-in) has been granted by their candidates. Furthermore, candidates must be able to withdraw consent at any time. This is fundamentally challenging for many recruitment agencies, as the candidates on their databases are often unaware of even being on a database. On-boarding candidates will, for example, now require a script and documented consent from a “cold call” to potential candidates. This notice requirement must include an indication of retention time for a candidate’s personal data and the contact information for the recruitment firm’s data controller (and, if required, a data protection officer). Route1’s candidate acquisition process is fully compliant with the GDPR in terms of consent rights, because its business model is premised on data subject control. Using Route1, candidates elect to sign up, provide their own data and actively control when to have their identity revealed to an employer.
For “traditional” recruitment firms, re-signing up their database to full consent will be a challenging prospect, but the GDPR leaves them no option. We believe this option could open a new acceptance of empowering candidates to make their initial matching choices before contacting their “chosen” recruiter. Not the other way around, as the current model dictates. Information was power in this market – now it carries a significant compliance cost.
Candidate access requests
The GDPR also requires prompt responses from recruitment firms when a candidate makes a data subject access request. There is expected to be a wave of data subject access requests once the GDPR and the rights it grants to individuals becomes more widely known following its implementation. Traditionally most initial contact with recruiters has been unsolicited, and therefore the level of subject access requests may be high. Recruitment firms must therefore have procedures in place to promptly respond to these requests. Because Route1 is a platform, we allow our candidates to search and amend their own data at any time. For “traditional” recruitment firms, we believe this open access architecture will become part of their way of doing business going forward.
Candidate rights to erasure
In addition, Article 17 provides that a candidate has the right to request erasure of personal data related to him/her held by a recruitment firm on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case where the legitimate interests of the relevant recruitment firm is overridden by the interests or fundamental rights and freedoms of the candidate. It will be hard to sustain that the legitimate interest of the recruitment agency have been overridden when the candidate has not even given consent to having its personal data held on an unsolicited and uninformed basis by the recruitment firm in the first place. At Route1, we do not face the “erasure” problem because Route1 is a platform that ensures candidates data is completely removed from the system following a request by the candidate . As mentioned above, the only feasible way to ensure compliance for traditional recruiters is to re-solicit candidates to join their GDPR compliant database, and such consent being obtained in a GDPR compliant form.
Candidate rights to portability
Finally, Under Article 20 of the GDPR, a candidate must be able to transfer its personal data from one electronic processing system held by a recruitment firm into another, without being prevented from doing so by the data controller recruitment firm. In addition, the data must be provided by the recruitment firm in a structured and commonly used open structure electronic format. Because Route1 is built using a commonly used open structure electronic format this enables portability to the extent required by the Regulation.
Effect of GDPR breaches
The cost of non-compliance with the GDPR, is significant, with the following sanctions capable of being imposed:
- a warning in writing in cases of first and non-intentional non-compliance
- regular periodic data protection audits
- a fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 4)
- a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 5 & 6).
It is clear from Route1’s research that many in the recruitment industry are not even aware of the GDPR or of the perils it holds for their traditional use of data and the impact it is likely to have on their business model. The industry faces a significant regulatory burden in order to prepare for compliance with the GDPR.
We believe most recruitment agencies will have to completely rebuild their database structure and business processes in the next 12 months or face the risk of significant sanctions. At Route1, we identified this regulatory and compliance challenge for the UK legal recruitment market early in our development, and designed and built the only bespoke GDPR database solution for the recruitment industry that is scalable across recruitment verticals.
For more information:
Max Barry, CTO
Notes for editors/About Route1
Route1 is an online marketplace connecting lawyers and legal employers. In just under a year after launch, we represent 200 legal employers, including six of the top ten leading law firms. Lawyers downloading our app are rapidly growing in number, with over 8000 users downloading the app to date. We have completed a double beta test of the platform over nine months in the UK and over six months in Australia. Route1 was founded in the UK in 2015 and is headquartered in London. Its founders and investors include experienced lawyers, digital entrepreneurs, recruitment consultants and HR professionals. The company’s website is www.route1.co.