Introduction – GDPR
You would think the start of 2018 has seen the legal recruitment industry wake up and pay significant attention to the General Data Protection Regulation, or GDPR. Well sort of. Route1 met with a number of leading legal recruitment firms over the past few months and there are three responses to what could be an existential threat to how legal recruitment is undertaken from May 2018:
- the first is “we acknowledge it’s a major compliance issue and are looking at a solution”;
- the second is “we are receiving conflicting legal advice and until we see someone getting fined or censured in the legal recruitment industry we are maintaining a watching brief”; and
- the third is “what’s GDPR?”
At Route1, we built a GDPR compliant solution back in 2016 that was, from the very beginning, “compliant by design” because our business model puts the interests of the candidates – the data subjects – first. Their data, their future, their control.
In the next few weeks, recruiters will be deluging candidates with requests for consent to hold data on them. Candidates will never have heard of many of them and are unlikely in this scenario to consent, as recruiters are forced to purge their non-compliant databases full of historic and incorrect data and try to start rebuilding them in a compliant manner. And in addition to rebuilding their databases, recruiters are facing significant challenges under the GDPR at each stage of the hiring process.
The Challenges Facing Traditional Recruiters
Traditional agency and search recruiters in the post GDPR world face a number of significant challenges to their business model, both in their sourcing and management of candidates and their data, and initiation and execution of candidate/employer interactions:
1. Candidate sourcing
From May, when a recruiter sources a candidate, it must ensure a candidate’s personal data was obtained in a context where that candidate has provided reasonable evidence of expecting to be contacted. This “legitimate interest” test requires a recruiter to establish and be able to demonstrate sufficient interest on the part of a candidate in order to support his or her solicitation. Having a profile on LinkedIn is not, as some recruiters would like to believe, enough to establish “legitimate interest” for an unsolicited hiring approach. It might be enough if the candidate has elected to designate that he or she is looking for a role on LinkedIn, but how many lawyers use this method of opening themselves up to cold calls?
|When registering for Route1, our candidates demonstrate their desire to source matches with all relevant jobs in their sector that we post on the platform. Sourcing for Route1 is inherently compliant as the candidate always takes the active step of signing up to the platform and setting his or her filters.|
2. Storing candidate data
If candidate data has been obtained legitimately, under the GDPR recruiters must now have a proper system to record consents as the basis for processing it and to ensure that use of it is consistent with such consent. They must also follow GDPR rules on data minimization, right to erasure, and monitoring consent.
|At Route1, consent to store data is given directly by the candidate, and we do not add anything to a Route1 candidate profile. Route1 candidates are always in control of their data, including the ability to amend or erase it; and candidates are only asked for additional information at point of application for a job.|
3. Contacting candidates for opt-in
Prior to the implementation of the GDPR in May, recruiters will have to contact every candidate on their existing databases to ensure opt-in consent is taken and avoid unsolicited or illegal communication with them. In marketing parlance this will need to be a “double opt-in”. To quote the marketing manual: “as long as you provide value, your list will not mind reaffirming their consent with you”. The spring of 2018 may well be a bonanza for prize draws with hampers or vouchers in order to try and obtain their re-affirmation and consent. And candidates should expect multiple offers too – because multiple recruiters cover the same candidates. If they’re cynical they should shop around, and if they’re inquisitive, from May they will be able to make a subject access request, for free, for the data a recruiter holds on them. And if they’re smart they will have already signed up to Route1…
|Route1 does not need to contact candidates for opt in because our terms and business model place “evergreen” data control with candidates. A Route1 candidate will only ever be contacted about an opportunity for which they have actively put themselves forward. They will, in effect, never have to take another cold call. And for the data regulator, explicit consent by a candidate – i.e. clear affirmative action by a data subject – will always outweigh tenuous legitimate interest arguments by an intermediary.|
4. Keeping a candidate’s data relevant
After May, recruiters will need to ensure the data that they keep on a candidate continues to be relevant, and is kept only for the minimal amount of time required for processing. In short, this means that they need to actively keep a CV up to date and remove information that is old. How long this can be kept is unclear, with some advisers suggesting six months, some a year. What is likely, though, is that recruiters will use this requirement as a good reason to contact their candidate pool every six months, to “check in”, ask candidates to validate their data and to provide refreshed consent. Effectively they will also be seeking to refresh “legitimate interest”. But moving to an actively managed database will be a significant challenge to recruiters, who up until now have had no incentive to manage and remove reams of old and inaccurate data in passive databases. This challenge has been so great for many recruiters that they have simply dumped all their data rather than have to make value judgments and seek consent to retain and update candidate data.
|With Route1, candidates fill out their own sign-up screen and keep their data updated and current: it is their data and they control it. At every stage.|
5. Monitoring consents and opt-outs
To comply with the GDPR, every time a recruiter contacts a candidate, it must give the candidate the option to unsubscribe or opt out from future communication, and be able to track and enforce that opt-out. Candidate opt-outs must be enforced across all internal communications, and recruiters will need to ensure that after opting out candidates are not contacted again (unless they are able to justify a legitimate interest for a specific additional communication). This can be hard when teams of recruiters are often encouraged to work against each other to place candidates.
|At Route1 we do not use pressure environments to generate “sales”. With Route1, candidates have default opt-out functionality because the Route1 candidate always elects to apply for roles – he or she is always in control. For this reason, we don’t need to buy an expensive CRM system to ensure our candidate management and communication automatically tracks opt-outs. We built it into our business model two years ago.|
…and the Challenges Facing Employers
The GDPR now presents a compliance risk to employers from a sometimes frankly wilfully non-compliant recruitment industry. At Route1, we want to reinforce talent supply chain legitimacy for our clients. Because Route1 was built to comply with GDPR from inception, we will never expose our clients to GDPR compliance risk.
It will take recruiters a long time to rebuild their non-compliant databases, wean themselves off a lifetime habit and learn to abide by an entirely different workflow process. Time that is valuable when an employer has to fill roles, often at short notice. What is clear from our discussions with our employer clients is that as their margins are squeezed by their clients, and management’s scrutiny of costs becomes ever more acute, they are desperate for a faster, cheaper, more efficient recruitment solution that delivers talent to them. For them, Route1 is that solution, and at a pricing point that is 40% cheaper than traditional recruiters. The fact that we provide access to thousands of GDPR compliant candidates – and upon application all the things that add friction and time to the recruitment process such as CVs, references and academic transcripts – means GDPR significantly reinforces our value proposition to them. This is why we have added several new clients to the platform in the past few weeks, including Skadden, Sidley Austin and MBM Commercial.
Conclusion: GDPR = Candidate Power
Information is power, and the GDPR ensures that transparency means candidates can now wield that power to effect positive change in legal recruitment methods. At Route1, we have built the largest database of GDPR compliant candidates in the UK legal sector. Help us effect change for the good in legal recruiting after May by writing to those recruiters who have cold called you, or put you forward for jobs without your consent, and ask them to disclose what data they hold on you, who they approached on your behalf, and insist that they respond within the 30-day response period mandated by the GDPR. Then, if you haven’t done so already, join up to Route1 to receive targeted and direct jobs from top employers, rather than wait for the recruiters to catch up with their data compliance and determine if they can contact you.
It will take a long time for traditional recruiters to rebuild the non-compliant databases they have filled with historic and irrelevant information in order to wean them off a lifetime habit and learn to abide by entirely different workflow practices. This is valuable time where you may miss out on the job opportunity you’ve been waiting for. And do you really need recruiters when you have targeted relevant roles sent directly to your phone from 200+ legal employers in the UK?
James Cole, Founder