GDPR and the UK Recruitment Industry
I’ve had a lot of conversations this year with recruiters in relation to data protection in general, and the way the industry handles candidate information in particular.
As a former recruiter myself and a long-time advocate for data and information privacy, I feel quite strongly about this, so felt moved to write a blog post on the subject.
There is plenty to the ‘carrot vs stick’ issue relating to the GDPR; the media loves a juicy story with which to beat industries and companies about the head, so we have seen headlines about the fines that the new legislation will bring, and how this could spell financial disaster for small businesses.
Non-Compliance Is Not an Option
I consult to micro businesses and SMEs, and I have to agree that non-compliance is definitely not an option.
The REC (Recruitment and Employment Confederation) have recognised that the GDPR will affect all recruitment businesses, and have even gone so far as to issue guidance on their website, albeit this is a bit thin.
They seem to have missed the point about excessive processing. I would say this is an essential criticism most candidates have of the recruitment industry today.
APSCo (the Association of Professional Staffing Companies) offer some slightly more in-depth advice, including the need for transparency, and Recruiter Cover (an industry insurance broker) have also homed in on the changes.
Consent & Data Breaches
These articles, and many other posts and discussions that I have read on the topic, still seem to be focusing on consent and data breaches, and are missing some key points on how the recruitment industry fundamentally operates that will come under scrutiny with GDPR - I’d like to refer to the actual wording of the legislation at this point.
From my perspective, and for this post, the following are glaring errors which has yet to be acknowledged and addressed in relation to the impact GDPR will have on the recruitment industry.
What’s That Saying About Assumption?
Setting aside the online job applicants who swiftly become candidates and proceed through a job selection process for a second, let’s think about the unsuccessful applicants, and how they are currently assumed to give their consent to processes that they are mostly unaware of at the time they submit their application.
The very act of submitting an online application is assumed by the recruiter to be consent – sure, they may not always read the standard disclaimers and responses about their details being “retained on file so they can be contacted about suitable jobs as they arise” but under GDPR the recruiters will now need to be very clear about what they intend to do (or not) with those details.
Most candidates assume that their CV is always going to be looked at first by an experienced recruiter who will determine, without speaking with them, exactly what it is that they are looking for and what will be a match, before carefully tagging their details thus and filing them away.
They may also assume that this will ensure they pop up in searches every time a new job match comes in, before that job is advertised online.
What they don’t really consent to, despite the practice and assumption that they do, is to all of their personal and sometimes sensitive data being filed away in a database with tens of thousands of other people, never to be looked at again. That review and tagging for perfect job matches? Unlikely to happen.
Neither do they really consent to their inboxes being periodically spammed with generic emails sent to hundreds of people (extracted from a Boolean search string of said databases) about irrelevant or unsuitable jobs.
And if they want to get noticed when the next job comes up that they are interested in? Well, they have to do it all again, despite their details already being “on file”. Which means over a period of time they rely on the recruiter actively updating their old information with any new application details that they have supplied over time. Another assumption.
And going back to the unsuccessful candidates, who don’t secure a role following their part in any earlier-mentioned job selection processes? Well, they also end up in this process loop.
Reviewing Recitals 42 and 43, I would suggest that in order to continue on in their current vein recruiters will need to specifically outline this is what they intend to do. Or, change their processes. Either way, they will need specific consent to this use of an applicant’s data.
Provision needs to be made that applicants will want to separate out their consent, from the initial vacancy application processing, to the storage and search-ability of their details for a future time period.
Which brings them right back to Article 5 e) which stipulates the need for time limitations on purposeful data processing.
“But what about the legitimate interests of a recruiter?” I hear you cry. Well, looking at Recital 47 I would argue that, again, without clarity on their intentions a recruiter cannot assume that applicants and candidates will agree to a relationship with the recruiter if the parameters of that unequal relationship haven’t been clearly expressed at the outset.
Any relationship where one person expects hearts and flowers and the other expects something more transactional is unlikely to be a fulfilling one for both parties.
Imagine that, in this analogy, the person expecting a transactional relationship (at best) is the one controlling all aspects of the relationship, and keeping the other person clueless about their real intentions.
Doesn’t really sound like the kind of relationship you’d want to willingly enter without all the facts, right?
Justification for Keeping Details on Record
I’d suggest it will be hard for recruiters to claim a relevant and appropriate relationship with applicants on a “client” basis, to justify them keeping details on a database. Especially when applicants (based on experience) don’t reasonably expect further meaningful processing of their details.
From a recruitment perspective, the “client” who is being provided with a service is usually the one paying the fees, or the hiring manager for internal recruiters, not the candidates.
Transparency & Automated Processing
My final point is in relation to Articles 21 and 22 in relation to the automated processing that occurs in the industry, such as killer questions that are open or hidden in an applicant tracking system.
This is usually processing that can be hidden in the background, but is a large part of recruitment data processing, and will now called into the light by the new legislation Such automated processing will not only need to be justified by recruiters, it will need to be declared to all applicants at the point of initial data capture, in the principle of transparency that the GDPR requires.
Recruiters will need to give careful thought to how they craft their declarations, to avoid losing candidates and applicants dropping out at early stages, and I suspect many will find this requirement for transparency an alien concept and very challenging.
Osborne Clarke hit this spot on the nose in a recent blog article on the topic, which is heartening to see, but my favourite article on this to date is Route1’s article which (though slightly smug) shows that they have clearly thought about how the new legislation will impact the industry.
Route1 have been proactive to address this in their business model; their article also highlights, for any recruiters who take the time to read it to the end, some of the very real issues I have been talking about.
Will the recruitment industry get itself in shape in time for 25th May 2018?
Time will tell, but I fully expect the wave of expected DSARs (Data Subject Access Requests) from dissatisfied applicants and unhappy candidates to break over some unsuspecting recruitment heads in a big, cold, unpleasant wash next year.