GDPR for Employers: An Opportunity
Pretty much every company across Europe is presently preparing for the arrival of the new General Data Protection Regulations on 25th May 2018, and whilst it’s easy to become frustrated with the added layers of policies, procedures and documentation required to comply, GDPR should be seen as a huge opportunity for employers and recruiters to get their respective houses in order.
Anecdotally we hear from many of our clients that they have a recruiter or two on their supplier lists who seem to have a habit of submitting CVs of candidates they’ve never spoken to and yet their actions are at times ignored. Come 25th May this will not only be bad practice it could potentially be unlawful and could land your company in seriously hot water (unless of course you’ve been tasked with disposing of 20million Euros as part of your job).
The purpose of this article is not to give you chapter and verse about GDPR but instead to explain what you as an employer should be looking for from your recruitment suppliers. So, here are the headlines; there are six legal bases for processing personal data, only three are relevant to general recruitment activities and of those most recruitment consultancies will try to rely on the wonderfully vague basis of “Legitimate Interests”.
In simple terms “Legitimate Interests” allows a recruitment company to hold personal data of an individual as it is necessary for them to provide work finding services for that individual. And that is fine as long as the recruitment company doesn’t hang on to the personal data longer than is necessary and doesn’t choose to share it with a third party. However, if you are working for an employer and are receiving CVs from a recruiter you’re going to want some sort of assurances that they actually have the right to share the applicant’s personal data with you.
So, as an employer you really need to be looking for confirmation that any CVs you receive are from candidates who have given their consent for the Recruiter to send them. “Consent” is the best legal basis for processing of personal data as it is then completely clear that the individual knows that the recruiter is working on their behalf, has given their approval to the recruiter’s actions and crucially has a mechanism available to them for withdrawing their consent when they are no longer looking for work.
Now, let me just pause to clarify; “Legitimate Interests” might be a lawful basis for a recruitment consultancy to have sent you a CV but “Consent” definitely is. More succinctly put, using “Legitimate Interests” is doing the bare minimum, “Consent” is best practice.
So, as an employer, why should you care the basis being used by your recruitment suppliers? Here’s just a few reasons why:
If it’s under “Legitimate Interests”:
- How do you know that the Recruiter sending you the CV has gained the personal data in a lawful manner? If they haven’t then you haven’t either.
- How do you know the candidate has seen the recruiter’s privacy statement and policy?
- How do you know the candidate even knows their personal data has been shared with you?
- Do you want to give a place on your PSL to a Recruiter who is only prepared to do the bare minimum to achieve their placement fee?
….on the other hand, if it’s under “Consent”:
- You know that the Recruiter sending you the CV has gained the applicant’s personal data in a lawful manner and,
- The candidate has seen the recruiter’s privacy statement and policy and,
- The candidate knows their personal data has been shared with you and,
- You are working with a Recruiter who strives for best practice and so is willing to earn their placement fee by doing a good job for all parties.
So employers, GDPR is a great opportunity for you to review your PSL and ensure that you are getting the best standard of service. By insisting all your suppliers gain the full GDPR “Consent” required from candidates you will see many improvements in the service you receive from your PSL, including:
- Fewer duplicate applications, where two or more recruiters claim the right to represent a candidate. And on the rare occasions where they have both/all gained the candidate’s consent they will have that moment time and date stamped which they can share with you.
- More committed applicants; at present it is very easy for a candidate to just say yes to every recruiter that calls them, and only whittle down their options once the interview requests start rolling in, this wastes your time. By insisting they consent to working with the recruiter and applying for your role, your CV received to interview attended ratio will increase.
And so yes, seeing as you are bound to ask I can confirm here as I will if you choose to engage with us as a supplier; every candidate you receive from Novate IT and 52 Degrees North will have given their full consent for us to hold and share their personal data with you. In truth we’ve being doing this since both companies started and so are now delighted to see it being enshrined in law and our competitors forced to catch up.
So, employers here’s your challenge; review your PSL now and ask all your suppliers what their plans are for complying with GDPR? Will they be doing the bare minimum and putting you at risk with “Legitimate Interests” or are they actually committed to best practice and providing you with a lawful source of candidates who know what is happening with their data and have given “Consent” to an application with your company? Remember, you’re paying for a service so why not insist on getting one?
Stewart Smith – Self-professed recruitment expert and Bristol’s least hated IT recruiter.
– If you’d like some help understanding what GDPR means to you as an employer or redesigning your recruitment process or just getting to the bottom of where all the talented employees you need to hire are DM or email me firstname.lastname@example.org