Recruitment/HR teams as well as staffing firms hold large volumes of candidate data, which is turning out to be a key business enabler. Staffing firms and talent acquisition teams have developed dependencies on data of this kind to the extent that it is being increasingly used to assist in decision-making. With the introduction of recruitment analytics platforms which can draw on stored and classified candidate data, teams have started deriving additional value by processing, analyzing and placing it in a visual form. Pattern, trends, correlations that may not be detected otherwise can be read more easily using data visualization tools. Thus the importance of data in the people business cannot be overstated. The onus, this far, of safeguarding the data related to candidates and/or employees has been on the organizations/teams collecting such data.
However, the recent breach at the East Lindsay Council which first came out in the open in November 2018, compromising candidates’ data including current and expected salaries, and also their strengths and weaknesses and other interview details, proves that security is the responsibility of all the stakeholders dealing with the data. While such incidents may or may not affect ongoing processes, but may put a serious question mark on the data handling practices within the company. UK’s transition out of the EU has led many public sector organizations to cut costs and adopt Digital approaches to improve services to citizens, putting a lot of pressure on existing processes. In this melee, many organizations have failed to prioritize and address the concerns regarding data integrity and quality. One such organization that had to face the brunt of this is the NHS. A trust belonging to the NHS had accidentally published the personal data of hundreds of junior doctors. While the above have arisen due to negligence and poor internal handling of data, many other instances of data breach have been the result of intrusion, phishing, social engineering etc. In 2016, Michael Page, the global recruitment firm had stated that a “third party illegally gained online access to a development server used by our IT provider, Capgemini for testing PageGroup websites”. This was in the wake of an inadvertent data leak which affected 780,000 candidates registered with the company. These leaks expose the vulnerabilities within the system and the risks associated with managing peoples’ data. Such occurrences cast a serious doubt on the companies’ credibility, investor confidence, employee and stakeholder trust. The need for transparency and security of data has never been so strong as it is now; the introduction of GDPR will bring far-reaching changes to the recruiting business based on these two factors.
Understanding the different roles within GDPR
Article 1 of the General Data Protection Regulation (GDPR) “lays down rules relating to the protection of natural persons with regard to the processing of personal data ….and protects fundamental rights and freedoms of natural persons and their right to the protection of personal data”. GDPR is a data privacy and data processing/handling law, passed by the European Union, that applies to companies or organizations operating across the world who deal with the personal data of any EU citizen with the aim of securing and protecting such data. The law applies to processing of personal data which is defined as “any information related to a natural person, that can be used directly and indirectly to identify a person”.
The law has provisions for administrative fines which aims to be effective, proportionate and dissuasive, covered under Article 83 of the law. Infringement under various articles of the law attracts fines ranging from 2% to 4% of the total worldwide annual turnover and between €10mn and €20mn whichever is higher.
In the recruitment business, recruiters are dealing with the personal and professional data of candidates – date/year of birth, place of residence, contact numbers, emails, current and past employers, compensation, and work experience. It is important to understand the roles of different stakeholders who deal with data. Article 13 of the new GDPR regulation which has come in to effect from May 25, 2018 mentions the list of information that has to be provided by a ‘Data Controller’ (can be an employer or a recruiter) to a ‘Data Subject’ (in this case a candidate) while collecting personal information from the latter. The data controllers are fully responsible for managing, processing, maintaining and protecting this data and also ensure its lawful use. Staffing firms/recruitment teams may also double up ‘Data Processors’ – Applicant Tracking Systems (ATS) and other platforms/applications/software can also be categorized as ‘Data Processors’.
Impact of GDPR on the recruitment function
While there are other factors at work that influence recruitment operations, the impact of the GDPR on recruitment revolves around the following basic points:
- Business Need/Legitimate Interest: Recruiters source resumes to extract candidate information for a specific purpose and with a particular intent. Article 5 of the GDPR lays down the principles related to processing of personal data. It mandates that personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” and the data which is collected for the purpose shall be “processed lawfully, fairly and in a transparent manner in relation to the data subject.” Further the data has to be collected using lawful means and has to be relevant for the purpose it intends to serve.
- Intent: With the law in place, recruiting companies may have to re-look at their old practice of sourcing and accessing information with a view to build a talent pool to be used later – such a possibility may not exist anymore. Companies are legally bound to collect and process information with a clear intent to reach out to the candidates within a specified time.
- Consent: The consent of the ‘Data Subject’ is crucial for any recruitment organization to go ahead with processing such information. GDPR mandates, as a part of its transparency directive, to obtain clear, concise, and explicit approval/consent from the candidate before such information can be stored, processed, and analyzed. This is important because recruiters, often, become privy to personal details of the candidates, other than professional; biometric, gender, cultural or genetic. The candidates need to be made aware of their options and rights (such as withdrawing previously given consent) should they feel the need to do so. This also includes providing the candidates the right to request deletion of any such identifiable information.
- Data Portability: GDPR defines Data Portability in Article 20 (1) “the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance……”. In other words data controllers will have to enable a framework using which data subjects can move, copy or transfer their data for their ‘own purposes’ across a variety of IT systems.
- Access to data: GDPR is all about transparency and rights of ‘Data Subjects’. While a candidate may request deletion of data as mentioned above, there are additional rights which are conferred on candidates – request to rectify data to remove anomalies, restrict further processing (not necessarily deletion) and also provide them access to their data. A template notifying the company’s Privacy Policy is mandatory on emails sent to the candidates, which details how their information will be processed, stored or if it will be shared with 3rd It is also the responsibility of the ‘Data Controller’ to intimate how safe is the data, what are the security measures in place and how long does the company plan to keep the data in their records.
Talent acquisition platforms (applicant tracking systems) & compliance:
Almost every recruitment/staffing business uses a talent acquisition platform that also doubles up as the ‘Data Processor’ as defined in GDPR. For a business to be fully compliant, it is not enough to comply with just the processes; all systems and software that captures, stores, queries and retrieves data also need to be GDPR compliant. Analysts feel that GDPR compliant applicant tracking systems (ATS) can be one of the key enablers around which recruitment operations can be made to sync with the regulations.
Consent Management is an important feature in an ATS which makes the job of compliance easier. Recruitment ATS should reflect a clear and consistent Data Consent policy. Many platform providers have incorporated ‘reminders’ that inform candidates about the impending expiry of a consent. Consent can mean different things to different people, some of them are:
- General consent on the purpose of collecting information
- Consent on storage and usage terms
- Consent to contact – receiving job alerts, newsletters and other content
Some of the world’s largest HR/Applicant Tracking System such as Oracle, IBM, SAP, ADP, iCIMS, Jobvite, Lever and Workday are adding newer functionalities to their products such as compliance toolkits,.
Trigger for a well-defined Privacy Statement
Compliant applicant tracking systems have introduced the functionality of informing candidates about the company’s Privacy Policy. The statement is a crucial part under the GDPR regime which helps the candidates identify the ‘Data Controller’ accurately using the information provided as well as details regarding the usage of the held data. An ATS geared up to accept the challenges thrown in by GDPR should also focus on ensuring the rights of the ‘Data Subjects’. A candidate needs to be aware of the various stages of the recruitment process and his/her right to access and review personal information when he/she chooses to. Many staffing firms depend on candidate consent to collect and store personal data which makes it mandatory for the GDPR-enabled ATS to provide a link or a mechanism to the candidate to request deletion of data or to anonymize application data. However, if a company has been able to clearly define and explain the legal basis for it to collect personal data of a candidate through a clearly-defined Privacy Statement, then retention of data becomes easier.
Data Protection
Candidate data is sensitive, as is the case with every other data type. A ‘Data Controller’s’ ability to ensure the safety and security of the data held in the ATS’ depends on the robustness of the latter. Data must be audited, accounted for and any contract with the ATS vendor should make it a central point to clarify the safeguards in place Encryption and confidential fields help maintain security of the data. It is widely believed that a SSAE 16 SOC1 Type II compliant AT system or above generally have strong security.
The Data Protection Officer (DPO) - an evolving role gaining currency
With the complexities arising out of GDPR, businesses that operate in the EU or handle personal data of citizens residing within the EU, are looking at hiring Data Protection Officer (DPO). The DPO is a senior leader who oversees the implementation of data protection measures with regard to GDPR within the organization. Strong experience in Cybersecurity is one of the most sought-after qualification in a potential DPO along with high-level experience in Data Management/Big Data. According to the European Data Protection Supervisor, the EU’s independent data protection authority “the primary role of the data protection officer is to ensure that her organization processes the personal data of its staff, customers, providers or any other individuals in compliance with the applicable data protection rules….”. The responsibilities of a DPO, interalia, as defined in the text of the GDPR document are essentially three-fold; to inform and advise the organization, monitor compliance with the regulation and being the ‘point of contact’ for authorities within the organization.
Data has emerged as the most important resource in the recruitment business and is key to decision making. New data-driven IT systems and delivery models have already become the norm. GDPR affects every recruitment/staffing organization irrespective of the size or complexity of the business. While smaller organizations are nimble and can transform quickly to settle in to the new regime, the larger organizations will have a longer journey before they become GDPR compliant. While there may be teething issues while implementing the necessary changes, organizations need to understand that compliance will eventually lead to competitive advantage.
