GDPR isn’t a crisis for recruiters if they are careful

Guest blog by Charles Hipps, CEO & Founder, WCN


Am I the only one seeing increasing numbers of resubscribe e-mails bombarding my inbox of late? There are now just weeks to go before the new GDPR laws finally come into force across the EU. Are you compliance-ready, or are you still wondering, "How do we make the recruitment process more respectful to candidates without losing our edge?"



This is perhaps the biggest question we face from our clients as the end of May gets closer and closer. There is a concern that having to be so dedicated to compliance will hinder the candidate experience and make recruiting a dull, almost cumbersome, chore for active jobseekers, rather than passive. But what we have found is that there is no need to deviate from highly engaging talent acquisition strategies. Yes, GDPR is a game changer: changes to personal data laws mean you will have to obtain permission to continue telling candidates about opportunities, outside of what they initially applied for, that you think they might find interesting, with heavy penalties for breaches. But if you adjust your approaches well, then the need for panic is almost null and void!


The starting point has to be to make sure you understand the data you hold and how you process it.

At WCN, we are working with clients to understand this by auditing data stored under the terms of documentation, often referred to as an Information Asset Register (IAR), with risks being determined via a Privacy Impact Assessment (PIA).


This involves trying to answer the following killer questions:

  • What data do you hold?
  • Why do you need it? Is there a legal basis for requiring the information?
  • Where does it come from?
  • How do you use it?
  • Where does it go?
  • How do you get rid of it?
  • What are the risks?


The need for such scrutiny has been raised following a slew of recent high-profile breaches, most notably the scandal of Cambridge Analytica using data harvested from millions of Facebook users without their consent, which has led to the former firm declaring bankruptcy.


Headlines continue to bring the issue of data security to public attention, and digital natives are waking up to the fact that in the internet domain, personal data is not just valuable to them, but hugely valuable to others. As such, GDPR means that data can no longer end up, as it often has, in the hands of marketing companies, analysts and fraudsters.


Recruiters have a duty to make candidates feel at the centre of attention in the hiring battle but must simultaneously respect the rights put in place by the Information Commissioner’s Office on how to handle data. The privacy statement must empower the candidate to be forgotten about if they choose and recruiters should respect these wishes in their approaches to delivering optimised candidate experiences. So, what do you have to be doing?


  1. Be transparent on every piece of data that is collected from an applicant – As well as information provided by the individual, that may include observations (e.g. tracking online behaviour), derived data (perhaps from combining with other data sets), and inferred data (e.g. suitability for a job).

  2. Your use of personal data may require consent from the candidate – Where consent is required, it must be freely given, specific, informed and unambiguous. There must be a positive opt-in requiring an action by the candidate. Implied consent cannot be assumed.

  3. Explain your legal basis for collecting personal data – Being clear about your legal basis will reduce your reliance on candidates’ consent and will be necessary if you want to retain data if a candidate asks for it to be deleted.

  4. Have detailed retention policies – You may need different retention periods for different data sets.

  5. Explain individuals’ rights – Critically, this must include information on how they can go about exercising their rights.


There are a number of other ways of complying. Most obvious would be the paradigm of explanatory text followed by a confirmation checkbox (which must default to unchecked).


It is also appropriate to give clear instructions that by entering data into a form, the candidate is giving consent for the data to be used for the purposes described. It must be possible to attribute these actions to a unique individual, but an ATS with a secure login process will ensure that.


If a candidate refuses consent for a non-essential use of their data, then this must not restrict them from participating in the recruitment process. This means that you may need to make part of your data collection optional, and you must be able to adapt your forms and your recruitment process according to the level of consent given.


A flexible, highly configurable ATS will help you maximise the data you can collect and the uses you can put it to. Once again, it will be important that the Privacy Statement addresses these requirements with extra annotation on forms for further explanations.


In fact, our research into client systems found 95% of processes did not need to significantly change for recruitment purposes – don’t panic!

Author: Editorial Team
