Though data breaches may grab the most headlines, becoming GDPR compliant is much broader than just taking them more seriously.
It is about looking at people, processes and systems: how personal data is acquired, stored and used. For recruitment agencies, this requires an organisational culture shift.
This is particularly the case with larger companies that handle higher volumes of vacancies and employ more recruiters, who process more data and store it in more decentralised locations such as hand-held devices.
I can see two key areas create significant challenges for recruitment consultancies.
1. The top down performance culture of recruitment
Client companies have a preferred supplier list that recruitment agencies compete to get on and to stay on. Performance metrics are used to assess the performance of each recruitment agency through vendor management systems. Two key metrics are speed of response and the number of CVs submitted to each vacancy.
Recruiters compete for candidates in a race to be first over the line and claim the candidate for a specific vacancy. This required speed of response leads to an arm’s length approach to candidate acquisition and, in some cases, to consent not being sought.
2. Candidate details are kept and used for future vacancies
Personal data, including name, phone number, email address, a photo and salary information may typically be stored centrally on a database system. It is also likely to be kept separately by individual recruiters on their personal phones and tablets as a ‘hot list’ of candidates.
GDPR will impact how personal data can be acquired, stored and used. Even though a candidate may post their information on a job board or LinkedIn, that does not give a recruiter the automatic right to download and process that personal information.
To obtain permission, recruiters will be required to confirm to the data subject exactly what their personal data will be used for, who specifically it will be shared with, where it will be stored and how long it will be stored.
Consent will be required for each specific purpose and the option – and method – to withdraw consent clearly demonstrated. This will be particularly significant for recruiters working with vulnerable individuals where the rights of those individuals will need to be specifically stated in a way that is easily understood.
GDPR will make it more difficult for recruiters to have arm’s length relationships with candidates and a lot more effort will need to be put into developing robust recruitment processes that meet the guidelines.
Many larger recruitment agencies are well on the way to achieving GDPR compliance, simply because their blue-chip clients will demand it to protect themselves from data breaches.
Small to medium sized recruitment consultancies may well struggle to come to terms with compliance because of the competitive nature of candidate acquisition. The industry’s high speed culture drives individual recruiter behaviour and can lead to shortcuts being taken. GDPR will necessarily change this.
GDPR compliance will be driven from two directions:
1. The filter down effect
A recruitment company’s clients will drive compliance of their supply chain. Recruitment agencies will be required to verify that they are GDPR compliant. This is simply a case of larger organisations managing risk.
2. Candidates seeking cover under GDPR and reporting breaches
Data breaches do sometimes occur, and recruitment agencies are particularly at risk because they handle large amounts of personal data.
We can expect candidates to seek out GDPR compliant recruitment agencies as assurance that their personal data will be safe.
There is a lot of candidate dissatisfaction with how their personal information is processed and, after the May 18 deadline, this will likely result in candidates reporting this as data breaches to the Information Commissioner’s Office (ICO).
The worst impact from data breaches is not the fines but the potential damage to brand and reputation.
There is of course an opportunity for recruitment agencies to embrace GDPR and welcome the positives in it.
Compliance will require a change of culture and substantial improvement in how candidate information is acquired, stored, used and deleted. The opportunity is in how recruitment agencies engage with candidates and clients to ensure that they are acting in the best interest of both.
Performance metrics measuring the value of candidate and client relationships and the security of personal information will emerge as being more significant. Both clients and candidates will likely seek out recruitment agencies that can demonstrate a high level of GDPR compliance. And those consultancies that are following GDPR to the letter will find themselves head and shoulders above the rest.
By Graham Robson, business growth consultant, Business Doctors.