Introduction. Ignoring the impact of the GDPR on your recruitment team is opening up your business to substantial risk.

Transcription

1 THE GDPR PLAYBOOK

2 Introduction The GDPR requires you to do a number of things and with our GDPR Playbook, you can become a beacon of trust with an approach that is in line with the spirit of GDPR that adds value for your candidates and creates a return for your business. The General Data Protection Regulation (GDPR) will apply and be enforced in the UK from 25th May At a high level, the GDPR requires that you are able to demonstrate your compliance through documentation and how you have assessed risks and mitigated risks that you create for others in holding and processing their personal data. The GDPR creates some key challenges for recruiters around some of the key principles that need to be upheld. The requirement to keep data accurate the ICO have indicated that they consider this a key issue for the industry - and not keeping data longer than is necessary both require a massive cultural shift, and the transparency requirement is also a challenge. Recruiters are often holding data on individuals without the individual s knowledge. If you have no candidate engagement, out-of-date contact information and poor-quality candidate profiling then you have three choices: Ignoring the impact of the GDPR on your recruitment team is opening up your business to substantial risk. It isn t just about the consequences of complaints, investigations, fines, and reputational damage though there is massive opportunity cost of not following GDPR. GDPR is the perfect opportunity to become a recruitment team that operates best practice. Gain the competitive advantage by creating a strategy to be not only compliant with data protection regulations but by building world class talent pipelines now and in the future. Take the opportunity that GDPR represents to become a best practice recruitment team. Do nothing and risk a substantial and potentially business critical fine. Delete all candidate records that you have had no engagement with and lose decades of investment. Take a proactive approach to make sure you are GDPR compliant.

3 About The GDPR The key principles of the GDPR are really easy to grasp especially if you put yourself in the shoes of a candidate. Although the GDPR is a data protection regulation, the first principle of it states that: Every individual has a basic human right to privacy. The regulation is unusual as the jurisdiction to which it applies is not dependent on a physical geography but is dependent on the individual. In simple terms if you are holding the data of an individual that is a European citizen or a European resident or your business is based in Europe then the GDPR applies. Why is the GDPR happening? We find ourselves living in the information age where individuals have lost control over their own data and privacy. They currently have little control over their own personal data in that we don t know who has it, what they do with it and how they use it. This has led to the regulators bringing in new rights for the individual so that each one of us can take back control if we decide to do so. The second reason for the new regulation is that businesses have not been taking data privacy seriously. On a regular basis reports of data breaches take place where hundreds and thousands of people are affected. Individuals can suffer potential financial loss and at minimum inconvenience because a company has lost their data.

4 About The GDPR The GDPR requires that recruiters are accountable and take responsibility for the data that they hold. Recruiters need to respect a candidates right to their own privacy and control over their own data. They also need to take responsibility for the security of the data that is held by implementing appropriate organisational and technical measures. The 8 principles of the EU data protection law are: Lawfulness Transparency Fairness Accountability Accuracy Purpose limitation Minimisation Necessity Two of the most important principles are Transparency and Accountability. Firstly, are we being transparent to the individuals whose data we hold by telling them that we hold their data, what we are doing with their data and how they can exercise their rights over their own data? Does an individual know that we are holding their data so that s/he exercise his/ her rights? Secondly, as a business are we demonstrating that we are accountable through our actions, policies and processes for the security of the data and respecting the individual s privacy? The GDPR is not requiring that businesses are perfect, it requires that a business make an effort to embed data privacy into the culture and operation of the business. ANOTHER SIMPLE WAY FOR RECRUITERS TO THINK ABOUT THE GDPR IS A: THE RIGHT TO RECTIFICATION THE RIGHT TO ERASE THE RIGHT TO DATA PORTABILITY THE RIGHT TO BE INFORMED GOOD DEMONSTRATION OF PRIVACY IN RECRUITMENT

5 Get the right people involved Who will be the GDPR subject matter expert (SME) in your recruitment team? For parts of this you will need someone from your technology team to be involved. It s sensible to appoint someone who can logically work through complex processes, and who can also explain these to others. This person will be responsible for training the team now and moving forward. Your business probably has a group who have been appointed to manage the overall impact of GDPR. Ask someone who is part of that group to join your team. A senior sponsor at board level is essential as there is business risk involved. This should be someone who isn t part of your team already. If you have a large recruitment operation with multiple teams for example within agency or a shared service centre - then appointing local GDPR champions in each team is sensible, as relying too much on the SME could create a bottleneck.

6 The key issues The GDPR will impact you if you process the personal data of any person covered within the scope of the regulations. Processing means: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In recruitment terms, this covers most of the end-to-end cycle and will apply to identifiable candidate data. If you work in an agency, then it may also apply to identifiable client data too. D The key points to note are: The GDPR applies to not only organisations operating within the EU, but those that operate within the EU or process the data of data subjects. The GDPR covers personal data and sensitive personal data of data subjects. Data Subjects are people who live in Europe. The scope of personal data and sensitive data is now a little wider - IP addresses, for example, can now be considered personal data. Sensitive personal data now includes biometric data. Knowing under which legal basis of data processing you are operating. If working under consent as your basis of processing, under the GDPR it must be freely given, specific, informed and an unambiguous indication of the individual s wishes. This area however is subject to interpretation. Data accuracy subject data that is processed must be kept up-to-date. Transparency - your company needs to be able to demonstrate how you comply with the requirements of the GDPR. This requires producing a number of pieces of compliance documentation and retaining records of compliance. We advise that you use a lawyer or a data privacy expert to help you with this. Your compliance document needs to show the policies and processes that you have put in place in order to maintain compliance. The purpose of processing and the retention period applied. You can only use data for the reason that you have specified and you have to be clear about how long you will hold that data for. The rights that subjects have relating to data that you process. In addition to accuracy and transparency, this also includes access, deletion, withdrawal, portability, restricting processing and stopping processing.

7 Understand the cause of risk Recruitment operations both in-house and agency - spend a substantial amount of money and time on Applicant Tracking Systems (ATS) and Candidate Relationship Management (CRM) products. The ultimate end user though is not a marketing or data specialist it is a Recruiter. The behaviours of your typical Recruiter are more than likely based around short-term objectives filling the jobs that are live at the moment. This means: The most up-to-date candidate information on your system will be new candidates, not existing candidates. Most content sent by if not all will be related to jobs. This will mean that open and click through rates will be poor. At least 10% of the addresses that are stored in your system will be invalid so anything you send will not reach the intended recipient. Candidates preferences will be incorrect as typical recruitment teams simply lack the capacity to keep them up-to-date. Opt-ins to receive marketing updates will not have been recorded. Opt-outs will rarely have been recorded, actioned and certainly not processed by recruiters. A high number of ATS/CRM platforms do not, as standard, give candidates the ability to opt-out of communication from your business.

8 Understand the cause of risk Check your CRM log for communicating with people. Does a typical look like this? Then you have a high-level of risk, a less-than engaged audience and room for improvement. This is not about blame this is an industry-wide challenge.

9 Understand the data sources you use ATS Job Boards LinkedIn To truly understand your data, you must start at the source and understand what data your recruiters use and why they use the sources that they do. In addition to the sources, what specific information are you capturing about people? This is where things can start to get a little bit messy, so visualising it can help try Canva, draw.io, or if you like mindmaps then XMind is awesome and really powerful.

10 Questions for your data processors Data processors are your supply chain. Typically, this can include your CRM provider, job boards, social media and any other provider who supplies you with data or does something with the data that you provide them. Questions for them should include: What security measures so they have in place? What measures have they taken to comply with the GDPR Where you work with a business that supplies you with data either directly or via a tool - then they should have a robust contract with you that includes data protection. You should understand how you can use this data as once you start processing it, you become responsible for that data (irrespective of how you acquired it) Pro-tip don t only think about where your data is coming from think about where it is held and where it goes. Remember that once you start processing it you become the controller. As a controller, not only are you required under the GDPR to inform an individual within 30 days that you are processing their data, if you intend to pass it to a 3rd party then it must be sooner. Ask 3rd parties from whom that you acquire data:- Where do they get their data from? Do they clearly show people their data and privacy policies when their details are being collected? How do they guarantee that the data is correct? When was the last time the person was contacted? Are the individuals aware that their data may be transferred for use by a 3rd party?

11 How data is held and where does it move Once you know where the data comes from and where the data goes, then you need to review all of the actions or processes that are carried out. Questions you should be asking include: Do we hold prospective candidate data as we proactively source? How long do we hold data for before considering deleting it? Is the information that we are holding up-to-date and accurate? What channels do we communicate with candidates on? Who does information about candidates get sent to and how are they managing it think about both internal and external sources (Onboarding? Payroll? Marketing?) Does anything that we do automatically profile people based on the data that we hold about them? What is your legal basis for processing candidate data? Pro-tip secure processing of personal data is a key part of data protection. When you send candidate information internally or externally, how secure is it really?

12 The legal basis of processing data This is the big question. Do you have the legal right to process data about your candidates? Under the GDPR you must be able to demonstrate how you are complying with the GDPR and that you have the legal right to process the data of each subject. This will form part of your privacy policy and data privacy documentation and should be reviewed by your data privacy lawyer. There are six legal bases available for processing data. They are all valid reasons and there is no hierarchy - one reason isn t better than the other. Generally, only three will apply to candidates in recruitment so we will focus on those. Contractual necessity - This is where there is a legal reason for holding data. For example, you need to hold data of your temporary workers as you need their data in order to pay them under your contractual responsibilities to them. Consent - You are holding data because you have the consent of the individual. There are problems with consent however as it has to be freely given and the candidate cannot be detrimentally impacted if they do not give you consent. Legitimate interest - You are holding data because you have a genuine business reason for holding the data. This means simply that to process candidate data you need only one of the three legal bases available to you. THE RIGHT OF ACCESS THE RIGHT TO RESTRICT THE RIGHT TO OBJECT THE RIGHT TO BE INFORMED Each of these require that you also fulfil the other obligations of the GDPR fairness and transparency.

13 The legal basis of processing data There is an issue with one of the legal bases however consent. A key part of the GDPR is that a data subject must not be penalised if they do not give consent, withdraw consent or exercise any other right that they have. In recruitment, this means that if a candidate does not give consent, withdraws consent or exercises any other right that they have then they must still be able to be considered for a vacancy. Confused? It is a paradox. This is why our recommendation is that you avoid consent. The only exception to this rule is when sensitive personal data is involved this can include bank details, national insurance numbers, and more. If you process this, then consent MUST be received. COMPLY

14 The legal basis of processing data Here are some scenarios to think about. 1. You attempt to contact someone on LinkedIn about a specific vacancy. They don t respond, so you then find their personal address. You send them an , and also create a record for them on your CRM. 2. Someone has a record created on your CRM, but has not been contacted for three years. You are not sure if any of the information is correct or not. 3. A consultant brings 100 CV s that are past prospects from their previous roles. They insist on holding them in a secure folder on the server. 4. Someone applies for a vacancy via a job board. You then load that application and all of the attached information to your CRM system. In each of these examples, do you have the legal basis to process the candidate s data? Making sure that your outreach initial engagement that takes place over any medium as appropriate will help. As an example, when you send an , making the reason clear for saying hello will help. Being clear doesn t mean immediately talking about jobs! This is very different to approaching candidates with no specific role in mind, contacting them based on poor quality searches or spamming with jobs.

15 It would then be best practice from May, when you qualify someone and add them to your CRM, to ask them to then opt-in to other forms of communications such as marketing. This can be a standard that includes a one-click link to their communication preferences. It is important too that this contains a link to your privacy policy. This could even be a Tinder style swipe system. If you are attempting to contact a prospective candidate, then only process their information for as long as you need to. By attempting to contact them within 30 days, then you have met your notification obligation but that doesn t mean you can continue to process their data indefinitely. Pro-tip however with Candidate.ID you can continue to keep in touch with the candidate by sending them amazing content on a regular basis but with the option to opt-out at any time. It is important to also include a link to your privacy policy on every piece of communication that a candidate will access , landing pages, If the candidate engages with this content opens and clicks through then we suggest you can continue to process their data. If they do not engage, then Candidate.ID can automatically unsubscribe people based on time-bound rules.

16 The rights of candidates Practically speaking, the rights of subjects mean that you need to: Once you have established that you have the legal right to process candidate data, your responsibilities do not stop there. It is important that you understand and meet the rights that candidates may have to: Access this includes access to the purpose of the processing, what data is being stored, the period that data will be processed for, and to be notified within 30 days that you are processing their data. Rectification correction by you of any incorrect data you hold about someone. Erasure (and to be notified of this in a timely manner) the right to be forgotten. Restriction (and to be notified of this in a timely manner) the right to stop parts of how their data is processed Portabilty the right to receive all personal data concerning the subject in a common format but also the right to transfer that data to another controller. Object the right to stop all data being processed. D Pro-tip Do not handle breaches internally it is too much of a risk Tell people how they exercise their rights under GDPR. This should be part of your privacy notice. Have your privacy notices clear displayed on your website and linked to every that is sent from your business. Every sent should give the person the opportunity to opt-out from that type of communication. Have a process for dealing with Subject Data Access Requests. Have a process for quickly updating out-of-date information and do this on a regular basis. This is going to be an area that the ICO will focus on. Notify individuals within 30 days that you are holding their data for new candidates created. Set retention dates around all of these records and then demonstrate how you are keeping to these and crucially apply them retrospectively. A significant change has also been how you deal with breaches. A breach must be reported to the ICO within 72 hours but it is important to understand what constitutes a breach. You need to have a SWOT team appointed something that might be included as part of your cyber insurance who must be notified immediately if something occurs that could be a breach. They will then help you decide whether it is actually a breach and what action is required.

17 Managing the rights of your candidates automatically & maintaining compliance on an ongoing basis Managing the rights of candidates under GDPR can become a huge administrative burden so it is important that you consider how this can be automated. Your business should have a tool that has the capability to manage these rights with as little human intervention as possible. These keys workflows include: Notifying candidates that you are processing their data within the required timeline. Allowing candidates the opportunity to update their own preferences so that their data is only being processed the way they want it to be. Unsubscribing candidates who are inactive. Making every effort to engage with prospective candidates who have not engaged whilst respecting their privacy. Renewing the legal basis of processing for candidates when they have passed their retention date (this applies to your existing data and needs to be applied retrospectively). Requesting on a regular basis that a candidate provides their most up-to-date information. Retrieving up-to-date data from publically available sources to keep candidate information correct. Giving candidates the opportunity at every point of engagement , SMS, landing page and website to stop their data being processed easily. Tracking what the legal basis of processing was and when this was established. Keeping a record of when a candidate has withdrawn their permission for your to process their data.

18 Managing the rights of your candidates automatically & maintaining compliance on an ongoing basis Not only does automating this reduce your administrative burden, it makes maintaining compliance on an ongoing basis easy. To be compliant moving forward, follow these key steps which can be automated with Candidate.ID.: Any new candidates who you are processing must be notified of this within 30 days. If candidates do not engage with your communication, then you should make repeated attempts to encourage them to engage with your communication. If they do engage with your communication then continue this process, making sure that they continue to engage. If, for any reason engagement fails, then move into a stream of content that has the explicit purpose of reengaging the candidate. At each point of engagement: Give the candidate the opportunity to say no to their data being processed. Give the candidate the opportunity to update their data. Give the candidate the opportunity to change their processing preferences. Track the legal basis of processing for each individual candidate include the data that this was last updated. Candidate.ID will also, due to its privacy by design nature, support you with the eprivacy regulations which will come into force soon. eprivacy replaces the Privacy and Electronic Communications Regulations and has a significant impact on direct marketing.

19 What about my existing database? Every day, people ask Candidate.ID if they need to delete their existing database to be compliant with the GDPR. No, you don t even if you have not tracked their permissions. But start to fix it NOW. Do not wait a day longer. Welcome to the Candidate.ID Candidate Washing Machine The Process Load Pick a segment of your database that you want to start the process with. Export this from your existing system and send to Candidate.ID. Our technical team will clean this list, removing irrelevant data and addresses that are no longer valid. Wash Do you have a marketing team or a plethora of content already? Great we can repurpose this. If not, that s ok our expert team of marketers at Candidate.ID can help you create some awesome content. To implement this solution, begin a five-week nurturing campaign that is sent by . Every single will have a clear opt-out message, giving people plenty of opportunity to unsubscribe or request deletion. This campaign can engage up to 65% of people within your database this is far in excess than what you will be achieving at the moment.

20 The Process Rinse The database will be enriched naturally as you will know which addresses are active and which are no longer being used. And as you have put a process in place that allows people to update their data with you, that will also help to improve data quality. Once the first five weeks are complete, the Candidate ID team will also help to enrich the information of those people who have engaged with the campaign. They will find information from a variety of different public sources, so make sure that your policy states that you may cross reference identifiable data against these. This updated data can then be added to your CRM or ATS. After 30 days - once you have a fair idea of how many candidates no longer engage with your content you should move inactive candidates to your activation pipeline. This pipeline should be targeted with content that aims to engage candidates quickly. This could mean: More direct subject lines include first names or a call-toaction in the subject line. Last chance content the recruitment equivalent of lowstock. Giving a chance to easily talk to a recruiter or line manager one-on-one. Repeat Now, repeat this for all segments in your database. You must continue to contact those who became active during the implementation stage to maintain consent. You could drop this to one or two s per month instead of weekly. The outcome Now, repeat this for all segments in your database. You must continue to contact those who became active during the implementation stage to maintain consent. You could drop this to one or two s per month instead of weekly. Your existing database is now GDPR compliant. A transparent process is in place should there be any challenges from the ICO about how you manage existing candidate data. Your data quality will dramatically improve through a number of different sources. You can clean up your database by deleting those with invalid contact information or who have not engaged with your campaign. It will give you a picture of who your live prospects actually are through ID Score. Candidate.ID then allows you to automatically unsubscribe or delete.

21 Data security At this point, you will be glad that you invited someone from your technology function to be one of your players! You cannot be expected, within your team, to design these processes. But you should make sure that someone else does. Data Security is one often ignored area by recruiters in GDPR. Look back at your data sources and the flow of data. Are there weaknesses within the communication of personal data both internally and externally? This means: Do your team lock their computers, tablets and mobiles religiously? If you print CVs, what happens to them when they don t get collected or when they are no longer needed? What do your clients and line managers do with CVs when they are no longer required (either soft or hard copy). How are passwords for supplier websites stored and managed? Is there an adequate level of security software installed on your company devices that will protect you against malicious software? Do you password protect CV s or profiles sent by to clients? Pro-tip All training relating to GDPR is a key part of your defence in the event of any complaint that may be raised against you. Make sure that this is scheduled and actually takes place!

22 Conclusion As I mentioned earlier, there is no one-size fits all approach to GDPR. But the key points that your play must include are: A transparent policy on how and why you hold data about your candidates. Any information you hold should be correct and regularly updated. You should either have consent or legitimate purpose to hold and process candidate data. Data should only be kept for the period that is required. Ensure that your internal policies are documented and that every person involved in your recruitment function is trained regularly. This also includes other stakeholders like line managers or clients! But to be compliant you must take action against your existing data now and start applying it to new data moving forward. Create a transparent policy on how you will use personal data and communicate this. Engage with your database now with great content that they will like. Make sure that if a deletion request is received, you know how to action this. Put a mechanism in place for people to update their details with you. Ensure your team know how to deal with data subject access requests. Have legal advice on hand at very short notice. Use data industry standard processes to enrich the data. The ICO are clear on GDPR: You are not required to automatically repaper or refresh all existing DPA consents in preparation for the GDPR.

23 About Candidate.ID Candidate.ID was named as one of the 10 most disruptive companies at the HR Tech World Congress. Our talent pipeline software platform enables employers to create and nurture talent and importantly, to filter candidates based on our unique ID Score which measures their desire to work for your organisation, in real-time. This helps your recruiters cut time-to-shortlist and therefore cost-per-hire while simultaneously increasing quality-of-hire. Candidate.ID is only for the most sophisticated recruiters. For everyone else, we recommend recruitment CRM. About ComplyGDPR ComplyGDPR provides a comprehensive GDPR readiness service for Executive Search, Interim management and In- House recruitment teams. Our consultant team has in depth knowledge of processes from working in senior operational roles or as consultants in these businesses. We have 75 years of combined experience gained from a variety of firms including 4 of the top 6 global search firms. ComplyGDPR provides a modular GDPR toolkit that helps you prepare your business for the introduction of the GDPR on 25th May 2018.

24 Facebook YouTube LinkedIn Candidate.ID 5 Oswald St. Glasgow G1 4QR Twitter 2018 Candidate.ID ltd. All rights reserved.