The recruitment industry divides opinion
The UK recruitment industry pumps £35bn into the economy every year. That is no small number. There are millions of people who found their current job through recruiters too. So why the melancholy, frustration or anger with such an economically valuable service?
Because of the other side of the industry; the recruiters who post fake jobs, use candidates to generate leads by finding out where else they’re interviewing, sending candidate CVs without permission or knowledge. Unfortunately, the list goes on, and as with all industries, the bad carries more weight than the good.
In a previous life I was a recruiter. I think I was a good one. I didn’t send more than than a couple of CVs to fill each job, never invented a role or placed a fake ad, always disclosed the name of the client in advance etc.
Doing recruitment well is complex, not complicated. Be honest, be transparent, do well for your clients and candidates; that’ll do it.
Recruitment is a challenging job to get right. Selling a car, or a house could be argued is simpler. One is a fixed thing, the other is the buyer. Recruitment has two buyers, two sellers and an intermediary trying to get the parts to fit.
With both parts being moving, the process inevitably involving some creativity and posturing (both sides), it’s a tough job sometimes. Compounded for the good recruiters, by the bad ones. Worth remembering that it’s not all malicious, for many it’s as simple as recruitment practices being outdated with the modern hiring experience.
The GDPR is offering the injection of quality that the recruitment industry needs. How much any recruitment firm benefits from the spirit of the regulation is how they answer one question:
Can I use legitimate interest as the legal basis for processing candidate data under GDPR?
Much discussion has been had over yes or no. If you do your research you will see that notable data privacy professionals (all active on LinkedIn), backed by sound interpretation of the GDPR, confirm that consent is the appropriate legal basis.
In recruitment consent is always an available option, for agencies and internal recruiters. And handily, it’s the most appropriate one too. You shouldn’t be thinking about legitimate interest. Consent puts the data subject (candidate) in charge of what happens to their data, and that starts unsurprisingly at the beginning of the relationship with a recruiter.
GDPR and candidate acquisition
Typically, when we talk about candidate acquisition, there’s two ways it can happen. First up, data is proactively provided by a candidate.
A job seeker sends you their info:
- registers their CV on your website
- applies for a role directly on your website
- applies for a role on one of the many job boards
- emails a consultant
- visits a branch
Consider any of the above, and consent isn’t onerous or prohibitive. It’s worth checking in with your job boards and/or aggregators to confirm how much information will be provided to candidates at point of CV registering on their site (their fair processing notice), and what information they’ll give on recruiters accessing data.
(to any job boards reading, if you haven’t already, letting candidates select between making their CV visible to direct employers and/or recruiters would be a good thing and support reducing some of this friction).
One job board promotes the fact that 6000+ direct employers search their site each month. What if I’m interested in those, rather than the 20,000+ recruiters that could potentially access my data?
It comes back to doing consent well
Best practice would be for the job board to list all the 3rd parties that COULD access my CV and details. Tough ask. A review of some current privacy policies shows they’re still in need of some work – one of the household names for example makes no mention of recruiters accessing then processing candidate data, or that the recruiter will be a Data Controller. Fair Processing Notices may still be updated; however, it is your responsibility to own your candidate relationships.
Good Fair Processing Notices, appropriate internal policies and do consent well!
The responsibility and control is therefore yours. That’s a good thing. That allows your business to prepare, standardise, define & execute best practice.
Operationally, you can create the processes, the policies and the operational oversight to ensure all candidates are treated the same, irrespective of point of entry, and deliver a great candidate experience.
Hello, I’m interested
By providing you with data directly a candidate is expressing an interest in your services today, either generally or for a specific role. Today isn’t forever, and the data isn’t yours. Engage with your candidates, and if they’re not engaged, what value do they bring your business?
When I meet recruitment directors they often comment that consultants rarely go to the CRM database as first port of call to fill a new role. I did the same. Not because the candidates aren’t on the CRM, rather there were so many irrelevant profiles – CVs years old, dead contact details – it was easier to find fresh and active candidates online. Begs the question, why bother having a database full of personal data you’re responsible for?
You look good, I think I’ve got a job for you
Which brings us to the second mechanism; going out and getting candidates:
- proactive job board searching and downloading
- one or more of the services that scrapes data from external sources and pushes it into the CRM
- headhunting through sites like LinkedIn
- referrals from other candidates
This is the area of most frustration. Recently, we ran a candidate survey asking questions about consent management preferences, sharing data with prospective employers etc. We had to stop as the responses predominantly bashed recruiters, which meant we weren’t comfortable trusting the quantitative data we were looking to use.
Think about going out and finding candidates and ask yourself two questions:
- Is it prohibitively complicated to capture consent from candidates?
- Do your legitimate interests in wanting to place me and make a fee outweigh my right to decide where my data is shared?
If, when you find a candidate that looks good, you contact that candidate, talk about your services, a specific role if you’ve got one. Before adding the candidate to the CV landfill.
Do that, and when you kick off your consent process (whatever that might be) the candidate will expect it, dare I suggest welcome it, and you have started the relationship well.If your CRM was full of candidates that are happy to work with you, surely that's a good thing? #GDPR #Recruitment Click To Tweet
If your CRM was full of candidates that are happy to work with you, that can only be a good thing. Additionally, for the recruiter on the ground, the database becomes the primary place to search for candidates – they are already there, with appropriate consents in place, ready to be contacted.
One consent doesn’t fit all
Consent isn’t a one-time thing. There are lots of types of consent. Broadly, for recruitment, I’d suggest:
- Baseline consent approving the recruiter to process the data
- Marketing preferences – can you contact me about job opportunities
- Role-specific consents – every role I’m put forward for, in advance, no exceptions.
When sending to a new client, it’s worth thinking about the information you’d like to provide the candidate – the company, the contact and role description, a link to that company’s Fair Processing Notice? More?
You’re responsible for your clients
It doesn’t take much searching on LinkedIn to see the complaints about recruiters using candidate data for their own purposes without consent. There’s also been a spike in end clients calling out recruiters for speculative CV sending (as a lead generation/business development tool). If you send a CV to a client, with personal data identifiable, the organisation you send that CV to is a Data Controller.
As a recruiter, there is an advantage that the client will be directly responsible for the data processing as a Data Controller. When the data is requested, all good. Where it’s speculative, is it reasonable to push responsibility where it may not be welcome?
Your clients are responsible too
The impact of the GDPR will result in more effort up front. I wouldn’t submit CVs to a client without agreed terms in place. You need to be clear on the type of relationship you have with your clients.
Equally, they need to be doing the same. If there’s no contract in place with you, and there’s no clear consent from the candidate – is the data transfer lawful? Answers on a postcard.
For any internal recruiters reading, this is an important consideration. You may be pitched by recruiters, as are direct hiring managers. How strong is the internal process to ensure it’s done right?
Collectively, responsibility to protect the rights of the individual, your candidates, is shared.
Ready to do candidate consent well? See how Obsequio can help your recruitment business manage consent.Obsequio for Recruiters
- Consent is the appropriate legal basis for processing candidate data.
- Consent must always be gained for sending CVs to clients
- Recruiters and clients share responsibility for candidates and their personal data
- The recruitment process should slow down, for good reason, when engaging a new candidate/client
We’ll be hosting webinars over the coming weeks, specifically looking at recruitment (both agency and internal) that will go into more detail about the legal and operational impacts of doing consent well, protecting your business, your clients, and most importantly, your candidates.