Unless you live in a black hole you cannot have failed to notice GDPR and its potential effects on recruitment. Today I would like to give my opinions on the subject and hopefully bust some myths that may be causing sleepless nights along the way.
First off, my advice does not count as legal advice and you need to make your own arrangements for checking the legal validity of what I say and that of anyone who comments and/or offers further advice on this article. Also I am not trying to pass myself off here as some guru. I am happy to be wrong on any part, so if you have a correction then make a comment and join in. Let's get some real collaboration here.
To go forward you need to go backwards
If you think GDPR is new then yes it is; if you think it was plucked out of thin air then think again. It replaces the current Data Protection Act, which is a bit misleading because it is a human rights law and is about your personal data having rights to be protected and/or how it is stored and used. Nonetheless the current data laws have plenty to say about what you could and/or should be doing with data.
I suggest that if you have no data protection officer, you take advice from one on how compliant you are under the current Data Protection Act and start from there. This will likely pull open the door to compliance or non-compliance with other laws like the Privacy and Electronic Communications Regulations 2003 (PECR) and what you do with email and CMS marketing. Again, unless you have been a PECR guru for the past 14 years, chances are you have been breaking some laws. PECR is to be replaced by ePrivacy laws, FYI, but they are falling behind and look not to be ready for the same time as GDPR.
So why go backwards? Well, some people have been getting in trouble by just going forward with good intentions, breaking current laws and then getting fines. See the story about Honda in the UK: by trying to get ready for GDPR they broke past data laws with emails they sent out to their clients.
Now there is no need to panic here, and the smaller agencies may be a bit baffled by all this. I mean, most small agencies I know started their company because they worked as a recruiter and thought they would be better off starting out on their own, and their start-up checklist is typically the following:
- Recruitment ATS
- Contracts with job boards
- Auto posting software for jobs
- Contracts with factoring firms
- An accountancy service
- Telecoms and Broadband
- A recruitment website
And off you go, right? The lack of knowledge on the law has not come from you being data pirates or data terrorists. The lack of knowledge has come from thinking Bullhorn, Bond, Itris etc. are recruitment data experts and keep your data safe.
- Monster, Reed etc. would not sell you dodgy data; Idibu and LogicMelon have your back on sending jobs and collecting applications they send to Bullhorn and the like.
- Hitachi Finance, Barclays, Sonovate etc. have you covered on financial services.
- Smith, Smith and Brown ACAs have you covered with the tax man and PAYE.
- Virgin or BT or Regus has your telecoms and wireless security done and hopefully RecruiterWEB made your recruitment website… All compliance done.
- Crack open the bubbly on your first deal, take 20 people away to Vegas for your 10 year anniversary, right?
Chances are with such credible names on this list all laws were closely followed. But still best to now go and check.
So what is my point?
Well, now GDPR says you need to do a bit more. You need to put a few more checks and balances in place. It is a bit like those Can’t Pay? We’ll Take It Away! TV programmes, when the High Court Enforcement officers turn up at Volcano IT Services Ltd and it has changed to Volcano IT Services UK Ltd, but there are no invoices to prove Volcano IT Services UK Ltd bought all the goods and chattels from Volcano IT Services Ltd. So they start listing your assets and taking them away.
In this context (wait for the data nerds to say this is the wrong metaphor) this invoice for your past collected data may be what is called Consent.
Consent WHAT? I am holding data not asking their father for their hand in marriage?
OK, so as much as GDPR posts say it is not ALL about Consent, pretty much all myths and scare stories are about not having consent, misunderstanding the consent process or not having this consent documented.
The worst that can happen is that if consent is tested for your past data and you are found wanting, then you will need to get rid of that data and, subject to how far down the journey you are tested for GDPR breaches (by journey I think we have a period of 10 years of change ahead of us), you may be fined, smacked on the wrist or shot at dawn (ok maybe not shot).
So how is consent defined?
From what I have read the definition of consent under the GDPR is:
Any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
This means that consent must be:
Unbundled – separate from other terms and conditions
Active opt-in – no pre-ticked boxes or implied consent
Granular – applied to separate processing and purposes
Named – all those relying on the consent must be named individually
Verifiable – records must be kept to prove what consent was provided for
Easy to withdraw – just as easy as it was to provide
No imbalance of power – not available to public sector or employer/employee relationships
Refreshed – valid consent does not last forever
Who says what about consent?
Lawyers. Lawyers say if you can rely on other processing then do so and look to things like legitimacy or soft opt-in (we will get to that).
GDPR Pundits who have some knowledge of the recruitment industry. They agree with lawyers and start steering you towards other ways to be GDPR ready/compliant than just consent.
GDPR pundits, non-recruitment industry. Quite a lot, I have found, have been hung up on consent. They also tend to work for very large companies with huge data exposure and huge incomes that could be devastated by 4% turnover fines. So they have data laws covered out the Yin Yang.
Applicant Tracking Vendors, Job Boards, Accounting system vendors etc. I have found very little public info but I am sure they are on the case.
Recruitment Website vendors. Some make up more myths like WordPress websites are going to be non compliant, others say GDPR what? A few have GDPR prepared for in so far as we know it.
What I say. Speak to a qualified GDPR recruitment expert, and if it were me I would build a new consent path which is GDPR compliant while looking for legitimacy or evidence of soft opt-in for using some of the past data you have for continuing marketing methods.
What is soft opt in?
There is a patch called the ‘soft opt-in’. This means that consent is not required if you are sending marketing messages about similar products and services to your customers/clients or those you have negotiated with to provide products or services, as long as:
- You give them the opportunity to opt-out when you receive their contact information; and
- You give them the opportunity to opt-out when you send them subsequent messages.
This processing is not based on consent, but rather the legitimate interests processing condition, and can only be relied upon by the organisation that collected the contact details, not third parties.
So it is the third parties part here that for me brings up the biggest risk and/or area of contention. The third party places you gained candidate data from are likely to have been job boards, CV data services, research firms/CV data generation services, LinkedIn, Facebook (plus other social media platforms), walk-ins, candidate referrals, clients who say "help this guy find a new job", and so the list goes on.
Some of these third parties will have clear policies on data, be compliant with other data compliance laws etc. Others may not have looked so closely at the law because they had a similar start-up process to the one I described about recruiters earlier.
It is here you need to make a judgement call: do you hold personal data for vanity, sanity, or do you think you are compliant for both?
P.S. Legal wizards tend to say that if you wish to continue with SMS and/or email marketing then the soft opt-in is not your best path and you should focus on consent for that and check the current PECR laws and your vendor's compliance. It may be your email-marketing vendor was very anal about the data you loaded to their systems to mail out marketing messages. On the other hand you may not have so clear consent if your ATS does your mass mailing (subject to legitimacy).
Candidate Data Asset or Liability
So let's look at the data you have and what you may do with it under consent, legitimacy etc. (Data geeks, we need not hear from you on compliance thanks; recruiters, that is what you invite them in for.)
Candidates in your ATS/CRM: for the sake of argument I am going to deal with the ones who came by your website and registered with you directly, and for ease assume you have legitimacy because they asked you to find them work. Some or all of the following will apply to data from other channels, subject to how you prove legitimacy, soft opt-in and/or consent.
So let's break that down as follows:
- Permanent candidates registered in the last 12 months
- Permanent candidates that are 13 months to 36 months old.
- Permanent candidates that are 37 months or older.
There have been myths that you need to delete some or all this data. My view, supported by a few others, is that you have the legitimacy to talk to these candidates about the following:-
Permanent candidates registered in the last 12 months
The jobs you have that match their job seeking needs for the next 36 months and/or jobs that could improve upon the jobs they took if not through you. There are plenty of studies to say that permanent candidates are changing jobs in 3, 4 and 5 year windows, and as GDPR is not about stopping trades, just keeping safe those you wish to trade with, then you should be all good here.
The service that you operate to candidates however probably needs an overhaul. There is plenty on LinkedIn to say that candidates want more from their recruiter. They want acknowledgement of their registration, permission based marketing of their skills to clients, quality feedback and more in the way of a relationship so they can trust you are trying your best. This to me is where GDPR helps to pull the recruitment industry out of the negative doldrums and into a very rosy future.
Legitimacy for future marketing comes then from doing things like the following:
- Making a formal thank you for all registrations and setting out the candidate's options to get services from you.
- Log all the jobs you present to them.
- Provide and log all the feedback for jobs they are declined for.
- Provide and log all interview feedback for jobs they are matched with.
- Provide and log all offers for jobs they are matched with.
- Follow up and log all resignation preparation.
- Log and follow up on all candidates who take up jobs and start at your clients.
- Offer a follow-up relationship path for placed candidates that has 1 month, then 3 months, then 6 months, then 12 month triggers etc. and log that activity.
- If a candidate drops out of one of your jobs and it is relevant, follow this kind of process for all the jobs you work at. But here is the key in my view: have the same process of 1, 3, 6, 12 month follow-ups for those you don’t place.
- Having follow-up agreement and quality follow-up procedures makes for very happy candidates who are loyal to you and your brand.
- Delete those you know you positively can’t place and save yourself time for future SAR requests that lead to forget-me requests.
Permanent candidates that are 13 months to 36 months old.
Adjust this to suit your niche. We know, for example, that Actuaries are slow to make decisions, so 18 months might be quick for them to find the right jobs, whereas sales people might have a quicker churn.
Your follow up marketing should then decide when you need to move to the delete button.
Permanent candidates that are 37 months or older.
I am gonna say delete the data if you have had no credible follow-up. You might want to push that out to 5 years. But that must be the limit, I think. If you are still unsure then check your past sales that you have made from candidates who you have not spoken to for 5 years or more.
Now there may be a flood of comments to say "we found a person 48 months after they registered with us in our ATS in Monster and placed them". I am gonna say cool, but if you had a better follow-up policy they would have been flagged up in your ATS and you would have had a credible reason to call them.
Better data management leads to more sales.
So what can you offer in your follow up strategy that is worthwhile?
I am going to break this down into just a few examples; speak to your sales trainers and owners for more, unless you are a RecruiterWEB client and we have a program of works coming for you. The examples are proactive and reactive marketing methods.
Proactive marketing pro step 1
Future salary survey data: it is the 3rd to 5th thing searched for by active and passive job seekers. Provide a quality source, maybe via your website, and you will have a credible long-term relationship. RecruiterWEB clients can provide that data via our website platform, and on the same page are jobs that may match their needs or pay those numbers. It is subtle and effective.
Proactive marketing pro step 2
Run a high quality, easily trackable candidate referral program. There are plenty who say referrals don’t work; I will say that our clients make them work.
Proactive marketing pro step 3
Offer highly intelligent job alerts for candidates to double opt in to, and then manage according to need. As a preference, have job alerts that may be suspended for 3, 6, 9, 12 months etc., all clearly permission based of course. I think the legitimacy is easily proven and it is a hassle-free one-click cancellation service if the candidate does want to be forgotten.
Also some great candidate job seeking data by LinkedIn, Indeed and Smart Recruiter recently proved that job seekers today turn out to be tyre kickers within 7 days of applying for a job a massive percentage of the time. They subsequently come back to market in weeks, months and even years as real job seekers. Job alerts will help with that.
Reactive marketing pro step 1
Remarketing to your website visitors can be achieved via services like Google Ads, Facebook Pixels and LinkedIn Pixels. The user will see your content as they move around the web. For sure there are some laws and compliance to meet on remarketing, and you should check with each vendor how they comply with GDPR, PECR, eMarketing etc.
Reactive marketing pro step 2
Be present online where your target niche candidates operate, be that blogging in biomedical communities or giving out roadwork travel blockage advice to HG1 drivers sat on rest break and using Twitter.
Reactive marketing pro step 3
72% of all job searches now start online in Google. So you need a marketing fund/strategy for Google Adwords, Local SEO, Organic SEO, Banner Marketing etc.
So let's come full circle and end with consent.
If you are going to rely upon Consent for your future candidate marketing, that consent needs to be watertight. And with the changes to ePrivacy laws some online marketing is going to get harder.
If you are going to rely upon legitimacy then speak to a GDPR specialist with recruitment industry experience or who is making a rapid investment in their understanding of how recruiters think/work.
Above all else, and probably the most valuable thing I have to say on GDPR and future candidate marketing, is this. The ICO is more concerned, in my view, about you having CVs in unlocked filing cabinets that don’t get properly disposed of, or about you running needless risks by having duplicate candidate data in multiple IT systems. For example, why does your website vendor insist candidates have to put a copy of their CV in the recruitment website's database just so they can use a job alert or apply for a job? We have removed that need from our websites and had a higher take-up of job alerts as a result. GDPR talks about needless data duplication and this has to be one of them. You need a GDPR consultant not to dispel myths but to tell you where your present and future risks are so you can adapt and then thrive.