Unless you live in a black hole, you cannot have failed to notice GDPR and its potential effects on recruitment. Today I would like to give my opinions on the subject and hopefully bust some myths that may be causing sleepless nights along the way.
First off, my advice does not count as legal advice, and you need to make your own arrangements for checking the legal validity of what I say and that of anyone who comments and/or offers further advice on this article. Also, I am not trying to pass myself off here as some guru; I am happy to be wrong on any part, so if you have a correction then make a comment and join in. Let’s get some real collaboration here.
To go forward you need to go backwards
If you think GDPR is new, then yes it is; if you think it was plucked out of thin air, then think again. It replaces the current Data Protection Act, which is a bit misleading because it is a human rights law and is about your personal data having rights to be protected and/or how it is stored and used. Nonetheless, the current data laws have plenty to say about what you could and/or should be doing with data.
I suggest that if you have no data protection officer, you take advice from one on how compliant you are under the current Data Protection Act and start from there. This will likely pull open the door to compliance or non-compliance for other laws like Privacy and Electronic Communications Regulations 2003 (PECRs) and what you do with email and CMS marketing, and again, unless you have been a PECRs guru for the past 14 years, chances are you have been breaking some laws. PECR is to be replaced by ePrivacy laws, FYI, but they are falling behind and look not to be ready for the same time as GDPR.
So why go backwards? Well, some people have been getting in trouble by just going forward with good intentions and breaking current laws, and then getting fines. See the story about Honda in the UK. By trying to get ready for GDPR, they broke past laws of data with emails they sent out to their clients.
Now there is no need to panic here, and while the smaller agencies may be a bit baffled by this, all, I mean most, small agencies I know started their company because they worked as a recruiter and thought they would be better off starting out on their own. On their start-up checklist is typically the following:
- Recruitment ATS
- Contracts with job boards
- Auto posting software for jobs
- Contracts with factoring firms
- An accountancy service
- Telecoms and broadband
- A recruitment website
And off you go, right? The lack of knowledge on the law has not come due to you being data pirates or data terrorists. The lack of knowledge has come from thinking Bullhorn, Bond, Itris, etc. are recruitment data experts and keep your data safe.
- Monster, Reed, etc. would not sell you dodgy data. Idibu and Logic Mellon have your back on sending jobs and collecting applications they send to Bullhorn and the like.
- Hitachi Finance, Barclays, Sonovate, etc. have you covered on financial services.
- Smith, Smith and Brown ACAs have you covered with the taxman and PAYE.
- Virgin or BT or Regus has your telecoms and wireless security done, and hopefully RecruiterWEB made your recruitment website… All compliance done.
Crack open the bubbly on your first deal, take 20 people away to Vegas for your 10-year anniversary, right?
Chances are that with such credible names on this list, all laws were closely followed. But still best to now go and check.
So what is my point?
Well, now GDPR says you need to do a bit more. You need to put a few more checks and balances in place. It’s a bit like those “Can’t pay, we will take it away” TV programs when the High Court Enforcement officers turn up at Volcano IT Services Ltd and it has changed to Volcano IT Services UK Ltd, but there are no invoices to prove Volcano IT Services UK Ltd bought all the goods and chattels from Volcano IT Services Ltd. So they start listing your assets and taking them away.
In this context (wait for the data nerds to say this is the wrong metaphor) this invoice for your past collected data may be what is called Consent.
Consent WHAT? I am holding data, not asking their father for their hand in marriage?
OK, so as much as GDPR posts say it is not ALL about Consent, pretty much all myths and scare stories are about not having consent, misunderstanding the consent process, or not having this consent documented.
The worst that can happen is that if consent is tested for your past data and you are found wanting then you will need to get rid of that data, and subject to how far down the journey you are tested for GDPR breaches (by journey, I mean I think we have a period of 10 years of change ahead of us) you may be fined, smacked on the wrist or shot at dawn (ok, maybe not shot).
So how is consent defined?
From what I have read, the definition of consent under the GDPR is:
Any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
This means that consent must be:
- Unbundled – separate from other terms and conditions
- Active opt-in – no pre-ticked boxes or implied consent
- Granular – applied to separate processing and purposes
- Named – all those relying on the consent must be named individually
- Verifiable – records must be kept to prove what consent was provided for
- Easy to withdraw – just as easy as it was to provide
- No imbalance of power – not available to public sector or employer/employee relationships
- Refreshed – valid consent does not last forever
Who says what about consent?
- Lawyers. Lawyers say if you can rely on other processing then do so and look to things like legitimacy or soft opt-in (we will get to that).
- GDPR pundits who have some knowledge of the recruitment industry. They agree with lawyers and start steering you towards other ways to be GDPR ready/compliant than just consent.
- GDPR pundits outside the recruitment industry. Quite a lot I have found have been hung up on consent. They also tend to work for very large companies with huge data exposure and huge incomes that could be devastated by 4% turnover fines. So they have data laws covered out the yin-yang.
- Applicant Tracking Vendors, Job Boards, Accounting system vendors, etc. I have found very little public info but I am sure they are on the case.
- Recruitment Website vendors. Some make up more myths, like WordPress websites are going to be non-compliant; others say GDPR what? A few have GDPR prepared for in so far as we know it.
- What I say. Speak to a qualified GDPR recruitment expert, and if it were me I would build a new consent path, which is GDPR compliant, while looking for legitimacy or evidence of soft opt-in for using some of the past data you have for continuing marketing methods.
What is soft opt-in?
There is a patch called the ‘soft opt-in’. This means that consent is not required if you are sending marketing messages about similar products and services to your customers/clients or those you have negotiated with to provide products or services, as long as:
- You give them the opportunity to opt out when you receive their contact information; and
- You give them the opportunity to opt out when you send them subsequent messages.
This processing is not based on consent, but rather the legitimate interests processing condition, and can only be relied upon by the organisation that collected the contact details, not third parties.
So it is the third parties part here that for me brings up the biggest risk and/or area of contention. The third party places you gained candidate data from are likely to have been job boards, CV data services, and research firms/CV data generation services, LinkedIn, Facebook (plus other social media platforms), walk-ins, candidate referrals, clients who say “help this guy find a new job”, and so the list goes on.
Some of these third parties will have clear policies on data, be compliant with other data compliance laws, etc. Others may have not looked so closely at the law because they had a similar start-up process to the one I described about recruiters earlier.
It is here you need to make a judgement call: do you hold personal data for vanity, sanity, or do you think you are compliant for both?
P.S. Legal wizards tend to say that if you wish to continue with SMS and/or email marketing, the soft opt-in is not your best path, and you should focus on consent for that and check the current PECR laws and your vendor’s compliance. It may be your email-marketing vendor was very anal about the data you loaded to their systems to mail your marketing messages. On the other hand, you may not have such clear consent if your ATS does your mass mailing (subject to legitimacy).
Candidate Data Asset or Liability
So let’s look at the data you have and what you may do with it under consent, legitimacy, etc. (Data geeks, we need not hear from you on compliance, thanks – recruiters, that is what you invite them in for).
Candidates in your ATS/CRM: for the sake of argument, I am going to deal with the ones who came by your website and registered with you directly and for ease assume you have legitimacy because they asked you to find them work. Some or all of the following will apply to that data from other channels, subject to how you prove legitimacy, soft opt-in and/or consent.
So let’s break that down as follows:
- Permanent candidates registered in the last 12 months.
- Permanent candidates that are 13 months to 36 months old.
- Permanent candidates that are 37 months or older.
There have been myths that you need to delete some or all of this data. My view, supported by a few others, is that you have the legitimacy to talk to these candidates about the following:
Permanent candidates registered in the last 12 months
The jobs you have that match their job-seeking needs for the next 36 months and/or jobs that could improve upon the jobs they took if not through you. There are plenty of studies to say that permanent candidates are changing jobs in 3, 4 and 5-year windows, and as GDPR is not about stopping trades, just keeping safe those you wish to trade with, you should be all good here.
The service that you operate to candidates, however, probably needs an overhaul. There is plenty on LinkedIn to say that candidates want more from their recruiter. They want acknowledgment of their registration, permission-based marketing of their skills to clients, quality feedback, and more in the way of a relationship so they can trust you are trying your best. This to me is where GDPR helps to pull the recruitment industry out of the negative doldrums and into a very rosy future.
Legitimacy for future marketing comes then from doing things like the following:
- Making a formal thank you for all registrations and setting out the candidate’s options to get services from you.
- Log all the jobs you present to them.
- Provide and log all the feedback for jobs they are declined for.
- Provide and log all interview feedback for jobs they are matched with.
- Provide and log all offers for jobs they are matched with. Follow up and log all resignation preparation.
- Log and follow up on all candidates who take up jobs and start at your clients.
- Offer a follow-up relationship path for placed candidates that has 1 month, then 3 months, then 6 months, then 12-month triggers, etc. and log that activity.
- If a candidate drops out of one of your jobs and it is relevant, follow this kind of process for all the jobs you work at. But here is the key in my view: have the same process of 1, 3, 6, 12-month follow-ups for those you don’t place.
- Having follow-up agreements and quality follow-up procedures makes for very happy and loyal candidates to you and your brand.
- Delete those you know you positively can’t place and save yourself time for future SAR requests that lead to forget me requests.
Permanent candidates that are 13 months to 36 months old
Adjust this to suit your niche; we know for example Actuaries are slow to make decisions, so 18 months might be quick for them to find the right jobs, whereas salespeople might have a quicker churn.
Your follow-up marketing should then decide when you need to move to the delete button.
Permanent candidates that are 37 months or older
I am gonna say delete the data if you have no, or no credible, follow-up. You might want to push that out to 5 years. But that must be the limit, I think. If you are still unsure, then check the past sales that you have made from candidates who you have not spoken to for 5 years or more.
Now there may be a flood of comments to say “We found a person 48 months after they registered with us in our ATS in Monster and placed them.” I am gonna say cool, but if you had a better follow-up policy they would have been flagged up in your ATS and you had a credible reason to call them.
Better data management leads to more sales.
So what can you offer in your follow-up strategy that is worthwhile?
I am going to break this down with just a few examples. Speak to your sales trainers and owners for more, unless you are a RecruiterWEB client and we have a program of works coming for you. The examples are proactive and reactive marketing methods.
Proactive marketing pro step 1
Future salary survey data is the 3rd to 5th thing searched for by active and passive job seekers. Provide a quality source, maybe via your website, and you will have a credible long-term relationship. RecruiterWEB clients can provide that data via our website platform, and on the same page are jobs that may match their needs or pay those numbers. It is subtle and effective.
Proactive marketing pro step 2
Run a high-quality, easily trackable candidate referral program. There are plenty who say referrals don’t work. I will say that our clients make them work.
Proactive marketing pro step 3
Offer highly intelligent job alerts for candidates to double opt in, and then manage according to need. As a preference have job alerts that may be suspended for 3, 6, 9, 12 months, etc., and all clearly permission-based, of course. I think the legitimacy is easily proven, and it is a hassle-free one-click cancellation service if the candidate does want to be forgotten.
Also, some great candidate job-seeking data by LinkedIn, Indeed and Smart Recruiter recently proved that job seekers today turn out to be tyre-kickers within 7 days of applying for a job a massive percentage of the time. They subsequently come back to market in weeks, months and even years as real job seekers. Job alerts will help with that.
Reactive marketing pro step 1
Remarketing of your website visitors can be achieved via services like Google Ads, Facebook Pixels, and LinkedIn Pixels. The user will see your content as they move around the web. For sure there are some laws and compliance to meet on remarketing, and you should check with each vendor how they comply with GDPR and PECR and eMarketing, etc.
Reactive marketing pro step 2
Be present online where your target niche candidates operate, be that blogging in biomedical communities or giving out road work travel blockages advice to HG1 drivers sat on rest break and using Twitter.
Reactive marketing pro step 3
72% of all job searches now start online in Google. So you need a marketing fund/strategy for Google AdWords, Local SEO, Organic SEO, Banner Marketing, etc.
So let’s come full circle and end with consent.
If you are going to rely upon Consent for your future candidate marketing, that consent needs to be watertight. And with the changes to ePrivacy laws, some online marketing is going to get harder.
If you are going to rely upon legitimacy, then speak to a GDPR specialist with recruitment industry experience or who is making a rapid investment in their understanding of how recruiters think/work.
Above all else, probably the most valuable thing I have to say on GDPR and future candidate marketing is this. The ICO is more concerned in my view about you having CVs in unlocked filing cabinets that don’t get properly disposed of. Or that you are running needless risks by having duplicate candidate data in multiple IT systems, like why does your website vendor insist candidates have to put a copy of their CV in the recruitment website’s database just so they can use a job alert or apply for a job? We have removed that need from our websites and had a higher take-up of job alerts as a result. GDPR talks about needless data duplication, and this has to be one example of that. You need a GDPR consultant not to dispel myths, but to tell you where your present and future risks are so you can adapt and then thrive.