A Compliant Approach To Finding New Candidates

The GDPR is of particular focus at present, ahead of its formal adoption and compliance date of May 25th. With less than two weeks left of the final countdown, countless businesses and industries are preparing to ensure that they are compliant and ready to implement new strategies, protocols and processes to accommodate this. We briefly outlined some of the key terms for GDPR in the recruitment industry in our blog.

This short series of articles hopes to address concerns of people on both sides of the recruitment process end-to-end. While I am no legal expert, the information herein is conveyed to best address the concerns and necessary actions for GDPR compliance, whilst also interpreting the relevant articles to help establish the transparency and consent-driven changes to how a candidate might experience the recruitment process themselves.


In terms of recruitment, there seems to be a great deal of confusion and apprehension about how compliance with GDPR might impact day-to-day practices. These concerns go beyond the operational practices one would expect, such as ensuring that any data storage systems or candidate databases are fully secured and, hence, compliant. In these instances, the path to compliance is clear.

Privacy policies, in particular, are perhaps the most pressing concern, as all organizations whose activities fall under the auspices of the GDPR must ensure that their policies are written or amended to ensure the privacy and protection of candidate data, outlining succinctly the options now available to everyone in terms of how their data is processed and the extended range of control that comes with the implementation of GDPR-compliant processes.


Initiating Contact and “Legitimate Interest”

Perhaps the most tumultuous area is the initial contact with a candidate with whom you have had no prior contact. Unfortunately, the 99 articles of the GDPR do not make this a straightforward affair on an initial reading. Article 6 of the GDPR dictates that any processing of data, including the acquiring and use of data to initiate contact with a potential candidate, must be done with respect to ensuring that there would be no impact on the rights of the data subjects themselves relative to “legitimate interests” of the data controller and the subjects.

The use of the term “legitimate interests” is rather vague and can provoke a number of reactions on both sides of the recruitment process. For consultancies and agencies, “legitimate interests” can be derived as providing recruitment services for the mutual benefit of both the entity itself and the data subject, or candidate. For the candidate, the term may be interpreted as quite reflexive and, as such, may be greeted with a variety of reactions. The key here is in the recognition of the source of the data being collected and the regulations adhered to in this instance.


Recruitment Databases

In terms of locating and contacting candidates, the use of CV databases such as monster.ie or indeed.ie is commonplace. In such instances, it is at the behest and explicit action of the candidate that their data be made available to both companies and consultancies for the purposes of finding alternative or new employment through their usage of these databases. In these instances, the candidate has the ability to control what data is presented, and as such should be vigilant as to the level of personal, identifiable information contained within. Self-censorship, such as changing a first name to an initial, or removing items such as a specific residence address, would provide little hindrance to a consultancy or firm looking for a candidate, as such details are often arbitrary relative to the skillset and experience a candidate has built up in their career to date. Crucially, the privacy policies of such databases explicitly state that the candidate has the right to erasure. Therefore, while a candidate’s CV is available, it would be deemed a “legitimate interest” for both parties should a firm or consultancy contact them as a third party using the same databases.


Another common practice is the use of LinkedIn for locating potential candidates. LinkedIn defines itself as a professional social network and engagement platform, whilst also hosting a powerful function for recruiters. As with any data uploaded to a CV database, it is again at the behest of the user as to what information is presented and, crucially, whether to set up a profile in the first place. While LinkedIn gives you the option of appearing as “Open to Opportunities”, it is still possible for firms and third-party consultancies to view your data as a candidate irrespective of whether or not the user has specified that they are open to contact by third parties and, as such, it can be considered a “legitimate interest” for such entities to contact users of the platform in relation to employment opportunities. In essence, if the data is made publicly available by the user, it can, therefore, be processed for the purposes of providing recruitment and related services.


Giving the candidate control

However, it is crucial that the traditional approach of initiating contact be addressed in order to ascertain the desires of a candidate relative to their predisposition towards such contact. At each level of the recruitment process, it is imperative that the candidate has the right to easily opt out of both the process and, indeed, future contact should they so wish. In doing so, the entity puts the power in the hands of the candidate and fosters an attitude of trust and respect towards them. As part of this, candidates can also elect to not be contacted in future and request their deletion from any database, candidate management system, or ATS used by said entity. (It is important to note that in such instances, it may be necessary for a data controller entity to retain a fundamental amount of data on the candidate in order to ensure that they are not contacted again. Otherwise, with no prior knowledge of the candidate, it would be possible that they would be contacted at a later date by accident, again, through the “legitimate interests” of providing recruitment and related services to them.) As noted, GDPR-derived protocols should also be in place to contact existing and known candidates from a consultancy database and give them the option to opt out of future contact prior to the May 25th deadline.


GDPR will bring changes to all industries, and recruitment is no exception. In terms of the initial contact from consultants or recruiters for candidates who have their data on recruitment-related databases or professional social networks, it is expected that this will continue as before, with a greater appreciation for the source of this data and candidate interests. At Verify we view GDPR as an opportunity to foster an engaged, trusting and active relationship between consultants and candidates and, in doing so, bring about a better candidate experience.


In my next article I will be addressing how GDPR will impact the recruitment process should you choose to engage with that initial contact and pursue a new role.