Right from the get-go, GDPR has been a lot to get on top of. Recruiters who are armed with the right tools have not been intimidated though one year on. To be successful, recruitment teams will always have to collect and analyse personal data. GDPR establishes the need for personal data held to be kept accurate, not held longer than necessary, and to be transparent in communications with the individual about what data is held and why. This has required a significant culture shift, as recruiters previously held data on individuals without the individual’s knowledge, and for long periods of time. Rocked by the substantial fines already issued, employers are completely rethinking their approach to data management and governance to ensure ongoing compliance across all regulatory areas. Google’s $57 million fine by the French Data Protection Authority; Flybe, a leading UK airline, car manufacturer Honda and retailer Morrisons were all served substantial UK fines by the ICO for sending communications to users without their consent. Pub favourite Wetherspoons shocked the country by announcing that it was deleting its entire email database.
The Main Causes of Risk
Organisations typically hold data on individuals for recruitment in the ATS/CRM systems. This means:
- The most up-to-date candidate information on your system will be new candidates. Existing candidate data will almost certainly be already out-of-date.
- Most content sent by email – if not all – will be related to jobs. This means that open and click-through rates will be poor.
- At least 10% of the email addresses stored in your system will be invalid so anything you send will not reach the intended recipient.
- Candidate preferences will be incorrect as typical recruitment teams simply don’t have the tools or capacity to keep them up-to-date.
- Opt-ins to receiving any type of communications will not have been recorded.
- Opt-outs will rarely have been recorded, actioned and certainly not processed by recruiters.
- A high number of ATS/CRM platforms do not, as standard, give candidates the ability to opt-out of the different types of communications from your business.
Pressure on Current Database Deletion
Conversations with DPOs (Data Protection Officers) around GDPR compliance continues to be a challenge for talent acquisition teams. Almost all of our customers have come under pressure from their DPO to delete their entire talent database unless they can prove compliance. Working through the issues, we’ve been able to the hold on to the most valuable of assets, as well as demonstrate the positive effects of GDPR.
The Impact of Pipeline Automation on GDPR
Pipeline automation is an invaluable tool for helping recruiters track candidate behaviour, understand their preferences, who is engaging and how they are engaging, and prioritise ‘best fit + hire ready’ for immediate follow-up. Pipeline automation gives recruiters the complete view of the end-to-end talent life-cycle. Automating talent pipelines is even more crucial in a world governed by GDPR. Without automation infrastructure in place, companies end up with disorganised data, the deletion of expensive databases, and ultimately costly fines. A pipeline automation solution helps you track and verify that data is managed in a GDPR-compliant way. Over the past year at Candidate.ID, as the leading pipeline automation solution, we have worked through with our customers the many challenges and changes from GDPR. Here are the 9 major benefits realised by underpinning their workflows with pipeline automation:
1. Transparency Leads to More Engaged Candidates
One of the natural consequences of making the hiring process and data collection of applicants more transparent, are more engaged candidates. Candidates who are highly-engaged are less likely to opt out. In fact, less than one percent of our client’s candidates opted out following GDPR. When candidates feel that a company is respecting their information, they are more likely to interact with the hiring process.
2. Turning Existing Databases into a Talent Goldmine
Our clients often ask us if they need to delete their existing databases to be compliant with the GDPR. No, you don’t – even if you have not tracked their permissions. But, if you haven’t started to fix it, then START NOW. Do not wait a day longer. Watch this video “Automating GDPR Compliance with McCurrach” or read the full GDPR Refresh eBook or all the steps you need to take to turn your dormant database into a talent gold mine, and:
- Ensure your existing database is fully GDPR-compliant.
- Establish a transparent process (ahead of any challenges from the ICO about how you manage existing candidate data).
- Clean up your database by deleting invalid data and those who have not engaged.
- Dramatically improve and maintain your ongoing data quality.
- Get a full picture of who your live ‘best fit + hire ready’ prospects actually are.
3. Automation Maintains Ongoing Compliance and Slashes People Time
Managing the rights of candidates under GDPR is a huge administrative burden and too big to be done manually. The risk of manual error is so significant that you need look at how this can be automated. Your business must have a tool that has the capability to automate the management of these rights with as little human intervention as possible. With its privacy-by-design nature, CandidateID contains the complete feature set to automate compliance with the requirements of the GDPR. End-to-end consent management enables companies to enforce the compliant capture and processing of data for both inbound (i.e. applicant) and outbound (i.e. sourced) candidates.
4. Data Governance Rethink
Good data management and governance is a must in 2019. Data in today’s world is now subject to government regulations, privacy restrictions and internal policies that limit data usage. Massive amounts of data and an explosion of different devices has forced employers to completely rethink their approach to how they manage and govern data to ensure ongoing compliance across all regulatory areas. Today’s digital landscape teams with talent interacting with employers across many channels and many devices — mobile phones, tablets, laptops, desktops, apps and countless other touch points. This digital transformation is exciting, but it also presents enormous challenges for employers. At the centre of this challenge is the need to create an individual talent profile that represents everything an employer knows about that individual. This includes their behavioural data, ATS/CRM data, level of interest/engagement and their current real-time compliance status. We developed Candidate.ID with that responsibility at the core. It offers advanced data privacy compliance solutions through automated compliance management, reporting and best-in-class candidate data management. Candidate.ID also helps you to govern and control how data is used. The business risk you are exposed to from your data is strongly controlled by your ability to know what data you have and where it came from, to catalogue the source and categorise it, and to manage the myriad of regulatory and policy limitations on its use. Candidate.ID also provides a robust, powerful data governance framework that enables you to catalogue and categorise your data. This framework also helps you define policies for how different categories of data can be used.
5. Outreach – Underpinning a New (Sourcing) Process
One of the most complex areas of GDPR is around direct sourcing to build up your talent pool and establish that initial connection with the candidate. You may have found a profile on social media, or searched a job board, but the candidate hasn’t given you the right to copy their data into your system, even if their profile was on the public web. Once you have qualified someone, you have to then make sure that your outreach across any channel is proportionate. You also need to set up the legal basis for you to hold and process that individual’s data. The key is to be able to prove you have the legal right to process and hold candidate data. That is where the comprehensive tracking of candidate behaviour in pipeline automation comes in.
6. Meeting the Rights of Candidates
Once you have established your legal right to process and hold candidate data, pipeline automation makes it easy to ensure you also meet the rights that candidates have in regard to their personal data. For example, you can:
- Mandate every candidate communication sent from your business to contact links to your privacy notice.
- Mandate every candidate communication to give the recipient the opportunity to opt out from that type of communication.
- Automate the updating of out-of-date information and set this to run on a regular basis.
- Create automation rules to ensure all individuals are notified within 30 days that you are holding their data for new candidates created, and make sure no one is missed.
- Set retention dates for how long you can hold different types of profiles. Set up time-based automation rules to automate the process of maintaining ongoing consent.
7. Keep in Touch Continuously
Under GDPR, you are only allowed to process candidate information for as long as you need to. Contacting them within 30 days means you have met your notification obligations, but that doesn’t mean you can continue to process their data indefinitely. With Candidate.ID, however, you can hold their data by continuing to keep in touch by sending them content of interest on a regular basis, but always with the option to opt out at any time. Provided you can prove the candidate has engaged with this content, across any digital format, you can continue to process their data. If they do not engage, then Candidate.ID can automatically unsubscribe people based on time-bound rules.
8. Making GDPR the Catalyst for Hiring Advantage
At Candidate.ID, we view GDPR as a tremendous opportunity for recruitment to develop deeper, more trusted relationships with the talent you want to attract and hire into your business. To navigate the GDPR and continue to blaze a trail in talent acquisition, you need to balance talent-centricity, governance, and compliance. Candidate.ID allows talent acquisition teams to work with GDPR in confidence, and to use the GDPR as a catalyst for hiring advantage.
Conclusion: Automated GDPR Compliance with Candidate.ID
With its privacy-by-design nature, CandidateID contains the complete feature set to automate compliance with the requirements of the GDPR. End-to-end consent management enables companies to enforce the compliant capture and processing of data for both inbound (i.e. applicant) and outbound (i.e. sourced) candidates. Underpinning solid workflows with CandidateID’s pipeline automation will help you use GDPR as a catalyst for hiring advantage.