Is the Recruitment Sector Ignoring GDPR?
In insight / By Stephen Peak / 02 July 2018
We sat down with Steve Peak, Head of Continual Service Improvement at Nasstar, who (in his own words) is busy developing a worryingly strong interest in GDPR consultancy.
Today, we’ll be talking to him about his latest views on GDPR readiness within the recruitment sector.
GDPR in Recruitment
One of the great things about my role is that I get to speak to lots of organisations in a given sector, so it’s a good way to pick up a general feeling about current perspectives across the industry.
In the recruitment sector, I’m still seeing a lack of appetite within some businesses for discussing anything GDPR related. There are many businesses that believe the GDPR won’t actually change anything, partly because there have been so many other ‘flash in the pan’ trends that never resulted in the disastrous outcomes that were predicted, such as the Y2K bug or the furore around tightening IR35 regulations. There was a lot of activity in the news, then the focus dies down and business carries on as usual. And many think that GDPR will be the same.
However, data protection regulations are not going to go away and the focus on achieving better data policies will only heighten, whether that’s driven by legislation or consumer opinion.
The latest issues around Facebook and Cambridge Analytica show that the public as a whole is waking up to the potential impact of sharing data online. There’s been a shift in how we think about social media and data sharing. Ten years ago, many people were keen to get involved with new social media platforms, baring all online and sharing lots of personal information on MySpace, Facebook, Tumblr and similar platforms. Then we started hearing about privacy settings and identity theft due to social engineering through social media, and we started to think about how we could protect what we were sharing with strangers.
But now there’s an even bigger worry - we’re entering a new era, where, despite locking down your privacy settings, companies such as Facebook and LinkedIn, with whom you are actively sharing your data, may now be sharing it for commercial purposes with other third-party entities.
GDPR will only become more prominent as the public becomes more aware of their own data rights and seeks out better ways of protecting their data.
But what about the recruitment sector?
I was recently at a recruitment industry expo, helping out on a Nasstar stand. We asked anyone that came by what they were doing about GDPR, and I would estimate that around 60% of the people we asked either didn’t know what their company was doing about GDPR, or were not planning to do anything.
We were quite shocked by this, especially in a sector that is built on maintaining and sharing candidate information. Surely your business must have some data protection plans in place for handling such sensitive information?
The other thing I’m hearing from customers in the recruitment sector, especially within the finance departments, is that GDPR is an additional expense that they haven’t budgeted for. It’s a limiter on the business’ activities. It’s just another cost.
But GDPR is actually a business enabler
Complying with the GDPR shows that you are putting security at the heart of your business and that you take managing your clients’ data seriously. GDPR compliance can be used in your marketing activities to demonstrate your commitment to data security, especially as other businesses will be concerned about whether their suppliers and business partners are GDPR compliant.
We were recently speaking to DJ Marker, Finance Director at national recruitment firm, Grovelands, about the steps they are taking to manage GDPR.
“Internally within Grovelands, we have engaged with a GDPR specialist to review our data processes, and to track where and how our data is stored,” said DJ. “We’ve also just completed an exercise with our third party suppliers to ensure that they are also correctly managing any data they are provided, such as our CRM and application vendors who invariably handle our sensitive data through their software platforms.”
Companies want to do business with organisations who are proactively protecting data. Imagine if one of your clients found out that you had accidentally leaked candidates’ information from a recent round of interviews, including notes you had verbally been given by your client about each candidate. It would not only affect your reputation but also your client’s reputation. They can’t take the risk that their supply chain could lose sensitive data and damage their brand reputation.
In short, GDPR isn’t just a tick in the box. It’s critical for business growth and maintaining supplier relations.
Who is on board with GDPR?
Many larger recruitment companies who already have compliance departments in place are perhaps finding the transition to GDPR compliance easier than smaller businesses who are often having to juggle GDPR responsibilities with other job roles. That’s an area where we’re being brought in to help plug the gap for teams who need a bit of extra resource and expertise to figure out their GDPR position.
What’s stopping recruitment companies from becoming compliant?
One issue preventing recruitment businesses from becoming GDPR compliant is that there are a lot of ‘accepted’ marketing practices in the recruitment industry, such as regularly mailshotting thousands of contacts. Many firms now recognise that these activities are not going to be acceptable under new GDPR regulations; however, some still don’t want to change their business processes because it’s how they’ve always worked.
Some firms are instead looking at innovative ways to capture insights about how to be GDPR-ready and best prepare their industry for the change.
“We set up a peer group of recruiters and specialists in the industry,” says DJ Marker of Grovelands, “which comes together to meet and discuss the GDPR and the potential impact it may have on the recruitment sector. There’s still a lot of uncertainty around the detail of the GDPR and how it will impact on recruiters collecting data from LinkedIn, job boards and candidates’ public social media profiles. If we have no commercial relationship with a candidate (i.e. before we’ve engaged with them formally), then what rights and responsibilities do we have over holding their information in light of the GDPR? These are some of the questions we are working on answering currently.”
Common concerns across the industry
I hear a lot of concerns from recruitment firms about GDPR. Here are some of the main ones:
Firms are going to lots of events on GDPR, hoping to be given a silver bullet about what they need to do to become GDPR compliant. Unfortunately, it’s not that simple, as many of the recommendations are unique to individual businesses, their IT systems, their processes and their staff.
The GDPR regulations are still very vague and this causes a lot of frustration for companies trying to work with them and understand their position. All you can do at the moment is work with the current regulations and recommendations and refine these over time as detail around the GDPR becomes clearer.
The topic of consent is causing a lot of discussion. What does consent about handling data mean? Is it enough to sign up for a newsletter, or does more thorough approval need to be given to be GDPR compliant? Businesses should be looking at how they can automate their consent process so that it is built into processes such as newsletter sign-up or event registration, rather than leaving it to manual activity to sort out. Some companies are trying to work around having to gain consent, hoping to use implied consent; however, they are leaving themselves open to potential comeback in the future.
What recommendations would I give to recruitment companies at this point?
You can’t rely on IT and security alone to ensure GDPR compliance. IT and security do play a part, but specific processes and policies need to be in place to support those IT and security measures.
If you haven’t already done so, undertake a review of your systems and the data held within those systems. What is the data, what type of data is it and why do you hold that data? Assessing the data you have is around 25 – 30% of the work you need to do.
A huge part of GDPR is involved in changing the mindset of members of staff. If staff aren’t bought into what you’re doing, then all the good work and measures put in place across IT can be undone. For example, if staff leave important documents in their car or on a train, or click on a phishing link in an email.
It’s important to get buy-in from senior people across your business. They may have a historic approach to running their business and handling data, and find it difficult to transition to a post-GDPR world where candidates have to express consent to their data being stored and to being contacted. Many recruitment businesses have grown on the understanding that they need to build up the biggest possible pool of candidates and candidate information. Now, the focus is on data quality, the accuracy of information and the security of that data.
How does Nasstar support recruitment firms in their GDPR readiness?
Nasstar offers upfront consultancy to assess where you are on your GDPR compliance journey, looking at business processes, IT, user engagement, training and policies, and overlaying this with what GDPR expects of a business. Then we offer recommendations in a traffic light system: what you must do, what you should do, and what may be worth considering in the future.
But the key message here is that there is no end goal – there’s no certificate you receive at the end of the hard work that says ‘you’re now GDPR compliant’, like many other accreditations.
GDPR compliance is a long-term, ongoing activity. It can be made or undone every day as you collect and process customer information. GDPR compliance is about continually monitoring your activities, optimising your data and processes and ensuring staff are fully aware of their commitments.
HPE and Nasstar
Nasstar is one of the UK’s leading managed IT service providers. We deliver bespoke clouds, professional services, managed IT and a range of technical products to organisations operating within four strategic industry sectors - with a particular focus on the recruitment and legal sectors. Powered by HPE enterprise technology, across HPE servers, HPE 3PAR and more.