He’s making a list, he’s checking it twice… Who’s list are you on?
This Christmas, make some Subject Access Requests to the recruitment community and get a stocking full of data!
Introduction – the GDPR six months on…
The GDPR was six months old on 25 November 2018. After a flurry of opt-in requests went through our inboxes in and around May, the dust settled and we all went on holiday and came back to life as normal in the summer. But wait a minute… have you wondered why you are still being cold called by recruiters? Our users tell us this is still as much of a problem as it was before 25 May. And this is borne out by statistics from the Information Commissioner’s Office (ICO), the regulator under the GDPR. In October, there were 6980 complaints to the ICO for spam marketing by email or phone and, from the last available data, recruitment was the biggest source of complaints under GDPR for unsolicited email.
How legal recruiters construct “legitimate interest”
Why are so many complaints occurring? In short, there is a huge disconnect between how recruiters and candidates see GDPR and data privacy compliance. From a recruiters perspective, under the GDPR, “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” As long as a recruiter can substantiate a “legitimate interest” argument to process your data, they will do so. That is not to say that all recruiters are acting poorly, but certainly quite a few are if the industry remains the top source of complaints to the ICO.
In terms of “legitimate interest”, let’s look at the ICO’s methodology for assessing whether or not a legitimate interest exists for processing a potential candidate’s data, and cold calling them. Three elements – or tests – must be met here: being a “purpose test”, “necessity test”, and a “balancing test”. These need to be documented by a recruiter so they can satisfy the GDPR’s accountability principle.
Under the purpose test, marketing activity needs to be ethical, and meet the Privacy and Electronic Communication Regulation (more commonly known as PECR) requirements for electronic communications, as well as other legal and industry standard requirements. In itself, purpose is not sufficient to provide assurance that the direct marketing activity can be carried out. To determine whether the processing is necessary to achieve a legitimate interest, a recruiter must consider whether there are other less invasive means to meet its identified purpose and serve the legitimate interest of the business. The recruiter must be satisfied that its use of personal data is a targeted and proportionate way of achieving the purpose – it does not have to be essential – and that the privacy impact is minimal. Route1 thinks it is hard to sustain that cold calling a candidate at their place of work has minimal impact.
The final and key element in establishing legitimate interest is the balancing test. This means analysing whether the recruiter’s legitimate interest is “overridden by the individual’s interests, rights or freedoms”. Under this test, recruiters need to determine whether people would reasonably expect the personal information being processed to be used in the manner the recruiter intends to use it, with greater consideration needed to be taken of how much of a nuisance factor the communication might be and the effect of the chosen communication channel on the individual.
Contingent recruiting – welcome to trawling
Recruiters rely on the claim that they have a legitimate interest basis for personal data processing (and marketing activities) by arguing the way that they use a candidate’s personal data is proportionate, has a minimal privacy impact, and candidates would not be surprised or have little objection to what they are doing when using it. Recruiters maintain that candidates would like to know about potential roles and that this supports their legitimate business interest analysis.
There is a distinction in legal recruiting that needs explaining here before we analyse the basis of their alleged “legitimate interest”: 5-10% of the legal recruitment market categorise themselves as “search” recruiters, and who are relatively expensive, highly targeted and bespoke; and 90-95% of the market categorise themselves as “contingent” recruiters: cheaper, process driven, and relative to search, less skilled: more of a numbers game. LinkedIn and direct hiring by employers have significantly reduced recruitment search mandates: after all, if employers can use LinkedIn to source talent themselves, why pay a 25% fee to have a third party search agent do the same thing?
Contingent legal recruiters, who constitute the vast majority of the market are disliked by many candidates because of the inherently speculative nature of their business model. Contingent recruiting which works like this:
(1) Contingent recruiters obtain, anonymise and remarket roles that are publicly available through job boards, emailing and cold calling potential candidates, often giving the appearance that they somehow have a relationship, or mandate, with the employer for that role. The vast majority of legal roles are publicly available because legal employers put them on their websites and LinkedIn in order to seek to hire legal talent directly. As a result, bona fide roles multiply into a match greater number of anonymised recruiter roles. This process can be checked empirically: based on Route1 data analysis, we know that roughly 150-200 legal jobs are released to the contingent market in this manner each day, but if you search for legal jobs on aggregation sites such as Indeed or Adzuna, or industry job boards such as The Lawyer Jobs or Legal Week Jobs, these can morph into 3,000+ roles, simply because multiple anonymised adverts have been created by contingent recruiters – for the same job.
(2) Once a contingent recruiter has contacted a candidate, they often misrepresent that they are mandated to represent the anonymised “client” (a.k.a “leading regional/City/US firm”) in a “search” mandate. The distinction can be blurred in a candidate’s mind because recruitment firms are keen to point out in their marketing that they can do both functions. The “search” claim can be a compelling one, but don’t be fooled by a recruiter (and yes, your ego) into believing that they are conducting a bona fide search. For the reasons explained above, these are very rare because very few clients are willing to pay for a “search” mandate unless a role is proving very hard to fill, it is senior or strategic in nature, or is highly unusual.
(3) The contingent recruiter generally refuses to release the name of their “client” until the potential candidate agrees to be represented by them. Once this agreement is made, and this can be expressed or implied through simply “having a coffee”, the recruiter then contacts other firms with the candidate’s data. The candidate is now in play, having been “trawled”, and according to the contingent recruiter’s terms with various employers, he or she is now “owned” by the recruiter for up to twelve months. And in recruitment parlance, the candidate has been transformed from a “passive” to an “active” candidate.
(4) The contingent recruiter then runs a numbers game as he or she seeks to make a fee from the now “active” candidate – which statistically will be highly unlikely to be with the firm that initially created the role on its website, let alone the firm that candidate thought it was applying to, and that made he or she “active” in the first place!
Trawling is becoming more prevalent now employers have moved away from search mandates. Simply put, if you can’t “own” the jobs as a recruiter, you must “own” the candidates. Employers not surprisingly take a dim view of having their job advertisement anonymised and used in this way. The post-GDPR compliance implications of trawling for contingent recruiters, however, are far more serious. GDPR and the “legitimate interest” basis for processing personal data now sits at the centre of their business model, with data compliance a critical component. The practice of trawling, when set against the ethical requirements of the purpose test above, is hardly a basis for “legitimate interest” – the basis on which the contingent recruiter is conducting its data processing. Neither is it how “people would reasonably expect the information to be used in the way they intend to use it” under the balancing test. As data privacy concerns post GDPR become more widespread, we think that only recruitment efforts that name the employer firm on solicitation will be deemed legitimate unless there is a substantiated reason for confidentiality that is explained to the candidate on solicitation.
What has changed under GDPR
Route1 was designed to put the candidate in control of the recruitment process, giving them all the relevant data on a role – including the identity of the employer – and the team they are joining before they apply. We believe this empowers candidates to make their optimal choices, not those of an agent based on anonymised information. In being GDPR “compliant by design” we were built to have a candidate’s interests in mind.
We know from our research that many contingent – and search – recruitment firms have failed to purge their candidate databases before or after GDPR came into effect, and are still processing personal data in breach of GDPR from either how they obtain, process or disseminate personal data. So how can the status quo change? Well, the GDPR empowers that change: candidates now have the right to request disclosure of what personal data is held in relation to them, where it was obtained, and to whom it has been disclosed. It also enables direct marketing to be stopped, in each case by simply contacting them with a Subject Access Request or SAR.
A SAR enables you to request a copy of the personal data a recruiter holds on you, request that it is deleted from their database, notify them that they do not have consent to be contacted in the future and more interestingly trace where the data has come from. Many recruiters buy information about you from third-parties, so you should ask in your SAR how they obtained your data. For those of you who have already received SAR replies, it has been sobering to see how data is harvested and sold by recruitment firms and personal data resellers who scrape your data from law firm websites and sell it to recruiters. Finally, you should include a request to disclose where a recruiter has sent your personal data. Once you have received a response, you are then free to seek deletion by not only the recruiter but the person who has sold their data to them and any employer to whom your details have been sent without your consent.
38% of our users who responded to a Route1 candidate survey in the lead up to GDPR implementation said they would exercise their rights and make a SAR. As more GDPR data breaches are revealed using SARs, the number of our users and other lawyers seeking to determine what has happened with their personal data in the legal recruitment market, without their consent, will increase.
Stand up for your [data] rights!
Six months after GDPR came into effect, according to the ICO’s data, recruitment is still the most complained about sector when it comes to cold calling and data breach. The basis of contingent recruiter direct marketing when based on “legitimate interest” is, in our view, on very shaky ground. There are now companies entering the market that will enable you to make multiple SARs against all recruitment companies with ease. And whilst similar requests used to cost money under the old Data Protection Act, under the GDPR they are free. For example, you will soon be able to use Yo-Da (short for “your data”) to find out which of your personal data any third-party holds, ask for it to be disclosed and, if necessary, deleted. When used to make requests of recruiters, this process will also enable you to object to the assumption they have made that there is a “legitimate interest” or consent basis for them to contact you. And making a SAR to recruiters that you trust ensures that your personal information held by those recruiters is correct and up to date.
So, like Santa, make a list using Subject Access Requests. If a recruiter has been good to you, use it to help them update your personal information. If they’ve been bad, for example, you’re unhappy with how they’ve obtained your data, where they have sent it, or how they are holding or processing it, in each case without your consent, then request that they delete, and procure that the provider and recipient of your personal data also delete it. If they are too slow in responding to your SAR, they will be reported to the ICO. Your gift to yourself will be stopping cold calls for the New Year, only working with recruiters you know and trust, and helping to improve data compliance within the legal recruitment process.
The Route1 Team