GDPR supply chain compliance risk in legal recruitment – and how to manage it

15 January 2019

Supply chain risk

The General Data Protection Regulation (GDPR) is presenting new risks for employers and for the recruitment agents they use to secure talent. All parties involved in the processing of personal data for recruitment purposes now have a duty to ensure appropriate privacy and security for such data. Following implementation of the GDPR, when a law firm receives personal data referencing a potential employee from a recruiter or data vendor, it is the employer’s responsibility to ensure that any personally identifiable information (PII) was obtained, and shared, legitimately.

Satisfying this new requirement is complex and resource-intensive, and in an effort to minimise costs it is not always fully implemented in practice. Indeed, few law firms have clear visibility of the cyber and privacy risks emanating from their recruitment relationships. After years of lax regulatory enforcement, it is often difficult to have a clear picture of where candidate recruitment data sits in their own databases, where it came from, and who is processing PII on their behalf. Many recruitment agencies receive personal data from third-party data vendors, including Legal Monitor and Revael, who scrape candidate data such as names and email addresses from law firm websites without the data subjects’ (or the firms’) consent. The GDPR is likely to have the most immediate impact on this type of practice.

“Candidates should think of the rights they are given under the GDPR as a non-transferable copyright over any information that references themselves,” explains Benjamin Falk, the founder of YoDa, a new AI-powered personal data robo-lawyer. “Just like an author who writes a book is the exclusive owner of the copyrighted information in that book, you and I now own the personal information that we create just by going about our everyday lives. Just like an author can demand Amazon stop selling illicit or pirated copies of their work, candidates in the recruitment market can now demand that third parties desist from using, sharing, analysing, or profiting from any of their PII on an unauthorised basis.”

For example, candidates can now exercise their “right of subject access,” just one of eight consumer rights enshrined in the GDPR. By executing a data subject access request (SAR) a candidate can compel any service provider to disclose which candidate personal data they are processing, and for what purposes. Route1 is developing a SAR platform with Yo-da, YoSAR, that will be launched in the next few weeks. This enables it to facilitate SARs against a wide range of recruiters on behalf of its users, in order to find out how their data was obtained, what it comprises, and to whom it has been passed. In beta it uncovered a number of databases that appear to be providing personal details to recruitment agencies without the consent of the candidate. It is data vendors such as these that are likely to be the weakest link in an employer’s recruitment supply chain, and who present the greatest risks to their data protection obligations.

From a technical perspective, the “quick fix” solution for employers is to include in all vendor contracts warranties on the appropriateness of both their own and any subcontractors’ security and data protection practices, as well as a requirement to either notify or approve of any agency subcontractor before they can be used to recruit for the employer. Last May saw a rush to include these provisions in employer engagement terms for their recruitment agency providers as the GDPR came into force.

Although these provisions may successfully shift the legal liability for damages caused by a failure to securely process PII onto the recruitment agency and its subcontractors, in the event of a personal data breach it will be the law firm or other employer that bears the reputational risk. And when your clients expect high standards of confidentiality and data protection, a public data breach will be significant – and once a public allegation has been made it will be impossible to hide a relationship with a now-tainted vendor. When the potential damage is reputational, monetary remedies are likely to be unquantifiable and probably insufficient.

Furthermore, any contractual claim against recruitment agencies is unlikely to offer much value, as they are almost certainly inadequately insured in the event of negligence or, worse, an intentional breach. Moreover, data subjects – the candidates themselves – may also hold a prospective employer responsible for breaches suffered as a result of the non-consensual data sharing that drives legal recruitment. This would not only compound the reputational damage to a reputable law firm, but also affect its ability to hire.

Finally, because actions by third- and in some cases fourth-party processors can have consequences which cannot be remedied simply by monetary damages from the agent, contractual warranties that place liability solely on the agency offer limited risk mitigation. Employers should therefore use additional technical and strategic solutions to help monitor the recruitment agencies they use and their subcontractors. This means firms need to ensure strict adherence to preferred supplier lists – no more partner-led recruitment going forward – and use clear, auditable due diligence processes for evaluating the information security and data protection practices of their agency partners.

Doing this cheaply and efficiently at scale is likely to require investment in automation technology from, for example, data protection technology providers such as Exonar. Exonar provides solutions that automatically find PII in disparate and fragmented internal databases, including but not limited to a firm’s talent CRM (or ATS/applicant tracking system). These HR platforms have not traditionally been the sole location for candidate PII. Instead, thanks to a range of informal sharing mechanisms and overlapping relationships, including where partners receive PII directly from recruiters with whom they have a personal relationship, candidate data could be anywhere, from the desktop machines of paralegals to the mobile devices of partners.

According to Exonar’s CEO, Adrian Barrett, “2018 was the year that data privacy and protection became a top priority for organisations, 2019 will be the year that consumers take back control of their data”. Exonar has recently released the Exonar SARlution module that will enable organisations who need to comply with the GDPR to respond to data subject access requests in minutes rather than days, greatly reducing the time and cost of compliance.

With recruitment causing more consumer complaints than any other sector, according to the latest data from the Information Commissioner’s Office (ICO), the industry is now firmly in the regulator’s crosshairs. Employers who fail to ensure that candidate data is securely processed by the recruitment agencies they use, and their subcontractors, are open to clear and present reputational risks that are now too big to ignore. Organisations should work together with relevant stakeholders to help improve the data security health of the legal and other recruitment ecosystems as a whole. It is in all employers’ and candidates’ interest to fix this problem.

At Route1, we are leading the way forward in legal recruitment by putting candidate privacy at the heart of our technology. Our candidates ALWAYS control the application process, and their PII. And because Route1 is the only recruitment solution that secures candidates’ rights under the new, strengthened data protection regime, we help reinforce downstream GDPR compliance for law firms.

Conduct your search for talent with confidence, thanks to Route1.

The Route1 Team

Route1 is an award-winning marketplace for legal talent. For any questions, please contact James Cole for more information.
We have big ambitions to permanently change the way people hire and get hired, both in the legal and other white collar sectors, using GDPR compliant, content-rich, value-added recruitment techniques. We place transparency, charity, and candidate control at the heart of our model.

Route1 was founded in the UK in 2015 and is headquartered in London. Our founders and investors include experienced lawyers, digital entrepreneurs, recruitment consultants and HR professionals.