Legal Recruitment and Data Privacy – a study

12 June 2019


During March 2019, Route1 conducted a data privacy compliance survey of 152 legal recruitment firms in the UK, using data Subject Access Requests (SARs) under Article 15 of the General Data Protection Regulation (GDPR). According to the Information Commissioner’s Office (ICO), recruitment remained the sector receiving the most complaints for marketing abuses in the four months following the GDPR.

Lateral recruitment

We wanted to establish whether, after widespread adoption of GDPR compliant applicant tracking systems (ATSs) and customer resource management (CRM) systems by legal recruiters, they were now complying with the data privacy obligations under GDPR.


Identification of recipients

Our list of 152 recruiters was based on the largest agencies in the UK that focused on the legal sector, two data resellers who scrape personal data from law firm websites in order to sell it to recruiters (Legal Monitor and Revael), and one publicly listed non-legal recruitment firm to see how it compared (SThree).

SAR request content

On 6 March 2019, the following email was sent using our CRM email system, identifying the requestor by his SRA number.

Subject: SAR request from SRA Number: ******

Dear Sir or Madam,

Subject Access Request

I am writing to you in your capacity as Data Protection Officer (DPO) for your organisation. I am making this request for access to personal identifying information (PII) pursuant to Article 15 of the General Data Protection Regulation (GDPR).

If you are not the DPO for your organisation, then please pass this communication on to them immediately, as failure to respond to this communication has legal consequences.

I am concerned that your organisation may be in breach of the GDPR as it pertains to my consent to you holding my PII, putting my PII at undue risk of exposure and/or breaching your obligation to safeguard my PII.

I confirm my identity by use of my SRA number: ******

I anticipate a reply to my request within one month, as required under Article 12 of the GDPR, failing which I will be forwarding my inquiry with a letter of complaint to the Information Commissioner’s Office (ICO). The ICO is aware that you will be receiving this communication.

Please address the following:

Is my PII being processed by you or any of your affiliates?

If so, provide me with:

The categories of my PII you process;

What PII you process relating to me in your information systems, whether or not contained in your customer resource management (CRM) platforms, databases, e-mail servers, documents on your networks, or voice or other media that you store either on your electronic media or personal devices used by your employees;
Identify all third parties from whom you have obtained my PII as referred to in Article 14 of the GDPR;
Identify all third parties with whom you have shared my PII;

Advise how long you have stored my PII, and if retention is based upon the category of PII, please confirm how long each category is retained;

In regards to your employees and sub-contractors, please advise as to the following:

What technologies or business procedures do you have to ensure that individuals within your organisation will be monitored to ensure that they do not deliberately or inadvertently disclose PII outside your organisation or each sub-contractor through e-mail, web-mail or instant messaging, or otherwise; and
Have you had any circumstances in which employees or contractors have left your organisation and taken my PII with them, in the past twelve months.

I hereby request that you desist from contacting me forthwith by telephone, email or any other method and I expressly refute any assumption that to do so would support an attempt to create a “legitimate interest” basis for processing my PII under Article 6.1(f) of the GDPR.

Please be aware that if I receive any unsolicited communication from you or your affiliates following this communication, I will be notifying the ICO forthwith.



Email addresses

The email was sent to the email addresses that the recruiters published in their website privacy policies for this purpose. Where recipients had no privacy policy on their website, which is incidentally in breach of GDPR, we used their general contact email address. Our CRM system automatically obtains read receipts from email recipients, so we could measure who had opened the email. Ten emails sent to the addresses published in the recruitment firms' privacy policies bounced back. This is also a breach of GDPR.


The following graphs show:

  • Response vs no response rates within the 30-day period within which data processors and controllers must respond to a SAR under GDPR;
  • Responders, split into those who required identity verification before releasing data vs those who released personal information without additional identity verification; and
  • Of the recipients who responded requiring verification, the different types of identity verification requested.

We have shared the data regarding identity verification methods with the ICO, as this information is of value as the market begins to adopt common standards in identity verification.

Response vs no response


As a threshold issue, 29 recruiters read the email and ignored it – 19% of the total. We can measure who has received and read our request using our CRM technology. 67 (or 44%) of the total requests were ignored in the 30-day compliance period.

Response by 68 (45% of the total) with no further verification vs. verification

Verification vs. No verification

Of the recruiters who did respond to the SAR, 80% (or 45% of the total recipients) provided a response with no further verification of identity beyond reliance on the SRA number included in the email request. We would expect that, in line with ICO guidelines on SAR response verification, responders should ask to see supporting materials to verify the identity of the requestor.

Of the 17 respondents (11% of the total) requiring verification of the requestor’s identity: verification type

Verification type

In terms of the recruiters who did respond to the SAR and requested additional verification, we broke out the types of additional verification requested. Eight (or approximately half of those requesting additional verification) required photo identification before proceeding with their response. Others required either email confirmation from the SRA identified address, a letter of authority or a form (and in one case, confusingly, a utility bill!).

Our conclusions

One year after the adoption of the GDPR into law, broad swathes of the legal recruitment industry continue to show indifference to data privacy compliance. This is highlighted by:

  • Almost half the recipients failing to bother to respond to the request, which is a breach of GDPR. A further high proportion of those recipients did so after having opened the email, according to our systems, which suggests a decision was made to ignore the SAR.
  • Ten recipients (or 7% of the total) provided email addresses in their privacy policies that bounced back.
  • Of the 68 (or 45% of the total) that did respond, a high proportion requested more personal information be emailed to them in the form of a passport and driver’s licence.
  • Only 81 (or 53% of the total) responded satisfactorily within the statutory time frame.

What next?

Route1 recently took part in an event sponsored by AllHires dealing with data privacy compliance in recruitment, with fifteen law firm HR groups participating, and they were sadly unsurprised by the results. In fact, many of them expected worse levels of compliance, having received unauthorised CVs from several leading recruitment firms. As a result, they now request a confirmation letter from a candidate before accepting a CV from a recruiter. The implication is clear – recruiters can’t be trusted with your data, and the HR teams trust them even less! This is because they stand to lose more than a recruiter in the event of a data breach involving unauthorised personal data. The Marsh-sponsored Legal Business Risk Management Survey 2019, published in April 2019, listed 25 risk issues ranked according to impact by managing partners and risk managers of a number of leading law firms. Data privacy breach came top – above regulatory fines and adverse publicity resulting from sexual harassment claims.

However, our data shows that law firms continue to source personal data from agencies in a sector that are, based on this research, broadly failing to take their legal obligations as processors or controllers of personal data seriously. It will only take one disgruntled data subject whose CV is sent to a law firm without their consent to cause significant reputational risk to a law firm, and according to this research, almost half the industry are failing to comply with the most basic of GDPR requirements – to respond to a data Subject Access Request.

While firms continue to source personal data from agencies in a sector that is, based on this research, failing to take its legal obligations as processors or controllers of personal data seriously, it will only take one public data breach to cause significant reputational risk to a law firm.

According to this research, an unacceptably large proportion of the legal recruitment industry maintains a very cavalier attitude to GDPR compliance. So why don’t you help us to reinforce data compliance in an industry that makes money from your data, and go to TapMyData to make a SAR against legal recruiters who you think may have your data? You will be surprised how much is out there – if they disclose it. And if they don’t, then report them to the ICO. We will be.

Route1 is an award winning marketplace for legal talent. For any questions, please contact our Engagement Team or visit our Contact Us page for more information.


We have big ambitions to permanently change the way people hire and get hired, both in the legal and other white collar sectors, using GDPR compliant, content-rich, value-added recruitment techniques. We place transparency, charity, and candidate control at the heart of our model.

Route1 was founded in the UK in 2015 and is headquartered in London. Our founders and investors include experienced lawyers, digital entrepreneurs, recruitment consultants and HR professionals.
