During March 2019, Route1 conducted a data privacy compliance survey of 152 legal recruitment firms in the UK, using Data Subject Access Requests (SARs) under Article 15 of the General Data Protection Regulation (GDPR). According to the Information Commissioner’s Office (ICO), recruitment remained the sector receiving the most complaints for marketing abuses in the four months following the GDPR.
We wanted to establish whether, after widespread adoption of GDPR compliant applicant tracking systems (ATSs) and customer resource management (CRM) systems by legal recruiters, they were now complying with the data privacy obligations under GDPR.
Identification of recipients
Our list of 152 recruiters was based on the largest agencies in the UK that focused on the legal sector, two data resellers who scrape personal data from law firm websites in order to sell it to recruiters (Legal Monitor and Revael), and one publicly listed non-legal recruitment firm to see how it compared (SThree).
SAR request content
On 6 March 2019, the following email was sent using our CRM email system, and identifying the requestor using his SRA number.
Subject: SAR request from SRA Number: ******
Dear Sir or Madam,
Subject Access Request
I am writing to you in your capacity as Data Protection Officer (DPO) for your organisation. I am making this request for access to personal identifying information (PII) pursuant to Article 15 of the General Data Protection Regulation (GDPR).
If you are not the DPO for your organisation, then please pass this communication on to them immediately, as failure to respond to this communication has legal consequences.
I am concerned that your organisation may be in breach of the GDPR as it pertains to my consent to you holding my PII, putting my PII at undue risk of exposure and/or breaching your obligation to safeguard my PII.
I confirm my identity by use of my SRA number: ******
I anticipate a reply to my request within one month, as required under Article 12 of the GDPR, failing which I will be forwarding my inquiry with a letter of complaint to the Information Commissioner’s Office (ICO). The ICO is aware that you will be receiving this communication.
Please address the following:
Is my PII being processed by you or any of your affiliates?
If so provide me with:
The categories of my PII you process;
What PII you process relating to me in your information systems, whether or not contained in your customer resource management (CRM) platforms, databases, e-mail servers, documents on your networks, or voice or other media that you store either on your electronic media or personal devices used by your employees;
Identify all third parties from whom you have obtained my PII as referred to in Article 14 of the GDPR;
Identify all third parties with whom you have shared my PII;
Advise how long you have stored my PII, and if retention is based upon the category of PII, please confirm how long each category is retained;
With regard to your employees and sub-contractors, please advise as to the following:
What technologies or business procedures do you have to ensure that individuals within your organisation will be monitored to ensure that they do not deliberately or inadvertently disclose PII outside your organisation or each sub-contractor through e-mail, web-mail or instant messaging, or otherwise; and
Have you had any circumstances in the past twelve months in which employees or contractors have left your organisation and taken my PII with them?
I hereby request that you desist forthwith from contacting me by telephone, email or any other method, and I expressly reject any assumption that to do so would support an attempt to create a “legitimate interest” basis for processing my PII under Article 6.1(f) of the GDPR.
Please be aware that if I receive any unsolicited communication from you or your affiliates following this communication, I will be notifying the ICO forthwith.
The following graphs show:
- Response vs no response rates within the 30-day period in which data processors and controllers must respond to a SAR under GDPR;
- Responders who required identity verification before releasing data vs those who released personal information without additional identity verification; and
- Of the recipients who responded requiring verification, the different types of identity verification requested.
We have shared the data regarding identity verification methods with the ICO, as this information is of value as the market begins to adopt common standards in identity verification.
Response vs no response
As a threshold issue, 29 recruiters (19% of the total) read the email and ignored it; our CRM technology lets us see who has received and read our request. In all, 67 (or 44%) of the requests were ignored within the 30-day compliance period.
Response by 68 (45% of the total) with no further verification vs. verification
Of the recruiters who did respond to the SAR, 80% (or 45% of the total recipients) provided a response with no further verification of identity than reliance on the SRA number included in the email request. We would expect that, in line with ICO guidelines on verifying SAR requests, responders should ask to see supporting materials to verify the identity of the requestor.
Verification type among the 17 respondents (11% of the total) requiring verification of the requestor’s identity
In terms of the recruiters who did respond to the SAR and requested additional verification, we broke out the types of additional verification requested. Eight (or approximately half of those requesting additional verification) required photo identification before proceeding with their response. Others required either email confirmation from the SRA identified address, a letter of authority or a form (and in one case, confusingly, a utility bill!).
One year after the adoption of the GDPR into law, broad swathes of the legal recruitment industry continue to show indifference to data privacy compliance. This is highlighted by:
- Almost half the recipients failing to respond to the request at all, which is a breach of GDPR. A high proportion of those non-responders had opened the email, according to our systems, which suggests a decision was made to ignore the SAR.
- Ten recipients (or 7% of the total) provided email addresses in their privacy policies that bounced back.
- Of the 68 (or 45% of the total) that did respond, a high proportion requested more personal information be emailed to them in the form of a passport and driver’s licence.
- Only 81 (or 53% of the total) responded satisfactorily within the statutory time frame.
However, our data shows that law firms continue to source personal data from agencies in a sector that is, based on this research, broadly failing to take its legal obligations as processors or controllers of personal data seriously. It will only take one disgruntled data subject whose CV is sent to a law firm without their consent to cause significant reputational risk to that law firm, and according to this research, almost half the industry is failing to comply with the most basic of GDPR requirements – to respond to a Data Subject Access Request.
Equally, while firms keep sourcing personal data from these agencies, it will only take one public data breach to cause significant reputational risk to a law firm.
According to this research, an unacceptably large proportion of the legal recruitment industry maintain a very cavalier attitude to GDPR compliance. So why don’t you help us to reinforce data compliance in an industry that makes money from your data, and go to TapMyData to make a SAR against legal recruiters who you think may have your data. You will be surprised how much is out there – if they disclose it. And if they don’t, then report them to the ICO. We will be.