Speaking with candidates is one of the key parts of any recruiter’s day. And there are an ever increasing number of channels available for us: from text messages and WhatsApp, to LinkedIn and (for some) Facebook.
However, following the implementation of the GDPR last year, recruiters need to be aware of the pitfalls they face when they contact and engage with candidates – especially over WhatsApp, LinkedIn and Facebook. It’s very easy to cross the line drawn by the GDPR and the problem spans both data security and regulatory compliance; breaching either could lead to big fines.
If you are speaking to a candidate “off grid” (outside your ATS, on a personal channel) then that contact, and the personal data it produces, needs to be logged, recorded and monitored. This can be a very hard thing to do in practice.
A quick example:
- You contact a candidate on LinkedIn
- They want to arrange to speak. Great!
- You then get their phone number
- You text the candidate to arrange to talk and, during the call, they give you their email address
- You then send them the job description and they return their CV
Right away, you have a lot of their personal information on different platforms: your phone, email and LinkedIn. This data might include a candidate’s phone number, email address, home address, date of birth, nationality, salary, and so on.
Yes, you may have added all of this to your ATS (which hopefully is GDPR-compliant) but what do you do with the personal information on your phone and LinkedIn after this point? When does it get removed? How do you remember it’s there? What happens if you move companies?
Ideally, of course, the consultant would be using a work phone for text messages, WhatsApp conversations, and phone calls (using personal phones is a whole different exercise in compliance…). But what policies do you have in place for an employee’s LinkedIn? It’s your responsibility to know what information you hold, when it was received, how it is stored, who has access to it, what the retention policy is, how it is processed, and so on. Even just having a name and number in a phonebook needs to be known.
It can turn into a huge headache – maybe not immediately (there are plenty of companies who just put their heads in the sand!), but if you receive a Subject Access Request, which must normally be answered within one month, how do you map the information across every phone, inbox and LinkedIn account and be sure you have it all? How do you comply with your data protection policy? What happens if that mobile phone is lost? Or the LinkedIn profile is hacked? Either one is potentially a personal data breach, and a notifiable breach has to be reported to the regulator within 72 hours of becoming aware of it.
It’s much easier to lay the foundations for compliance and have proper procedures from the start, than to play catch up at a later date and risk an investigation with the potential for huge fines.
GDPR – it’s not over. It’s here to stay.
Is your recruiter compliant? Maybe you should ask…
The Route1 Team