By now, you’ve likely read Part 1 of GDPR is Coming; Is Your Recruitment Marketing Team Ready? If not, catch up and read it now.
In the first post I reviewed the basics of GDPR, its implications for Recruitment Marketing teams, and the looming deadline -- May 25, 2018!
Breathe! It's going to be OK. Read on for easy-to-understand, actionable steps.
Oh, This is Important! What Should I do Now?
Hopefully you now understand the importance of GDPR and the weight of non-compliance, but there’s some good news. As I mentioned previously, GDPR builds on previous generations of EU data privacy law. So chances are you have some of the foundational controls and constructs already in place.
Where you likely will need some review/adjustment is in how you’re targeting candidates, obtaining consent, disclosing data handling activities, and providing methods for candidates to delete their data.
Your data collection processes will most likely have to change a bit. Most talent acquisition teams run some form of targeted marketing campaign, whether general brand marketing initiatives or specific job marketing emails. Review your techniques to ensure you're not simply casting a wide net with email marketing, but instead executing targeted marketing to specific candidate personas based on relevant traits or data. This is what makes your activities defensible under the lawful basis of Legitimate Interest.
Legitimate Interest is a key concept for marketing teams (or recruitment marketing in this case), as it sets the criteria by which a company can legally target and market to an individual with the intention of collecting and processing personal data. It builds the basis for you to reach out to an EU citizen and request consent for further processing. An example would be sending a newly sourced candidate a marketing email asking them to join your Talent Pool, whereby they consent to your GDPR-compliant disclosure statement in the process. The relevant text is Article 6, provision 1(f), which states:
"(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
Under GDPR, unless you have a lawful basis you are not permitted to collect or process personal information at all. In the recruitment space this means you need either Legitimate Interest or Direct Consent. Even sending an opt-in email is processing, so you need a lawful basis such as Legitimate Interest simply to contact a candidate.
Many aspects such as the above have implications for your marketing processes, so where do you start?
Actionable Next Steps:
- Assume You’re in Scope - If you work for a global company, handle recruiting of EU citizens, or even have EU localized content as part of your recruitment marketing strategy you likely face some level of GDPR oversight.
- Undergo a Self-Assessment - Read the regulations. Overlay your recruitment and talent acquisition processes against the GDPR requirements. Look at your candidate data. Look at targeted countries. Educate your teams. Look at your sites and content. Do this before you pay a third party to perform a formal assessment or services engagement. If you have a Data Protection Officer or a designated individual, reach out to them for guidance.
- Review Disclosure and Consent Mechanisms - This is where you'll likely have work to do. Adjust marketing to include explicit consumer consent. Consent must be "freely given, specific, informed, and unambiguous". No assumed or implied consent. Separate activities should each include explicit consent, not one consent for all. Be clear about what you will use a candidate's data for and whether you will share it with any 3rd parties.
- Review Candidate Touchpoints - Consider all your touchpoints for candidate engagement and how you are disclosing your intent to market to, engage with, and use their data. This includes:
  - Media Engagement
    - Text campaigns
    - Advertised landing pages
    - Email campaigns
    - Social campaigns
  - Media Engagement
    - Talent Pools
    - Lead capture pages
    - Event landing pages
    - Career Websites
    - Special event capture technology (text, mobile apps, etc.)
  - Apply Processes
    - ATS Apply Pages
    - Apply Kiosks
    - Paper Applications
- Data Scrubbing - GDPR introduces provisions related to data relevance in conjunction with its "Right to be Forgotten" principle. This requires us to do a better job of relevant targeting of candidates and data subjects. Some data scrubbing and clean-up may be necessary to ensure activities like candidate engagement emails are relevant to the target candidate. To reduce the risk of complaints, ensure targeting and candidate databases are current and campaigns are accurately targeted. Consider initiatives to re-engage with your talent pool ahead of GDPR to nurture the relationship, giving candidates the opportunity to opt in to new and future content (with GDPR-compliant consent statements in the process).
- Vet Your 3rd Parties & Vendors for GDPR Compliance - Under GDPR, you’re not only liable for your direct data processing and handling, but also that of your 3rd party service providers and vendors. Make sure they are treating end user data with the same care and compliance that you are.
- Data Protection - The techy IT team stuff. Encrypt the data, restrict access, protect your machines and data centers, etc. If you already have PCI, ISO 27001, NIST, etc. controls in place, you are likely in compliance on this point, but verify.
- Professional Assessment - As you can imagine, GDPR regulations are at times general and filled with legalese. I recommend you start with an internal assessment and get your ducks in a row as best you can, knocking out all the foundational items and obvious changes that need to be made. After that, however, it's always advantageous to call in the experts for a final review/assessment. Individuals exist who focus solely on European data privacy law, and for good reason: GDPR penalties are so significant that you'll likely want to go with experience on this one. Call in the experts to check your work for added peace of mind as a final step.
Do not fret! GDPR can be overwhelming at first glance, but once broken down you will see that it's based on rather straightforward key concepts: disclosure, consent, transparency, secure handling, and end user choice.
Alignment with these regulations builds trust with your candidates, provides transparency into your intentions in processing their data, and helps them build a stronger relationship with your brand.