Managing Data Compliance when Working with an RPO provider — Talent Works International
In the world of tech recruitment, as we all rely more on technology to manage applications and support the recruitment process, there are large amounts of personal data to contend with. With the rise of digital attraction and the vast majority of job applications now occurring online, recruitment is becoming a data hot spot. As people apply for your open vacancies, you’ll find you hold more of their personal information, including contact details and work history. To avoid a GDPR compliance breach, you need to ensure that this data is handled correctly and securely, and you must do your best to protect it. Your candidates need to know their information is in safe hands. If it gets out, it could be incredibly damaging to your employer brand, especially in tech recruitment, where data handling is a critical element of the day-to-day running of the business.
As an employer, you need to be trustworthy. This begins as soon as an applicant submits their details to you. Failure to comply with GDPR can mean significant fines, which are a risk for any business, but it can also mean you lose the trust of candidates and customers. After all, who would want to work for you if you can’t even protect their personal information? Therefore, you need to ensure that you’re up to speed on your compliance and data protection obligations when hiring talent.
At the same time, outsourcing the recruitment process is becoming more popular. Handing over the hiring of new talent to a contingent agency or RPO provider is a valuable way for scaling businesses to manage the challenges of hiring new teams while also trying to perfect their product, gain funding and grow the business. RPO providers manage the sourcing of candidates both directly and through digital attraction. They also screen candidates and help to find the most suitable people for the industry and job at hand. But what does this mean for data?
So what happens when you enlist the help of an RPO agency? Who becomes responsible for ensuring data protection compliance?
If someone else is involved in managing data, it complicates matters. Outsourcing recruitment means that two parties have access to the personal information of candidates. Many companies believe that handing over the recruitment process, even if it’s just some aspects, means that they also hand over any responsibilities regarding data. However, the fact remains that you cannot outsource all your responsibilities to a vendor. If a breach happens in your name, you are responsible.
So what is the relationship between data compliance and RPO?
When outsourcing your recruitment, you become the data controller or owner. The RPO provider becomes the data processor, processing on behalf of you, the client. This means that all data is stored with the client, whether in their ATS (which the RPO provider has access to) or another database. Therefore, everything should be held with the client.
Individual responsibilities and roles should be scoped out at the beginning of the project. Data teams from all parties can sign off the procedure and be confident that the handling of candidate data complies with data protection regulations. Both the RPO provider and the client’s in-house teams should know data protection rules and ensure they do all they can to stick to them. This knowledge also helps someone flag any possible issues as they occur.
As part of the onboarding process, an RPO provider should conduct a full review of the client’s data storage, hosting and GDPR compliance to ensure they can work with it and that all regulations are met. The two parties should collaborate and work together, but ultimately everything should be held with the client, as this is who candidates are actually applying to.
You need to map out where data is held and be very clear about it, allowing for a range of different scenarios. Creating a RACI matrix will enable you to establish who is responsible, who is accountable, and who needs to be consulted and kept informed.
An RPO provider will appoint a data protection officer to help ensure compliance but also to manage and log any breaches if they should happen.
Data Compliance in Digital Attraction
When an RPO provider is running digital attraction campaigns for a client, it can cause complications. For example, social media platforms and paid media don’t always integrate easily with an ATS. In addition, candidates consent to the client, who runs the social media accounts, accessing their data, rather than the RPO provider, which complicates things further.
In this instance, Facebook and LinkedIn store the data within their platforms, and only page admins have access to the information. If we manage campaigns on behalf of clients, we ensure that we implement two-factor authentication for these accounts so that only the correct people have access to the data. This can cause issues if specific people within either business are out of the office, but it’s always better to be safe than sorry with data protection. We then make sure that the data is not stored on our systems but in the client’s ATS or other databases.
We also ensure that ultimately the data is held with the client. Therefore, if we run email nurture campaigns on behalf of a client, they’re responsible for providing the data. As a data handler or processor, an RPO agency can access data without storing it on its own systems. Therefore, when it comes to digital attraction campaigns, we need to be even more careful that we’re hitting the mark and complying.
Originally published at https://www.talent-works.com on July 12, 2021.