If you’ve been discussing GDPR with pretty much anyone who works in recruitment recently, it’s likely the topic of deciding when to use consent and legitimate interest as your legal bases for collecting, storing and processing data will come up.
And whilst there’s no right or wrong option with this one, there are more appropriate bases to go for in different circumstances. Therefore, it’s a good idea to take some time to better understand what consent and legitimate interest actually look like in a recruitment context, so you can make more informed choices for your business.
So, first thing's first...
What are consent and legitimate interest?
Consent and legitimate interest are two of the six legal reasons that businesses are allowed to gather and process personal data under the GDPR (the other potential reasons being contract, legal obligation, vital interests and public task). The reason why consent and legitimate interest are the only legal bases that recruiters tend to talk about is these are the ones that most commonly apply to the sector (except perhaps your contractual rights to hold records of any candidates you place).
Deciding which legal basis to rely on in different areas of your business when gathering, storing and processing data as a business can be tough: One isn’t necessarily ‘better’ than the other, but it’s true that one is likely to be more appropriate than another when considering the different methods of processing a candidate's data. Therefore, it's a good idea to begin thinking carefully about your processes and which legal basis will be best suited.
Understanding consent in recruitment
Consent is the most straight forward of the two legal bases in the sense that it’s clear what you have to do to obtain it and it’s easy to demonstrate when you’ve been given consent to use someone’s data. But whilst it’s pretty clear cut what’s needed for consent, putting your strategy into practice in order to obtain it in the first place can be less straight forward.
Obtaining consent in a recruitment context means allowing the candidate to have complete control over whether they choose to share their personal data with you, what they share with you, and what you’re then allowed to do with the data that they share.
And when you think about it logically, there’s very little point in having a candidate’s details on record when they don’t want you to have it: What use is the data to you if you can’t do anything with it?
What consent looks like in recruitment
CONSENT AGREEMENT CLAUSE
WHAT THIS LOOKS LIKE IN RECRUITMENT
Why you’ll be storing their data
To help them find a new job
What you plan to use it for
To match them with a suitable role/ employer
If you’ll be sharing with third parties (and who they are)
Pledge that you’ll notify them before sharing their data with any employers (and who they are)
That they have the right to be removed at any time
That they have a right to be forgotten (removed entirely from the company database)
Consent is a good option to go for if you’re able to offer candidates genuine control over their data, and having a candidate portal on your website that’s connected to your database is one way of offer complete transparency with this. By having a system in place where every candidate who enters your system does so by creating their own personal portal, you’re putting the power back in their hands to control their own data.
With a candidate portal, you give candidates a platform through which they can choose what data they share, who they want to share it with (and who they don’t!), and are able to request to remove themselves from your database at any time.
What to watch out for with consent
There are also a few potential pitfalls to bear in mind when using consent as your legal basis for processing data in recruitment.
For a start, if you have to change your privacy terms to make them GDPR compliant, it’s inevitable that you’ll need to ask your existing candidates to re-consent under your new policy. Explicitly asking for consent is likely to make it harder to achieve, and asking existing candidates to re-consent under new terms could result in you losing contacts.
However, it wouldn’t make sense to just give up on using consent because it seems difficult – you just need to think about segmenting your candidate’s permissions and genuine desire for getting in touch with your company so that your legal reasons make sense.
Understanding legitimate interest in recruitment
The main premise with using legitimate interest as your legal basis for processing data is that you’re able to demonstrate that you’re using a candidate’s data in a way that a person would reasonably expect and where there is a valid justification for their data being processed.
Legitimate interest is certainly a more flexible option than consent, and you wouldn’t be the first to jump at the idea of not having to go through any re-consent process if you can avoid it. But the issue with legitimate interest is that it’s a lot less straight forward than consent, and as such could leave you a little more open and vulnerable to making errors.
What legitimate interest looks like in recruitment
In order to establish whether you can legally process a candidate’s data under legitimate interest, you first need to perform a balance test or ‘Legitimate Interest Assessment’.
There are three main questions to ask when performing a Legitimate Interest Assessment:
- What is the legitimate interest that you have to process the data?
- Can you show that processing the data is necessary in order to achieve what you need to do?
- Could processing the data affect the rights or freedoms of the person?
Put in this way, legitimate interest looks like a no-brainer for recruiters – we have a legitimate interest in processing a candidate’s data in order to help them find a job!
When relying on legitimate interest as your legal basis, you’ll need to have a privacy statement on your website that states the following:
- That you’re relying on legitimate interest as your legal basis
- What the legitimate interest is (i.e. to help them find a job).
Once you've updated your privacy statement, you'll need to send this out to everyone on your database to notify them of your new policy and include a clear unsubscribe option.
What to watch out for with legitimate interest
As you might expect, there are still some questions regarding how you would use legitimate interest in recruitment that remain unanswered. For example, what happens if a candidate is unsuccessful in the role that they applied for, which was the sole reason you were relying on legitimate interest to process their data (if the placement isn’t made, you technically have no legal right to continue holding that data)?
The ICO states that legitimate interest “can be relied on only to the extent that the processing is necessary for the purpose of the company’s legitimate interest” and nothing more. Does this mean an agency can only store or process a candidate’s data for a particular role they’ve applied for if that is the only reason the data was originally obtained? Or would it be reasonable to say that your legitimate interest is in guiding the candidate throughout their entire career? More than half of all UK employees will change jobs every three years, after all!
And how does legitimate interest work when you’re reaching out to new candidates? Can you reasonably claim to have a legitimate interest to contact someone who’s not already on your database as you’re “going to help them find a new job” when there’s no existing relationship, and you can’t even be sure this person even wants to find a new job? Having a legitimate interest doesn’t automatically entitle you to use a candidate’s personal data.
So whilst legitimate interest could be a good route for recruiters to go down, it’s important that it’s not just used “on the basis that it is less constraining than the other grounds” (Article 29 Working Party). It’s not a get-out-of-jail-free card!
Segmenting the candidate experience
In practice, the first thing you’ll probably want to think about when considering your legal bases is what the candidate journey looks like at your company. You can then segment the journey into its various different processes and think about which of the legal bases suit these processes best.
Our CEO Wendy made a nice suggestion regarding how segmented processes could look on recruitment websites under GDPR that I thought could be useful to share. She proposed a declaration on your website stating something along the lines of “We have reviewed the purposes of our processing activities and selected the most appropriate lawful basis (or bases) for each activity.”
This segmentation of activities could look something like the following:
- Processing an application for a job - legitimate interest
- Searching to fulfil the needs of the candidate for a wider role or employer - consent
- Placing a candidate – legal.
Whichever options you choose, remember that your lawful basis for processing personal data and the reason why you’re processing should be made clear on both your job application workflow and in your candidate registration journey.
If you’re feeling overwhelmed – don’t worry! It’s inevitable that discussions on this topic are likely to raise more questions than they will answer them at this stage, but things should become a lot clearer in due time.
And remember that at the heart of both consent and legitimate interest where recruitment is concerned is the idea of fairness and transparency for the candidate, and this can only mean good things for the future of the industry, and for your business.