Hiring and Recruiting in a Post-GDPR Era


Now that the EU General Data Protection Regulation (GDPR) is in effect (as of May 25, 2018) the time to be proactive has passed. Companies must now focus on compliance with the regulation, particularly in HR and recruiting, which rely heavily on candidate data.

GDPR Recruiting & Hiring Recap

To recap, the GDPR was designed as a replacement for the Data Protection Directive 95/46/EC with the purpose of reconciling country-specific and sometimes conflicting European data privacy laws. Most importantly, it aims to change the way organizations operating in the EU, or those collecting personal data from EU residents, approach data privacy. It also harmonizes data protection regulations throughout the EU, in theory making it easier for American companies to comply. However, the new regulations mean it is now unlawful to use an EU resident’s data without his or her explicit consent.

It’s important to note that the GDPR isn’t just about companies who hire in the EU. It’s also about employers who are employing EU residents wherever they may live. The GDPR applies worldwide as to any company that offers goods or services (even if they are free) within the EU or collects, processes, or maintains (anywhere) personal data about European residents. Recruiters are going to need to restructure candidate engagement, sourcing and recruiting programs that focus on candidate data, recruiting and HR technology, and refocus on building compliant candidate and employee relationships.

How GDPR Impacts You and Your Recruitment Vendors and Technologies

From the application process to background screening, companies recruiting or employing EU residents must adhere to strict regulations with regard to data. Under GDPR, you are required to ask for explicit consent, clarify how you will use each candidate’s data, and make sure that the data remains secure. This involves more than simply adding a clarification and a checkbox to data collection forms. Your vendors, such as your ATS, payroll, and recruiting software, must also be GDPR compliant.

GDPR introduces direct obligations for data processors for the first time. Processors will also now be subject to penalties and civil claims by data subjects. This means that, if you haven’t already, it’s imperative that HR and recruiting leaders speak with and understand if their vendors and partners are taking steps to be compliant with GDPR.

Below is a short list of questions that you should ask your vendors and partners in relation to GDPR compliance. It’s imperative that your HR technology vendor is compliant with the new regulations, and that you understand who carries liability for violations and noncompliance.

  • Have their contract terms changed with GDPR?
  • What level of consent do they seek when applicants submit their data?
  • What is their process for collecting, storing, and deleting data?
  • What is their timeline for automatic deletion, and under which circumstances and for which data types?
  • What is their documented retention period for keeping data?
  • What processes exist to keep data up to date?
  • Have they appointed a data protection officer?

Do You Need a Data Protection Officer?

In relation to the last question above, Section 4 of GDPR outlines the requirement for applicable entities to appoint a data protection officer (DPO). According to Article 37(1), data controllers and processors shall designate a DPO where:

  (a) The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  (b) The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  (c) The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

Most firms required to appoint a DPO would fall under subparagraphs (b) and (c). Article 39 outlines five minimum tasks that the DPO must perform:

  1. Inform and advise firms and employees who carry out data processing on applicable data protection provisions
  2. Monitor compliance with the GDPR, other data protection provisions, and additional internal data protection policies; this includes training and auditing
  3. Advise on data protection impact assessment (DPIA)
  4. Cooperate with the supervisory authority
  5. Serve as main contact for the supervisory authority

A word of caution: In many cases the business can be both data controller and data processor. However, because the GDPR makes the distinction, we’d like to consider the shared responsibility of both parties.

Companies that determine the purposes and means of processing personal data are controllers, regardless of whether they directly collect the data from data subjects. For example, a recruiter (controller) collects the data of candidates when they apply for a job, but your recruiting technology (processor) stores, digitizes, and catalogs all the information. These processors can be ATSs or full-suite recruiting software companies. Both organizations (controller and processor) are responsible for handling the personal data of these candidates.

Recruiting Strategy Changes Post-GDPR

Because short-term recruiting programs, or what we refer to as “reactive recruiting,” will come at a price due to the GDPR, HR teams must focus on building candidate relationships and providing value for the long term. The value of building relationships, sharing information, and providing resources will be more important than ever in order to engage and recruit candidates.

Related: GDPR Compliance in the Background Screening Process

If you’ve already begun adapting your recruiting model to GDPR compliance, you’re probably ahead of other companies when it comes to compliance and hiring. The consulting firm Gartner estimates that more than half of the companies that are subject to the GDPR will not be in compliance throughout this year. They will be at risk.

If you’re in the half that is not yet compliant with the GDPR, consider it an opportunity to revamp your current practices and candidate outreach.

HR is already tasked with a lot of compliance responsibilities, many of which are not of its own making. It can be process-driven and this might be a great time to consider splitting the department into two areas: compliance (the processes) and HR (the human side), or clearly defining when to use technology, and when to put people back into the mix. With the right balance, HR teams can be more productive, more engaged, and use the human element to attract and retain top talent.

And yes, the GDPR is primarily about data. But it’s also timely to note that at the heart of appealing to candidates is that humans don’t want to BE data; but they do want more control over how their data is used. A phone call or personalized response can mean the difference between considering a role at your company or moving on for a candidate.

The solution to adapting your recruiting and hiring processes isn’t more technology; it’s better technology that has data compliance and support in mind. When it comes to GDPR in recruiting and hiring, your tech should not only comply with new regulations, but also support the broader mission of the recruiting and hiring side of your organization. This gives you the peace of mind on the compliance side allowing you to focus on improving your hiring processes and candidate quality.

When it comes to pre-employment and post-employment background screening, Cisive is GDPR compliant. If you are an existing Cisive client and have questions concerning GDPR compliance in your background screening program, please contact your Cisive Customer Service Representative. For those of you who have not yet experienced the benefits of Cisive and are interested in learning more, please call us at 1.866.557.5984.

Rob Jones
VP and General Manager
Global Executive Intelligence Division


The Impact of the Extended Senior Managers Regime on Screening Requirements

The Senior Managers Regime (SMR) is part of the UK financial regulation introduced by the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) and is aimed at increasing the personal accountability of senior-level people in the financial services industry. The SMR was initially implemented in the banking sector after the 2008 financial crisis, considered the worst economic crisis since the Great Depression. The SMR’s purpose is to reduce consumer risk and strengthen market integrity by holding financial services managers in senior positions accountable for their conduct and competence. The SMR covers both domestic and international firms with UK operations.

The FCA’s expanded scope of SMR requirements will go into effect May 2018, and extends beyond the banking industry to include insurers and solo-regulated firms. Some facets of the current banking regime will also be affected. This will significantly increase the number of firms required to comply and bring an end to the current Approved Persons Regime (APR).

Individuals working in a ‘Senior Management Function’, as defined by the FCA, must be approved by the FCA before taking on the responsibilities of the role. In addition, firms will need to ensure the suitability of the Senior Manager by completing a ‘fit and proper’ assessment.

As a result, firms need to certify at least annually that senior managers are suitable to perform their job functions. It is proposed that firms should perform criminal record checks for each Senior Manager and obtain a ‘regulatory reference’ from the Senior Manager’s previous firm.

At Cisive, we are experts in the specific risks and regulations that apply to regulated industries. For many years, we have provided tailored solutions to meet the unique requirements of our financial services clients.

In 2017 we opened an international operations centre in London, England to manage our global screening business. We recognize the specific challenges that our clients with a UK presence face, from managing Brexit contingency planning, to implementing General Data Protection Regulation (GDPR) compliant procedures, dealing with MiFID 2, in addition to preparing for SMR changes.

At Cisive we are prepared for the extended SMR and GDPR regulations and will contractually support you as a data controller in the background screening process. As a data controller, we will stand alongside our clients and assume responsibility for implementing and managing employee screening procedures in compliance with GDPR.

Cisive has rolled out a suite of SMR specific screening solutions to help ensure efficient and effective application of the new regulations. Our Senior Manager Regime solution includes:

  • Digital, touch-free inbound and outbound Disclosure and Barring Service checks for basic and standard disclosures
  • Continuous criminal monitoring service
  • FCA ‘fitness and propriety’ package
  • Regulatory reference regime compliant service
  • Education and employment checks performed by our UK-based team
  • Full GDPR compliance and indemnification

If you are a financial services institution providing financial services in the UK, any and all employees considered senior decision makers fall under the scope of the new regulation.

With more than 40 years of experience, Cisive offers the most efficient and effective solution for the financial services industry.

For more details or to further discuss how Cisive can help your organization meet the extended requirements of the GDPR and Senior Manager Regime, please contact us at +1 866-557-5984 or email info@cisive.com.
Rob Jones
VP and General Manager
Global Executive Intelligence Division

GDPR Compliance in the Background Screening Process

The General Data Protection Regulation (GDPR) will become enforceable on May 25, 2018. Will your pre- and post-employment background screening processes be GDPR compliant?

Join Cisive for a live webinar, “GDPR Compliance in the Background Screening Process,” on Thursday, March 15 at 1:00 pm EST.

Rob Jones, General Manager, Global Operations in London, will discuss the different areas of recruiting and hiring that GDPR impacts, including background screening, candidate experience and sourcing. He will also touch on compliance requirements for the extended Senior Manager’s Regime (SMR).

Both of these regulations will place additional burdens on employers and significantly increase the importance of compliance.

Don’t miss the exclusive event on GDPR compliance! Cisive can help you efficiently and effectively apply the new regulations.

Register today!

Robert Jones, VP and General Manager, Global Operations
Rob Jones joined Cisive in 2017 and leads their global operations and executive intelligence division from their London office. Prior to joining Cisive, Rob held a leadership position with a specialist global risk management consultancy. In this role, he developed and implemented risk assessment, due diligence, and compliance programs for Fortune 100 corporations operating internationally.

Rob Jones
VP and General Manager
Global Executive Intelligence Division

Update on Medical Services Background Checks in New Mexico

On March 8th, New Mexico Governor Susana Martinez signed S.B. 98, which amends sections of the New Mexico Emergency Medical Services Act to provide for criminal history background checks for individuals applying for licensure to provide medical services. The bill also states that an applicant or licensee whose license is denied, suspended or revoked, or who is otherwise disciplined based on information obtained in a criminal history background check, shall be entitled to review the information and to appeal the decision.