Recruitment, how automated should you get? Part 3
Legal risk
In our blog series so far, we’ve looked at basic know-how around automated decision making in recruitment and vendor risk management. In this last blog of the series, we’ll cover some of the more specific data protection provisions that organisations will need to consider when onboarding automation into a recruitment process.
In our first blog, we mentioned that even without any automation, the UK GDPR and the Data Protection Act 2018 provisions would come into scope for a recruitment process. This extends to all six data protection principles and the lesser-known seventh principle of accountability and record keeping. Remaining in a position to achieve and demonstrate application of the principles will at times be intertwined with the vendor relationship. The recruitment process often involves processing information about protected characteristics, special category data and criminal offence data, requiring heightened risk awareness and management. Further, relying on the lawful basis of consent can be tricky in a recruitment/employment context. It’s important to seek advice internally and/or externally. The data protection legislation also imposes a series of legal obligations upon data controllers (and, to a lesser extent, data processors).
Our top ten legal risk management tips include:
- Apply due diligence in vendor selection.
- Carry out a data protection impact assessment (including AI risk assessments).
- Apply a “privacy by design and default” approach to the process and the technology.
- Ensure compulsory data processing contracts are in place.
- Consider data sharing agreements for systematic arrangements.
- Allow adequate resources towards security, data breach avoidance and response management.
- Train staff, evaluate and improve processes towards recognising data subjects’ rights requests, and the response requirements.
- Carry out transfer impact assessments when necessary.
- Update your organisation’s record of processing activities.
- Keep documented evidence of compliance.
Automated decision making and profiling in connection with recruitment fold in additional provisions, information requirements, exceptions and prohibitions which will inform the design of an organisation’s recruitment process so that it is feasible and within risk appetite. Mills and Reeve offer experienced teams in data protection (and other laws that come into scope) across the public and private sector and can assist with legal advice, data breach response, subject access requests, DPIA reviews, process design and training.
If you would like to know more, please contact the author or your usual Mills and Reeve contact.