Digitalisation is affecting companies that provide workforce solutions, including recruitment services, more than ever before. Shareholder value and business survival will increasingly be affected by the actions businesses take in this area.
Osborne Clarke’s Workforce Solutions and Recruitment sector teams have long been at the forefront of digital transformation and we know that many of our clients are already embracing the increasing automation of the recruitment process.
This new briefings series looks at the digital opportunities and challenges facing companies in those sectors. Reflecting what clients have been telling us, our briefings series will focus on the following topics, which we believe are most relevant to businesses in these sectors:
- Automation of business processes such as matching, selection, contract formation and payment – which is the focus of this briefing;
- M&A activity and the shift towards acquiring technology assets; what are the different issues you face when buying technology assets rather than people-based businesses;
- The arguably inevitable adoption of blockchain in relation to checking suitability of candidates, checking supply chain compliance, and ownership of work done; and
- The vulnerability of business to cybercrime, disputes with technology suppliers and data breaches.
In this first edition, we will be concentrating on automation, the effect of GDPR and compliance considerations in relation to data breaches. Please let us know if you have any suggestions for topics that you would like us to cover in future updates.
Automation of processes and the effect of GDPR
Clearly, Recruitment and Workforce Solutions businesses process a great deal of sensitive personal data. That is their key business activity.
This summer, there have been developments in relation to GDPR and data protection which will have a material impact on the automation of processes in the Recruitment and the Workforce Solutions sectors. Unless businesses get this right they will face the risk of huge fines. Even if you don’t get caught out, failing to design your processes to prevent problems in this area will materially detract from the corporate value of businesses. Osborne Clarke has published a number of briefings (see below) covering these.
In July, news of the ICO’s notices of intention to fine both British Airways and Marriott Hotels significant sums under GDPR gained significant publicity. There are some interesting aspects around the facts that:
- both entities involved have felt the need to make a market disclosure at this stage (which has triggered the ICO’s public statements much earlier in the process than usual); and
- one of the fines originates in a pre-GDPR corporate acquisition which illustrates the importance of data protection due diligence in M&A activity (especially where the target combines traditional recruitment services with a more technological offering).
The key point is that once upon a time un-provided-for tax liabilities or the sudden departure of a team of star billers was the main threat facing companies in these sectors. But now you really need to be on top of your GDPR risks as well:
Compliance systems and processes
The Recruitment and Workforce Solutions sectors have always needed to be alert to security and cyber security issues due to the sheer amount of data that they hold, but the move towards automation and technology solutions means that this is becoming even more important.
Aside from the reputational, contractual and business continuity risks associated with cyber breaches, the GDPR imposes a regulatory obligation to take “appropriate technical and organisational measures” to guard against inappropriate data use. Taking account of learnings from the BA and Marriott Hotels fines, this briefing explains what the GDPR standard of appropriate technical and organisational measures actually means – this was relatively unclear when businesses were getting GDPR ready last year.
The briefing also suggests the measures that you might want to consider taking now that things have become a little clearer.
One of the more challenging issues under GDPR is determining whether the sharing and use of data by two parties gives rise to a joint controller situation. This has led to all sorts of confusion in terms and conditions issued to Recruitment and Workforce Solutions companies by their clients. The European courts gave their latest decision on this in the Fashion ID case in July. We have set out our thoughts on the case and what it means in this briefing.
This is important as data sharing underpins many business models in the sector and this judgment could lead to you being held liable for a third party’s use of your data (for example, where you share candidate data or client or contractor data with an RPO company, managed service provider or financial services provider).