Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at firstname.lastname@example.org.
You will have to forgive us for this post – this is not an easy topic. The topic is quite broad and, as with most elements of the GDPR, takes a little thought and consideration.
Consents need to be considered as a key privacy factor across many elements of procurement business.
There are several ways we can discuss consents, but to demonstrate the complexity of the legislation, and some of the care that needs to be taken, we thought we would use a fictional human resource or temporary labour company in Europe.
If you have any doubts whatsoever as to the complexity of the legislation for this category of supplier, visit the website of one of the larger UK-based recruitment companies and enjoy a leisurely afternoon coming to terms with their privacy notice. All of them have had to:
- Map out where personal data is held – files, paper, spreadsheets, databases;
- Understand who they share it with;
- Centralise and control their access to personal data;
- Define the who, what, why, when and where of holding candidate data – and make that clear to candidates;
- Ensure candidates are informed of how their data is managed – stored and used;
- Provide consent to send their personal resumes to clients as needed – however, for differing clients, it is likely that individual consents will be required;
- If the recruiter provides psychological testing, be clear about how long those results are retained and how they are used.
For example, in 2016-17, the New South Wales government allowed psychological testing of candidates for key roles. However, the results of these tests were made available across all government agencies on demand – some 30+ of them. If this were Europe – and a breach occurred – it could be a costly exercise. Is the Government the agency – or each individual state agency or body? How data is used (and the associated consents) varies considerably across the globe. Ironically, the NSW Department of Industry has just issued a warning that candidates who may have applied for roles could have had their personal details exposed in a potential breach – a breach that may have occurred on a much wider basis.
For procurers, if temporary labour agencies are used (and consultants are in the same domain, whether they like it or not), many will insert contractor or employee names into invoices. As the initial consent to disclose and the offer of work would have been consent-based, this relies on all parts of the consent process working to specification. Perhaps that, as the old saying goes, could be a verloren hoop or “forlorn hope”.
With spend analysis data, recruitment agencies would no doubt use the legitimate processing clause – in combination with contractual processing requirements. No harm there we suspect. The customer would have the data – and for analysis purposes would need to review that data for contractual reasons. All seems sensible enough.
However, if you think about the number of if-then-else processes and sub-processes that need to comply, then statistically it will be hard to ensure that all consents are in place in a fast-moving business. At a later date, if a contractor submits a Data Subject Access Request, this could involve recovering information that an agency has supplied to the contractor's former employers – again, it is unclear. It could be made worse if relationships between agency and customer have broken down.
We don’t have the answers, sadly. However, it is almost inevitable that someone will fall foul of the legislation in a supply chain as complex and high volume as temporary labour. We shall see.