In my last article I explored the role of a recruitment sourcer. It’s an innovative and constantly evolving part of talent acquisition and is positioned at a critical moment in the recruitment process where a candidate's personal information is processed for the first time.


Recruitment is often talked about as a whole, but an essential part of the process is in discovering that a potential candidate exists in the first place and that often comes down to the role of a sourcer. Because sourcers are often the first point of ‘processing’ involving the potential candidate’s information, they are also an important part of getting compliant data processing right, from the start.

Over the last year I’ve been involved in helping some in recruitment prepare for the General Data Protection Regulation and adapt how they do business to cater to the new realities that it brings. What I’ve found is that there is a strong desire to do the right thing with personal data and that overall, recruiters are embracing the introduction of GDPR as an opportunity to formalise best-practice within their businesses, make changes where needed and get on with the task of finding people their next great job. And that's exactly as it should be!

The Data Protection Prime Directive

So what changes for sourcers under the GDPR? With sourcers often being the first contact that a business has with a prospective candidate, it’s important that they get data protection compliance off on the right foot. In Star Trek lore 🖖, there is the Prime Directive – the guiding principle that should be followed when encountering new civilisations. With the GDPR, there are the Data Protection Principles – prime among them being Lawfulness, Fairness and Transparency; and it’s here that sourcers play a key role.


Data Protection Principles

To process and ‘use’ an individual’s personal data there needs to be a lawful basis. Often, when it comes to the first contact of an individual with the sourcer, where the person has not given their information directly to that sourcer, that basis will be legitimate interest. None of the others will cover it – not Consent, Contract, Vital Interest, Public Interest or Legal Obligation – legitimate interest is the only one with legs. But it’s not a band-aid or get-out-of-jail card. Legitimate interest processing comes with its own obligations.

GDPR Lawful Bases for Processing Personal Data

Recruiters will often be processing under varying lawful bases ranging from Contract to Legitimate Interest or Consent depending on the purpose of processing.

It’s not as simple as saying that it’s in the “legitimate business interest of the recruiter or sourcer” to process this personal information and away you go. The interest of both parties including the individual concerned needs to be considered and context is key.

A component of a legitimate interest assessment


What is the context in which you are collecting the personal data? Is it from LinkedIn, a personal blog with content that the prospective candidate posted that is related to the job you are hiring for? Or did you come across this person’s Instagram account and want to reach out and see if they might, on a long shot, be interested or have any of the skills required for a job you are sourcing for? You can see where one context may make more sense over another.


The business should perform a Legitimate Interest Assessment for the various categories of contexts that it sources from. This helps to be accountable under GDPR (one of the Data Protection Principles), by documenting the decision-making rationale should it ever come to an audit. The fact that you are processing in this way should be made available to the candidate at the earliest opportunity, and not later than one month from the first processing of personal information that you didn’t directly collect from the candidate. This is covered by Article 14 of the GDPR. Sourcers should have workflows in place to support this notification obligation.

Use it or lose it – the clock is ticking from when you first process the personal data. Reach out, say hello, inform them why and how you are using their data and give them the opportunity to object. Don’t leave their personal data gathering dust. If they do object to you processing, facilitate that objection, make sure you can respect it, remove their data and move on.

Another consideration that a sourcer may have relates to their company’s function in providing this element of the recruitment process. Examples of the types of sourcers may be:

  • In-house sourcers – working within the hiring company and sourcing directly for that company;
  • Agency sourcers – working within a recruitment agency, fulfilling jobs for external Hiring Managers while also building a talent pool for the agency;
  • Agency sub-contracted sourcers – contracted to source candidates either directly by a hiring company or by another agency.

Depending on which sourcing bucket you fit into, you can be considered a data controller, a data processor or a sub-processor. This is important because if you are performing processing for the purposes of, and on the instructions of, someone else (i.e. the data controller), it is they who have the notification obligation to inform the candidate and you who may be facilitating it.

While you may initially be processing based on Legitimate Interest, I wouldn’t recommend continuing to process on that basis. Once a candidate is notified of the initial processing, a more appropriate basis of processing should be gained. Often in recruitment, the most appropriate is consent or contract, depending on the purpose (e.g. to add to a talent pool and be considered for future roles – consent, or to apply for a specific role that you have in mind - contract). This stage often goes beyond where the sourcer may be dealing with a candidate and so may be left to a recruitment consultant to fulfil if that’s the nature of how the business works.

Review your toolkit

As a sourcer you naturally use many tools to gather and process personal data. One of the key parts of any compliance program is reviewing the suppliers and third parties that the business uses to process personal data. With the introduction of GDPR, we have seen some services and providers limit their operations, shut their doors to EU individuals or completely shut down in response to GDPR (goodbye Klout, hello Skorr). Processing personal data in compliance with the regulation extends to ensuring that the third-parties you use to facilitate your service have given assurances (review privacy statements, terms of service agreements, data processing agreements) that they process the personal data you share with them in a compliant manner.

Key to facilitating compliance at scale is using systems that support you realising individuals’ rights. If you use an ATS/CRM to keep track of and manage the individuals that you source, review the application for any GDPR compliance features that the vendor has added. For example, I mentioned that often initial processing may take place under legitimate interest – vendors should support alerting you within one month if you have not notified the candidate or gained permission (i.e. a further lawful basis) to process their information for the purposes that you want to. Some vendors are assuming legitimate interest for all processing and I think this is the wrong way to go. They should be enabling you to capture and work with the model that you determine is suitable for your business. In many cases, this will involve recording differing lawful bases at the different stages of the recruitment process. If you don’t see any GDPR features in your ATS it may be that they need to be switched on for you to use. Look at the documentation or ask your vendor. Sometimes they are turned off by default because they may be a US vendor supplying to a primarily US audience. Still no GDPR features? – it’s time to move!

The sourcer is there at a critical step in the recruitment process both for the candidate and as an ambassador for delivering on the spirit and letter of the law of data protection. They are on the front line of data protection for recruitment.

These are just a few of the considerations that sourcers, and by extension – their business, have when complying with the GDPR. It needs to form part of a wider compliance program within the business. The sourcers’ role is an important one – they are skilled head-hunters, there at a critical step in the recruitment process both for the candidate and as an ambassador for delivering both the spirit and letter of the law of data protection regulation. With the right support from the business, sourcers can continue to work their magic.

Hello Recruiters and Sourcers!

I work with recruitment agencies and HR professionals to design a compliance programme to meet data protection regulation requirements. We begin by identifying current gaps and work with you to adapt business processes and procedures to enable compliant data processing.

I also work with recruitment software vendors, to develop a Data Protection by Design approach to product development that enables cost-saving decisions to be taken early in product planning. I can help put the processes in place that support the evolution of your product at critical stages when risk assessment should be performed.



Alan Mac Kenna


Web Development & Data Protection Specialist


About Alan Mac Kenna

I write about various topics including Content Management Systems, Data Protection, Software Development and Recruitment & HR Tech.

