Recruitment, how automated should you get? Part 2
Vendor risk
In part one of our blog series on automated decision making in recruitment, we highlighted the headline legal provisions, and the balance needed between tech and human input. Here in part two, we’ll look at vendor input. Unless an organisation wanting to automate its recruitment process can develop its own software, it will be sourcing the tools from a vendor.
In the data protection world, vendors will be data processors, data controllers, or joint controllers. Sometimes it is a bit of a mixed bag depending on how they operate and how customers and vendors interact with their platform and the personal data. Each data protection status carries its own liability profile, so taking an interest in the risk profile of a vendor early in the procurement process is the first step towards managing risk and legal liability should things go wrong.
Our top 10 vendor risk management tips:
- Get to know your organisation’s procurement and due diligence process. Engage legal and/or privacy teams early and consult the Data Protection Officer if one is appointed to the organisation. Don’t get sucked into a narrow bottom dollar negotiation approach; good groundwork done here will impact (and potentially avoid) liability exposure should things go wrong.
- Be wary of vendor golden promises and look under the hood. Software involving AI capability will require awareness of the demographic groups a model was trained on, the detection of underlying bias, and whether and how algorithmic fairness testing is conducted. This will require periodic input and checking throughout the deployment of the tool.
- Test and audit the tool before purchase, before deployment, and during use.
- Get acquainted with configurable controls, remove unnecessary high-risk automation, and select the least privacy intrusive alternatives where possible. Ensure privacy-relevant updates are not applied on autopilot.
- Ensure individuals are provided with the right information at the right time and understand whether and how individuals can exercise their data protection rights.
- Try to avoid over-reliance on one provider and build in agility planning to minimise risk and business disruption if something starts to look "iffy". Part one of this blog series introduced the potential cost of something going wrong.
- Think about ethical, reputation and PR aspects. Auto-releasing unsuccessful candidates from the process may be efficient, but think about how this aligns with the corporate image or social impact goals of the organisation.
- Ensure contracts are in order. While contracts make good business and financial sense, they are also a legal requirement in some data protection situations. Don’t miss the memo on this one!
- Carry out a ‘data protection impact assessment’ meeting UK GDPR requirements. Relying entirely on a vendor’s risk assessment is unlikely to be appropriate although vendors can and should assist with the DPIA.
- Be clear about what the vendor does with personal data and with whom it is shared.
Next up in part three, tune in for the important legal obligations - Mills & Reeve have got this covered!