How Your Employee Referral Process Could Lead to Legal Liability

Tawfiq Abu-Khajil
April 11, 2024
What is Legal Liability?
Legal liability is the obligation to comply with laws or agreements and to face the consequences of breaching them. It can involve lawsuits, penalties, and damages arising from violations or negligence.

In today's digital age, data privacy is paramount. With stringent regulations like GDPR and CCPA in place, every aspect of business operations, including the employee referral process, must adhere to data protection laws. Surprisingly, many companies overlook the potential non-compliance of their referral systems, inadvertently putting themselves at risk of legal repercussions.

Today, most companies have a manual form or a referral capturing system that allows their employees to submit a candidate’s information to refer them for a job, which then triggers an email or text message to that candidate. However, this process could be in non-compliance territory for several reasons.

1. Lack of Candidate Consent

One of the fundamental principles of data privacy laws is obtaining consent from individuals before collecting their personal information. In employee referrals, the traditional manual form or system, where a candidate's information is submitted without their explicit consent, raises concerns: the candidate may not have authorized the storage or processing of their data, potentially violating data privacy regulations.

2. Unauthorized Communication

Moreover, if the referral process triggers an automated email or a text message to the referred candidate, it could further exacerbate the compliance issue. Sending unsolicited communications without prior consent not only violates data privacy laws but also undermines the trust between the candidate and the company. 

Furthermore, in the context of text messages, the use of this communication channel without explicit permission may also violate telecommunications regulations, compounding the compliance risk. Similarly, if the recruiting team contacts the candidate via phone without prior consent, it constitutes unsolicited communication and poses a risk of non-compliance.

3. Ignoring Do Not Contact Requests

A critical but often overlooked aspect of data privacy compliance is respecting candidates' preferences regarding communication channels and opt-out requests. In some cases, talent acquisition teams may not be aware of a candidate's inclusion in other departments' "do not contact" lists. This lack of awareness can inadvertently lead to contacting candidates who have explicitly requested not to be contacted, resulting in breaches of data privacy regulations and potential legal liabilities.

Finding a Solution

To address these compliance challenges comprehensively, companies need to revamp their employee referral process with data privacy in mind. One effective solution is deploying a referral platform that enables employees to share unique referral links directly with candidates, rather than submitting the candidates' information themselves. This approach ensures that the referral originates from the employee, not the platform, thus mitigating privacy concerns. The candidates then fill in their own information and accept your privacy policy.

Employee referral solutions such as Eqo exemplify this approach, empowering employees to refer candidates securely and compliantly.

What About “How Did You Hear About Us?” on the Application?

Yes, this might solve the compliance and legal issue, but it leads to another one: it captures only referrals who apply, so you miss out on thousands of referral leads. We dive deeper into this topic in a separate article.

PS: This article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only.

