Given the continuing advances in technology, it is not surprising companies are using new ways to target potential employees.
One of these catching our eye these days is “geofencing.” Recruiters are now borrowing this technique, which has been honed by digital marketers and social media platforms to get advertising, marketing and brand messages to hyper-focused audiences.
The idea behind geofencing is simple, even if the technology that powers it is complex. You set up a virtual perimeter around a particular geographic “zone,” whether a specific zip code, neighborhood or business area. Once individuals enter the zone, they receive specific messages or advertisements on their cellphones or tablets.
Increasingly, companies are using geofencing to locate and attract specialized talent. A company might buy a database of potential recruits culled from online profiles or educational records and then set up geographic zones where the coveted recruits work or live. When someone with relevant credentials enters a geofenced zone, an ad inviting the person to apply will appear on his or her mobile phone. Recruiters say this approach provides a more cost-effective and targeted method of recruiting than traditional methods.
But it also raises questions about protecting the privacy of the individuals you are targeting. If your organization collects personally identifiable data in connection with a geofencing campaign, then you should also put mechanisms in place to protect the data from the malicious activities of hackers and from improper use or disclosure by authorized users. As with any individually identifiable data that you collect, you should consider the following questions:
- Whom has access to the information obtained? Whenever you collect individually identifiable information, you want to limit access to just those who absolutely need to use the information. The more people who have access to the data, the greater the opportunity for someone to lose or misuse the information.
- What and how much information is collected? The more sensitive the information, the more protection that it needs. Certain information, like social security numbers, bank account details and medical records typically need the most protection, but even profiles of individuals can be tempting targets for criminals interested in using the information for identity fraud. Companies should always think about the types of information they are collecting. The less information you collect, the less you must protect, which will save you money while also reducing your risk of a potential data breach.
- Over what period has the information been collected? How long will you retain it? The longer you retain information, the more you end up storing and having to protect. Moreover, the information also tends to grow stale over time, meaning that it becomes less reliable. Again, it costs money to protect information. You will reduce risk and expense if you set time limits on your retention of personally identifiable information.
- Where is the information being stored? When using a third-party vendor to collect and/or store information, you are only as secure as your vendor. Do your due diligence before selecting a vendor, then follow it up with a solid contract that spells out expectations. Conduct audits of your vendors to verify compliance. If you do business internationally, be sure to know the laws for data use and storage in each country where you collect and store.
- Is the information adequately protected? Different types of information will be subject to different standards, which may be set by industry, state, federal or even international laws. Increasingly, legal standards require you to actively manage risk to your IT systems to ensure you are doing what is needed to protect sensitive information that you have gathered.
In the event of a security breach, your company could find itself subject to investigation, meaning these questions could become front and center. If you have not addressed these issues adequately, you could face a public backlash.
Norbert F. Kugele and Nathan W. Steed are partners at Warner Norcross & Judd LLP, where they help individuals and companies safeguard their data and protect their privacy. You can reach them at email@example.com or firstname.lastname@example.org or by calling (616) 752-2000