Talent acquisition and workforce management leaders handle a variety of sensitive compliance matters. This section dives into how offshore delivery models can strengthen compliance and policy adherence, examines the newly implemented GDPR and how it may affect your business, and provides information about email marketing laws in the U.S., Canada and Australia to ensure your recruitment email marketing programs are compliant.


Leveraging Offshore Delivery Centers to Drive Improved Compliance and Recruitment Results


Offshore delivery centers are a growing strategy in talent acquisition. Historically, these centers have been leveraged for cost efficiencies. More recently, global delivery centers are being used to strengthen compliance, drive broader operational efficiencies and improve recruitment performance.

The change is driven by an increasingly globalized workforce, a competitive recruiting landscape and increased risk due to a complicated patchwork of compliance regulations. Strategically located offshore delivery centers provide lower cost, high-quality workforces and are effective because, combined with an innovative technology platform, they can drive efficiencies and ensure compliance through strict adherence to workflows and audit operations.

Supporting Policy and Regulatory Compliance

As many organizations turn to a global sourcing and recruitment model, an offshore delivery center can be used to quickly and cost-effectively ensure policy and regulatory compliance in a fast-evolving compliance landscape. By leveraging offshore resources, dedicated teams can be assembled to set up and administer standard operating procedures to drive adherence with regulations in each country in which an organization recruits. These dedicated teams can also quickly respond to changes or ramp-up to support new geographies.

Compliant job postings:

An offshore delivery center can be used to ensure that every job requisition is complete and compliant. Hiring manager or recruiter errors frequently undermine the effectiveness, policy adherence and regulatory compliance of job descriptions. A common solution to this issue has been to require that only static, unchangeable, pre-approved job descriptions are posted. Times have changed, and it is more important than ever to allow hiring managers to highlight differentiators and add information that will attract the best talent from a very limited candidate pool. A compliance review prior to posting or distributing a job description is an essential step in ensuring compliance with OFCCP and other regulatory criteria, confirming fixed elements like accurate compensation ranges and ensuring a minimum acceptable quality level.

Background screening and drug testing:

Standardized corporate policies requiring background investigations and drug tests have been the norm across large employers in the U.S. However, the proliferation of different state and local laws regarding the use of criminal background investigations in the hiring process and the variations in the legal treatment of the use of marijuana in different jurisdictions have injected significant complexity into hiring practices. Employers faced with the need for different drug testing criteria and background investigation procedures can encode and apply variegated workflows for different jurisdictions, without a significant increase in compliance cost or risk, when these are initiated, executed and audited at an offshore delivery center.

Complementing AI and automation:

Offshore delivery centers can also take on compliance-related tasks when AI and automation aren’t able to. For instance, when a new law goes into effect that impacts the recruiting process in a certain region, a new standard operating procedure can be established and deployed in an offshore delivery center within hours while technology updates are made, tested and ultimately deployed.

Supporting Improved Recruitment Results

In addition to helping to create a compliant recruitment program, offshore delivery centers can also improve recruitment results and candidate experience.

Posting to community and specialty job boards:

Most well-known job boards take XML feeds, which allows distribution to be automated. However, some job boards still require someone to reach out personally. When an employer has a large volume of open positions, posting to these types of boards can take a lot of a recruiter’s time and the process becomes prohibitively expensive. When an offshore delivery center handles these types of postings, organizations don’t leave candidates on the table. Additionally, these job boards are often a source of diverse candidates, which improves diversity hiring.


To keep up with candidate expectations, employers need an efficient recruitment process. An offshore delivery center can speed up the process of candidate engagement through procedures designed to accelerate the strongest candidates through to interviews and offers.

For one client that takes advantage of PeopleScout’s global delivery center in Gurgaon, India, PeopleScout has met 100% of all timeliness metrics for the past three years for tens of thousands of annual hires by engaging with candidates 24 hours a day.


Key Takeaways

  • Offshore delivery centers reduce compliance errors with multiple teams focused on specific sets of regulations.

  • Offshore delivery centers can increase the agility and responsiveness of your recruitment program.

  • Offshore delivery centers can improve recruiting speed by deploying resources 24 hours a day across the globe.


GDPR: What Does it Mean for Compliance?


As more employers engage with candidates online and through email, being compliant with data privacy laws is more important than ever. If your company sources candidates living or working in the EU, GDPR applies to you. The EU General Data Protection Regulation, or GDPR, requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.

The GDPR applies to all organizations that collect the data of people who live in the EU, regardless of the organization’s physical location. That means the GDPR impacts organizations across the globe, and the penalties can reach up to 4% of the global revenue of the parent company or 20 million euros, whichever is higher. Enforcement began on May 25, 2018.

The regulation requires privacy by design, which means that a data system needs to include data protection from the start, rather than as an addition. Organizations must only hold and process the data that is absolutely necessary, and limit access to that data to those who need to process it.

The GDPR also requires consent and provides the people whose data is collected with the right to confirmation as to whether or not their personal information is being processed, where it is being processed and for what purpose. If the person requests, the organization also needs to provide a copy of the personal data, free of charge, in an electronic format. The person has the right to give that data to another organization.

Additionally, the GDPR includes the right to be forgotten, also known as data erasure, which entitles the person whose data was collected to have the organization erase the data, cease any dissemination of the data and potentially halt a third party’s processing of that data.

The regulation requires organizations to notify the people whose data they collect within 72 hours of first becoming aware of a data breach that is likely to “result in a risk for the rights and freedoms of individuals.”

In the past, organizations that collected data had to notify local data protection advisors about their data processing activities. Under the GDPR, data collecting organizations will not be required to submit those notifications or registrations, but they will need to meet internal recordkeeping requirements, and some organizations will need to appoint data protection officers.


Key Takeaways

  • GDPR applies to any collection of data for those living or working in the EU, regardless of the location of the organization accessing this data.

  • The new rules include notification requirements, up-front security measures and other privacy safeguards.




Laws around the world regulate how businesses and employers can interact with individuals through emails. While many marketing teams deal with these regulations every day, they also apply to talent acquisition teams and others that engage with candidates through email. Different countries have different laws; this article will cover the laws of the United States, Canada and Australia.

United States: CAN-SPAM

CAN-SPAM, Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, regulates commercial messages in the United States. Commercial messages promote a product or a service—including one-off and mass email sends. It does not apply to transactional or relationship content, which are emails about an already agreed upon transaction. Here’s what it requires:

  • You cannot use false or misleading header information. The “From,” “To,” “Reply-To” and routing information must be accurate and identify the person or business who initiated the message.
  • You cannot use deceptive subject lines.
  • The message must include your valid postal address.
  • You must include an option to opt-out of future emails and you must honor those opt-out requests within 10 days.
  • For every email you send in violation of CAN-SPAM, you can be fined up to $41,484.

Canada: CASL

CASL, The Canadian Anti-Spam Legislation, applies to commercial electronic messages in Canada. Commercial electronic messages are emails that encourage participation in a commercial activity. Here’s how it works:

  • Commercial electronic mail to Canadian individuals is covered by CASL.
  • The recipient of the email must give express or implied consent to receive the commercial electronic message.
  • Express consent means the person has agreed to receive the message either in writing or orally. An opt-in option, like a website sign up, is considered express consent. An email requesting consent does not create express written consent.
  • Implied consent can be obtained when the person conspicuously publishes their email. That publication cannot be accompanied by a statement that the person doesn’t want to receive unsolicited commercial electronic messages, and the message must be relevant to the person’s business, role, functions or duties in a business or official capacity.
  • An existing business relationship is an exception, which can arise from a purchase or acceptance of a business, investment or gaming opportunity within the past two years.

Organizations that don’t comply risk serious penalties, including criminal charges, civil charges, personal liability for company officers and directors, and penalties up to $10 million.

Australia: SPAM Act

The SPAM Act of 2003 prohibits the sending of unsolicited commercial electronic messages with an Australian link. Commercial electronic messages offer, advertise or promote the supply of goods, services, land, business or investment opportunities. A message has an Australian link if it originates or was commissioned in Australia or was sent to an address accessed in Australia.

  • The recipient of the message must provide express or inferred consent.
  • Examples of express consent include an opt-in box on a form or website, verbal confirmation over the phone or face-to-face or by swapping business cards. An electronic message requesting consent does not qualify.
  • Inferred consent can occur in an existing business or other relationship. It can also occur when a person publicly publishes their work-related email address and does not state that they do not want to receive commercial messages. When you have inferred consent, the subject of the message being sent must be directly related to the role or function of the recipient.
  • Every email must contain an unsubscribe option that must be honored within five working days.
  • The email must correctly identify the sender or the individual or organization that authorized the email send and it must include information about how the recipient can contact you.
  • Violations of the Spam Act have a maximum penalty of $2.1 million.
