General Data Protection Regulation (GDPR) is a regulation from the EU that went into effect the 25th of May 2018. The GDPR applies to every company that handles any personal data within the EU and don't you worry, we make being GDPR compliant easy.
Start off by setting up the GDPR features for your account. Read more about the GDPR Setup guide here!
In this article, you can read more about the GDPR workflow and how to automate your compliance.
First thing first: candidates permission
Let's take it from the beginning! You have two different types of candidates, stated in the list below. Initially, these candidates will be handled a bit differently and it all comes down to their permission for you to store their personal data.
- the candidate that applies/connects with your company: gives you permission as they submit their application or chooses to connect with you.
- the candidate you add on your own (source): might not be aware that you've started storing their personal data, so you must first ask for their OK.
Following, you will see how you collect and manage these candidate's permissions.
Default expiry date
After this time has passed, the candidate will be marked with Expired tag and you might want to extend that permission. You can make sure the system automatically asks the candidate for permission. For this, you have to options: Opt-out, or Opt-in.
1. Ask your candidates to Opt-out
Once the candidate's permission has expired, ask him/her to opt-out from your candidate bank. This means the candidate is asked to let you know if they no longer want to be a part of your bank. If a request to be removed isn't done, the candidates permission will automatically be extended. In short, this means you inform the candidates that their personal information will be retained unless they actively opt out.
You're account comes pre-stocked with an email template for the opt-out email. Make sure to take a look at it, to make sure it's aligned with your company. Click Edit Email template to review this email.
The opt-out email looks a lot like this. You see the Remove my data section at the bottom of the email 👇
2. Ask your candidates to Opt-in
After the candidate's permission has expired, you can inform the candidates that they have to actively extend their permission for you to retain their personal info. This means the candidate has to give an OK for you to keep storing their data. If the permission isn't extended, the candidate will remain marked with Permission expired until the candidate gives permission, requests to be removed, or you delete them from your system.
How does the expiry date Opt-in work?
Say you've agreed to store your candidate's data for 12 months. 1 week before the 12 months has passed, the system will automatically send out an email to the candidate, asking them to give a new permission. After the 12 moths has passed, the candidate will be marked with Permission expired.
Expiry date for sourced and referred candidates
When a candidate is sourced or referred (manually added), you have yet to get their initial permission to store their data. Choose how long you store the sourced/referred candidate's data before the system informs you that you're missing their permission. Once this time has passed, the candidate will be marked with a tag Permission missing and the GDPR manager will receive an email notification. Decide if you want to ask for permission automatically or manually.
Automatically ask your candidates to give permission (Opt-in)
Once the expiry date has passed, and the candidate is marked with Permission missing you can have the system automatically ask the candidate for their permission for you to store their data. This is done with an opt-in email. We automatically give you an email template for this email, but make sure to take a look at it. Click Edit Email template to review the email.
The opt-in email looks like this! Note the Give permission button that's automatically added to the email 👇
Once your candidates click Give permission, you have their initial permission and this is valid for the same period of time as candidates that applied for a job/connected with you. So, they are added to the same GDPR loop as the rest of your candidates and will be handled according to your Expiry date settings.
Your accounts GDPR managers are the people you've listed as responsible for keeping your account GDPR compliant. These people will receive direct notification for all activities regarding candidates' data, for example when a candidate wants their data removed.
Simply click on the users you want to assign this role to. Once the user has been given this role, a new set of notification is visible in his/her setting under Email notification → GDPR manager.