GDPR Settings - What are they?
The GDPR, or General Data Protection Regulation, is part of the core Data Protection legislation utilised across all member nations of the EU.
Since the UK left the EU, the UK GDPR, which is a slightly amended version of the EU GDPR, applies to the UK and sits alongside the Data Protection Act 2018.
The EU made an "adequacy" decision on the UK, which means the UK and EU continue to process data across borders.
The UK GDPR remains the single most important piece of legislation which governs how data is used.
Within Eploy we have a suite of tools which you can use to ensure that your system is fully GDPR compliant - we call this suite the Consent Module.
The consent module provides you with the tools to:
- Let your Candidates and Contacts know how their data will be processed (i.e. your Privacy Statement)
- Track whether they have given consent to processing their data (if using consent), or,
- Track whether they have read your privacy statement (if using legitimate interest),
- Set a limit on the amount of time Personal Data will be kept within the system
- Set an auto-reject period, during which the Candidate/Contact can be sent a series of emails to let them know their data will be removed soon, unless they tell you otherwise
- Dictate what will happen when the auto-reject period expires - auto-delete/anonymise the record or flag it for manual anonymisation/deletion
- Configure exclusions - a series of conditions which, when met, exclude the Candidate/Contact from being able to withdraw their data and stop the system from either issuing auto-rejection related emails or auto-anonymising/deleting the record
You can also use the Contact Preferences tool within the Consent Module to give your Candidates and Contacts the opportunity to opt in or out of periodic email communication.
Within Eploy there are two sets of Consent settings: one for your Candidates and another for Contacts.
If you are an in-house recruitment team, you'll likely only need to provide the consent settings for your Candidates.
The Contact Consent Settings allow you to put different settings into the system for your external contacts - typically these settings are used by Recruitment Agencies and Universities who recruit on behalf of external organisations and where a decent percentage of the contacts found in the system belong to these client organisations.
What do I need to think about when planning?
Although it sounds like a lot to think about, this one is quite simple.
Firstly, even though the suite of tools is collectively called the Consent Module, please don't get too hung up on the word Consent. Within the tool you can capture consent, if that's how you want to work, but you can also use the tool if you're going down the path of Legitimate Interest.
Second, we'd recommend that you delegate this task to your Data Protection Officer (DPO), or at the very least, involve them at every step of the way.
You'll need to gather the following pieces of information, or make an appropriate decision:
- Your data privacy statement - this is usually a shortened version of the full statement, which just provides the highlights. Your full statement will be available on your main website and you can include a link to the full statement from within this shortened statement. Or alternatively you may have a specific privacy statement just for recruitment, in which case it could either be hosted as part of your Candidate Portal or on your main website.
- The content of a confirmation message to be displayed when a candidate requests the removal of their data from within the Candidate Portal
- The content of a message displayed to a candidate when they want to request the removal of their data from within the Candidate Portal, but where they fall into an excluded category
- The number of months you'll want to hold on to Candidate and Contact data for
- The number of days before the end of the data retention period where you want to start sending emails to the Candidate or Contact inviting them to renew their consent for you to process their data
- The content of the email to be sent at the beginning of the auto-reject period
- The content and frequency of any reminder emails to be issued
- Which day of the month Eploy will either flag a Candidate/Contact for Anonymisation or Deletion, or automatically anonymise/delete the record
- The details for any exclusions which would stop a Candidate/Contact record from automatically being flagged, anonymised or deleted
- The details of any periodic email/sms communication preferences you'd like to include
Once you have all this information to hand, it's a relatively simple process to add it into your system, which you'll be able to do once you've moved into Phase 3 of your Implementation.
I'm still not sure what I need to do - are there any examples I can see?
Yes, but no.
The Consent Module within your demo system is fully configured, and you're more than welcome to see how all the information is added to the module, but I have to stress that this is for illustrative purposes only.
As Data Protection is a legal consideration, it needs to be specific and unique to your own organisation - so please don't be tempted to copy and paste the information from the demo system into your live system.
Remember, when it comes to GDPR settings it's really important to get your DPO involved as early as possible to ensure you're inputting the right information into the system. If you need additional help, you'll be able to find plenty of information on the ICO website. Also, if your DPO would like additional information around how the Consent Module works and how to input the data, our own DPO would be happy to have a call with them.
To access the consent module, log in to your demo Core system and navigate to Admin > Consents > Candidate.
This will show you how the consent module for Candidates has been configured in your demo system.
Contact Consent is not usually configured in Demo systems, but it behaves and is configured in the same way as for Candidates.
Tip: The topic of GDPR is covered in the first of our two Customer Configuration webinars.