GDPR Compliant Applicant Tracking System
Eploy is committed to complying with the GDPR as a data processor and helping you to comply with your obligations as a data controller. We have been working, and continue to work, closely with our legal team to ensure we have an optimal understanding of the GDPR and the new responsibilities we share with you in protecting personal data.
To help customers further with their GDPR preparations and ongoing compliance, Eploy has introduced a suite of new tools that focus on key aspects of the new regulations.
How Eploy helps you meet GDPR regulations
With an award-winning Data Privacy Suite, Eploy helps you meet your obligations for Data Privacy.
- Ensuring data privacy & security
GDPR Consent Management
Getting the explicit, affirmative consent of your candidates, either active or passive, is essential to demonstrate your commitment to GDPR compliance. Some of the characteristics of a compliant consent management system include that it is:
- Freely given
- Specific
- Informed & granular
- Verifiable
- Easy to withdraw
- Time limited
Eploy’s new Consent Manager enables you to:
- Introduce a Data Consent policy
- Add additional specific consents for each use-case
- Choose which checks on consent you want Eploy to enforce
Your GDPR Data Consent Policy
Typically, you will use the Data Consent Policy to define the consent that candidates give you to store and process their personal data to secure them a job. Your policy is completely customisable; you can define its:
- Name
- Description
- Duration (retention period)
Also, you can define how to handle candidates whose consent is approaching the end of its validity period – enabling you to send automatic reminders that encourage candidates to re-consent.
You can set reminders to start sending (x) days before the consent expiry and send further reminders every (y) days after that. If the candidate still fails to respond, you can automatically send a final email confirming that their consent has expired and what will happen next with their data.
Granular Consents & Preferences
Eploy’s Consent Manager lets you create any number of specific consent preferences – enabling you to offer candidates the ability to ‘opt-in’ for granular usage of their personal data for specific purposes only.
For example, you could create separate consents for:
- Receiving email newsletters
- Joining a talent pool
- Contacting by specific means – such as SMS
(Note: the above are just examples; you can create preference consents for whatever use-cases your business may require.)
As with your core Data Consent policy, Preference consents each have a Name, Description & Help Text. Each of these preferences is set to expire at the same point as your core Data Consent policy. This prevents multiple consents expiring at different times, which could have a negative effect on your candidate experience, since candidates could end up receiving multiple reminder notifications.
Based on these preference consents, you can then ensure that communications, such as emails, are only sent to those candidates who have specifically opted in to receive them. This means you can run multiple email newsletter lists, which is great for sending targeted, segmented emails to the right people. You can also set the valid consents within Email templates, so that any emails created using the template will only be sent to those people who have explicitly opted in to receive them.
Managing Exclusions - Legal Basis
You can also create exclusions for your Data Consent policy. An Exclusion is a filter that defines the criteria of the candidates that can be excluded. For example, you may want to create a filter that finds Non-EU candidates within your Eploy database and excludes them from your Data Consent policy, or one that covers cases where you can show that you have a legitimate interest for processing candidate personal data.
You can use exclusions where you may have a different legal basis for storing and processing personal information. For example, retaining new hire information for a period or retaining applications can constitute a valid legal basis under the GDPR. We advise that you talk to your Data Protection Officer (DPO) to understand the different legal bases you may have for storing and processing different categories of candidates and then create exclusions within Eploy’s Consent Manager.
Data Retention Periods
As the GDPR requires that consent is time-limited, within your Data Consent Policy, you can define what should happen, automatically, when a candidate’s consent expires. Your choices here are:
- Change the candidate’s Employment Status to “Consent Expired”
- Anonymise the candidate’s personal data
or
- Delete the candidate
Change the Candidate Status
This option will give candidates whose consent has expired a specific Employment Status (“Consent Expired”); this ensures that such candidates are restricted from future searches and queries. This is a good choice where you want to review all candidates manually before deciding what to do next, but in the interim restrict them from further processing.
Candidate Data Anonymisation
There are good reasons why you might not want to completely delete all information stored about a specific candidate from your database. A good example of this is your metrics and analytics. Consider, for example, Candidate Source (where did they hear about the role? which job board? etc.): if you delete the candidate record you are likely to lose this important information, meaning your stats are less accurate.
Rather than lose this ‘non-personal’ data, you can set expired candidates to be anonymised, automatically, within your Eploy database. With anonymisation, all personal data fields, notes and comments are anonymised, and all CVs and other files associated with the candidate are deleted, leaving only pertinent, non-personally identifiable data. This will maintain the integrity of your stats, metrics and KPIs that do not rely on personally identifiable information.
Anonymisation is set to take place on your preferred day of the month. In addition, the candidate’s Employment Status will be set to ‘Sent for Anonymisation’. Please note that, once a candidate has been anonymised, this is irreversible.
Candidate Deletion & The Right to be Forgotten
By selecting the ‘Delete Candidate’ option, your candidates will go into a holding pen that is then deleted from your Eploy database on your preferred day each month. This tool helps you manage the right to be forgotten - where the candidate requests deletion from your system, for example.
By putting them into a holding pen, you can give yourselves time to manually check and verify that you do not have another legal basis for retaining the candidate data. To assist with this, Eploy will automatically set the candidate’s Employment Status to ‘Sent for Deletion’ and optionally you can choose to notify specific individuals in your organisation before deletion so that they can review them if required.
Ensuring GDPR Compliant Candidate Communications
Eploy’s Consent Manager enables you to configure which specific checks you want your system to perform when contacting candidates in your database:
Checks can be created for:
- Emailing the candidate
- Sending SMS messages to the candidate
We’ve added consent tools that help you when working directly with Candidate data within the Eploy System.
Within the Candidate Summary page we’ve added a new pop-over for consents – this will show which preferences each candidate has specifically opted in for.
However, as a fail-safe, Eploy also stores a history of all consent changes, so if a candidate challenges the validity of a consent you will be able to refer back to the history to identify who edited it and when.
Give candidates self-service control of their data & privacy consents
Your Data Consent policy and specific preference consents can each be presented to candidates through your careers site and (if you have one) your Eploy Candidate Portal.
Gaining consent at the point of registration
It’s important that, as a minimum, you capture a candidate’s consent to store and process their personal information at the point of registration on your careers site.
Eploy’s Consent Manager also lets you choose which preference consents should also be presented – enabling you to have specific consents to join your talent pools and be contacted about other roles, for example.
Candidate Self-service for data consent
When a candidate logs in to your Candidate Portal they can also be presented with your data consent policy and manage their opt-in preferences.
For more information please also see this GDPR blog post and our general GDPR statement.