The General Data Protection Regulation (GDPR) has a simple mandate—to give Europeans more control over how their personal information is used.
Despite its simple mandate, the devil of GDPR is in the detail. And with GDPR there’s a lot of detail to get to grips with.
It’s been a hot topic for a while now. So, by this stage, you’ve probably got a pretty good, general overview of GDPR as it relates to recruiting—what you need to do for candidates, why and when (hint: it’s soon). But with the 25th May deadline and threat of potential financial penalties looming, chances are you’ve moved on to the last big question—‘how?’ How will you find time to meet the detailed GDPR compliance requirements when the day-to-day demands of hiring are all-consuming?
A simple mandate demands a straightforward solution. And the great news is if you’re using Workable the solution is straightforward—we’ve taken care of the details for you. Whatever the size of your hiring team or your data processing operation, we’ve got a range of different integrated options—from existing features to new, GDPR compliance tools. No fuss required. Lots of time saved.
A robust, secure and accredited hiring platform
But first things first. Before tools comes security. Data protection is the backbone of GDPR. A secure and stable platform from day one, Workable is 100% GDPR-compliant. We’re also ISO 27001-accredited, which means it’s easier for us, and our customers, to comply with the new regulations. And we’ve recently added extra layers of security such as single sign-on to give added confidence to users.
So, if you’re using Workable to manage your hiring data you can be confident it’s in safe and secure hands, and it always has been.
Supporting GDPR-compliance as standard
You can manage GDPR-compliance effectively throughout the hiring process, using any Workable account.
You’ll probably be familiar with most of the features highlighted below, but there’s one big change. We’ve recently added an account-wide right to erasure option. Designed specifically with GDPR in mind, it sits in a new section labelled ‘Compliance’ in your account settings.
Turn this feature on to enable candidates to delete their own data from your records. Once a candidate has deleted their data, Workable will automatically prevent anyone from your company from contacting the candidate again—unless they choose to apply for another position in the future. This protects you against potential breaches of the right to be forgotten and data retention rules.
The following features help you manage the rest:
- The default customizable application form only requests the basic information required by most hiring teams. This helps meet GDPR’s data minimisation requirement.
- Comply with transparency requirements by using the job editor to add in details of how your organization processes candidate information. Then use email templates and bulk mail-outs to make sure hiring teams share this information consistently and accurately.
- Manage different GDPR compliance requirements directly from the ‘candidate profile’:
  - Use the ‘candidate resume download’ button and ‘print profile’ link to action right of access and right to data portability requests.
  - With the ‘edit candidate’ option it’s easy to correct inaccurate data, part of the right to rectification requirement.
  - You can also delete candidates individually or in bulk, helping you with the right to be forgotten, right to object and data retention rules.
The GDPR Feature Pack for recruiting—automated GDPR compliance tools for maximum support
“Workable’s GDPR support has helped us come up with a process to follow. We’re upgrading to the Pro plan because of the level of support it offers in automating a lot of the GDPR requirements. It’s a huge timesaver.”
Esther Smith, Global Head of People at IQPC.
Demonstrating compliance is harder to achieve on an ad-hoc, case-by-case basis if you process higher volumes of data, or if your operation’s a little more complex, with multiple pipelines, different hiring teams, or a strong focus on candidate sourcing. To meet these challenges we’ve added a package of new, GDPR-specific features to our Pro plan.
From minimizing the risk of storing data illegally to remaining compliant without distorting reports, our new GDPR Feature Pack automates many of the key GDPR requirements for recruiting. It takes seconds to activate and runs by default across your whole account so you can relax and focus your day-to-day attention back on hiring.
GDPR requirement #1—transparency
Activate the GDPR Feature Pack and we’ll provide you with a legally-verified, customizable Privacy Notice to share with candidates. Just add the details unique to your company and save the template. Candidates will automatically receive a copy of this on application. If you’ve already got your own, lawyer-approved policy we can link to that instead.
If candidates have actively applied for a role with you, consent to process their data is implied through GDPR’s legitimate interest caveat. But, if you do want to seek active consent, we can include a check box on every Workable-generated application form.
GDPR has different transparency requirements around sourced candidates. To help meet these we’ll include an automatic email footer linking to your Privacy Notice in your first communication with every sourced candidate.
GDPR requirement #2—right of access and right to data portability
As well as the standard features available on each candidate profile, you’ll also get the option of a ‘Candidate Breakdown Report’. This exports candidate details into CSV format, should any candidates request to see the data that you hold.
GDPR requirement #3—right to erasure and right to object
An opt-out link, automatically included in every application confirmation email, enables candidates to delete their own data. Doing this triggers a set of rules that make it impossible for anyone in your organization to contact them again, unless they apply for a new role in the future. Once deleted, Workable anonymizes the data so that your reports remain accurate.
GDPR requirement #4—data retention
With GDPR you can no longer store candidate data indefinitely. Activate the options in your Compliance settings and data will automatically delete based on your chosen time frames. For candidates in archived jobs this is based on the date the profile was created. For candidates in active jobs or your Talent Pool, this is combined with a defined period of inactivity. For sourced candidates it’s triggered if there’s no contact within the required period of 30 days. Workable will also send a one-off email to all of your newer candidates—those who fall outside your pre-defined time frame—with links to your processing information. This way, you can be sure you’re starting off on the best footing from day one of activating the feature.
Hiring and compliance tools that go hand-in-hand
If you’re using Workable to manage your hiring you can use it to help manage your GDPR compliance too. As ‘data controller’, ultimate responsibility for compliance rests with you. But these features help you to meet that responsibility with minimal fuss. Find out more about staying compliant in our GDPR checklist for recruiters.
If you’re not using Workable and still struggling with spreadsheets to manage your recruitment, you run a much higher risk of non-compliance with GDPR. A risk that could prove costly if you’re hit with a GDPR fine. Why not have a free GDPR consultation or a demo to see how Workable can help? If you’re in a rush, try our online GDPR Readiness Evaluator. In just 14 questions, see how prepared you are and get some tips on changes you could be making.