What does a GDPR-compliant website look like?

There’s been a lot of discussion around the GDPR and, at Volcanic, we’ve been heading up the thought leadership in this space. Being leading edge has drawn some blood - as not everyone supports our belt and braces approach.

We may not be 100% on the mark, of course - not even the ICO is there yet - but we decided to develop and deploy our GDPR-compliant solutions well in advance of the May 2018 deadline, available to support all our recruitment clients.

So let’s put our money where our mouth is and show you our solution.

 

New platform updates

At Volcanic, we’re committed to the development of new technology to keep all our customers’ websites current. We continually update our platform with regular feature releases and new functionality updates - all as part of our Software as a Service model.

Here’s an update on some of the upgrades that will be implemented over the next few months.

 

GDPR-compliant candidate dashboard

With our GDPR preparations having started around six months ago, it will come as no surprise that our new GDPR-compliant dashboards will soon be released across our entire platform, upgrading all our clients’ websites well in advance of the May 2018 deadline.

We’ve taken our system back to its roots to redesign a platform built with the core GDPR principles of Privacy by Design / Privacy by Default in mind.

Our new candidate dashboards include all the various candidate rights required by the regulation, summarised below:

 

Candidate everything

We’ve put the candidate first in the design of our solution, producing a dashboard that helps meet the draft requirements while remaining focused on real people and their individual rights:

 

Right to be forgotten

There is an area within the dashboard where the candidate can request the right to be forgotten (RTBF). We time and date stamp this request and add it to a request log. Because there are 30 days to respond, the request is sent directly to our client’s GDPR representative or DPO, if they have one, for approval. Once approved by the designated representative, the request will then be actioned and the data deleted from the website. We will be able to provide an audit report of this process on request - as mandated by the legislation.
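The request flow described above (a time-stamped log entry, approval by the GDPR representative or DPO, then deletion, with an audit trail available afterwards), as an added example that is not Volcanic's code. The class, state and actor names are hypothetical, and the SHA-256 hash chain is an added assumption that makes the log tamper-evident.

```python
import hashlib
import json
from datetime import datetime, timedelta

RESPONSE_WINDOW = timedelta(days=30)  # the response period the page cites
# Allowed transitions: erasure is only reachable through an approval.
NEXT_STATE = {None: "requested", "requested": "approved", "approved": "erased"}

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ErasureLog:
    """Append-only RTBF log; entries are SHA-256 chained (added design choice)."""

    def __init__(self):
        self.entries = []

    def state(self, request_id):
        states = [e["state"] for e in self.entries if e["request_id"] == request_id]
        return states[-1] if states else None

    def record(self, request_id, new_state, actor, at):
        # Reject skipped steps, e.g. "erased" without a prior "approved".
        if NEXT_STATE.get(self.state(request_id)) != new_state:
            raise ValueError(f"{request_id}: cannot move to {new_state}")
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        entry = {"request_id": request_id, "state": new_state, "actor": actor,
                 "at": at.isoformat(), "prev": prev}
        entry["digest"] = _digest(entry)
        self.entries.append(entry)

    def overdue(self, now):
        # Requests not yet actioned once the response window has passed.
        opened = {e["request_id"]: datetime.fromisoformat(e["at"])
                  for e in self.entries if e["state"] == "requested"}
        return sorted(r for r, t in opened.items()
                      if self.state(r) != "erased" and now > t + RESPONSE_WINDOW)

    def verify(self):
        # Recompute the chain; any edited or removed entry breaks it.
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["digest"] != _digest(e):
                return False
            prev = e["digest"]
        return True
```

`overdue()` is what a reminder job would poll, and `verify()` is the check to run before the log is exported as an audit report.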


Right of Access (Subject Access Request)

We record the date when the request is made, then pass the request to the GDPR representative or DPO, together with the requestor’s time-stamp and a reminder system.

Right to amend

Within the dashboard we provide all the candidate’s data we hold on the site and the candidate can then modify or delete their data as they require.

 

Right to withdraw consent

We have an area where candidates can both opt-in and opt-out of the requested consent. The various consents required by the GDPR are explicit, clear to understand and can be controlled by the candidate. They decide what they want to consent to and when. Remember, candidates have different needs throughout their career journeys. Volcanic keeps a record of this consent, any changes in this consent and the versions of consent that were agreed to. Remember, consent requirements will no doubt change as the legislation is embedded. Again, all of this is recorded for audit purposes.

 


Right to Data Portability

We allow the candidate an area to download their data either as a CSV or Excel file.

 


Security

 

Security is a right that all candidates are entitled to - the right for their data to be protected. Within the GDPR it is stipulated that all reasonable precautions are taken, which is something that runs throughout our entire business. We take security very seriously.

We are currently completing our accreditation for ISO 27001 and have built a security centre on our platform that demonstrates our security precautions. This centre provides full accountability for our security work and demonstrates the results of any pen testing we do.

 


Under the GDPR, if you have a security breach there are certain rules about notification that need to be followed. We have built these rules into our system so that all our clients are empowered to comply accordingly.

 

Volcanic is supporting the recruitment industry towards GDPR compliance ahead of the May 2018 deadline. Download your free guide to GDPR for recruitment agencies.