How can your website help you comply with the GDPR?

Every recruitment website should function as a management tool within the new data protection climate


Making your recruitment website work hard will help you manage data effectively while protecting the rights of every data subject. 


Following my post before Christmas that highlighted the benefits of embracing the GDPR, this overview, first published in Recruiting Times, recaps the individual rights under the legislation and, specifically, how your website can support your GDPR compliance.


The rights are listed below, together with pragmatic advice on what to do now.


1. The right to be informed


The right to be informed is the recruiter’s obligation to provide ‘fair processing information’, typically through a privacy notice. We recommend that you review your current privacy policies and bring them up to date before the new data protection bill becomes law. They will need to be updated in line with the GDPR, and the Privacy Directive will be specific about this messaging.


What does this mean for me?

  • The onus is on the recruiter to inform individuals of their right to object at the first point of communication - and this can be handled automatically by your website.

  • Version control is critically important when adding and updating your privacy policies, to support pre- and post-Privacy Directive messaging and to show which version of your policy each individual consented to. This ensures accurate data logging and audit control.


2. The right to rectification


The GDPR gives individuals the right to have their personal data rectified. If you have disclosed the personal data in question to third parties, you must inform those third parties of the changes where possible. You must also inform the individual about the third parties to whom the data has been disclosed, where appropriate.


What does this mean for me?

  • You must respond to the request and action it within one month.

  • Your website can handle this for you, provided the candidate has access to a self-service dashboard that allows them to log in and manage their own data as they wish.


3. The right to erasure - the right to be forgotten or RTBF


The broad principle underpinning this right is to enable an individual to have their personal data deleted or removed where there is no compelling reason for its continued processing.


What does this mean for me?

  • You must respond to the request and action it within one month.

  • This is a request that the individual can make themselves by logging in to their self-service dashboard and requesting their RTBF.

  • It’s important that this action is validated, as there may be circumstances where data should be kept (e.g. where there is a legal duty to keep records).


4. The right to data portability


The right to data portability allows individuals to get hold of and use their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another safely and securely.


What does this mean for me?

  • This right only applies to personal data an individual has provided to a controller and where processing is carried out based on consent or by automated means.

  • You must provide this data free of charge and in a commonly used format.

  • In the Volcanic dashboard, the individual can access and download all their data as a CSV file.



5. The right to restrict processing


Individuals have a right to block or suppress processing of personal data. When processing is restricted, you are permitted to store but not further process data.


What does this mean for me?

  • You are permitted to store the data but not further process it, and you may only retain enough information to ensure the restriction is respected in future.

  • One simple way to achieve this in your web platform is to suspend the user. This will prevent any further processing of data relating to that individual.


6. The right to object


Individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), direct marketing or processing for purposes of research and statistics.


What does this mean for me?

  • You must inform the individual of their right to object at the point of first communication, which can be handled automatically by your website once you’ve uploaded your privacy notice.

  • You must stop processing personal data for direct marketing purposes instantly, as soon as you receive the objection.

  • Individuals can unsubscribe by logging in to their dashboard and withdrawing consent or unsubscribing from email alerts. The recruiter should also be able to manage this directly.


7. The right of access - Subject Access Requests or SARs


Individuals have the right to access their personal data and supplementary information, which gives them the opportunity to verify the lawfulness of the processing.


What does this mean for me?

  • You must provide this information free of charge within one month of receiving the request.

  • Your website’s self-service candidate dashboard not only allows every individual to make their own subject access request; it also time- and date-stamps the request to log and record it, so that fully auditable records can be produced if required.
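The mechanisms described in sections 1 to 7 above (recording which policy version a candidate consented to, self-service rectification, an erasure request that is validated against a legal duty to retain records, a CSV export for portability, suspending a user to restrict processing, withdrawing marketing consent, and time-stamped subject access requests) can all be modelled as operations over one candidate record plus an audit log. The following is an added example illustrating that model; it is not code from the original article or from the Volcanic platform, and every class, method and sample value in it is a hypothetical, in-memory stand-in for a real recruitment site’s database.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional
import csv
import io


@dataclass
class Candidate:
    """Hypothetical candidate record held by a recruitment website."""
    email: str
    name: str
    skills: str
    consent_version: Optional[str] = None  # privacy-policy version consented to (right 1)
    restricted: bool = False               # processing suspended at the candidate's request (right 5)
    legal_hold: bool = False               # set when a legal duty requires the record to be kept (right 3)
    marketing_opt_in: bool = True          # withdrawn when the candidate objects to direct marketing (right 6)


class CandidateStore:
    """In-memory stand-in for the site's candidate database plus its audit log."""

    def __init__(self, policy_version: str) -> None:
        self.policy_version = policy_version      # currently published privacy policy version
        self.candidates: Dict[str, Candidate] = {}
        self.audit: List[dict] = []

    def _log(self, subject: str, action: str, detail: str = "") -> dict:
        # Every action on a data subject is time- and date-stamped so that a
        # fully auditable history can be produced for a subject access request.
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "subject": subject, "action": action, "detail": detail}
        self.audit.append(entry)
        return entry

    # Right 1: record which policy version the candidate consented to at registration.
    def register(self, email: str, name: str, skills: str) -> Candidate:
        cand = Candidate(email, name, skills, consent_version=self.policy_version)
        self.candidates[email] = cand
        self._log(email, "consent", f"policy version {self.policy_version}")
        return cand

    def publish_policy(self, version: str) -> None:
        self.policy_version = version
        self._log("*", "policy_published", version)

    def needs_reconsent(self, email: str) -> bool:
        # True when the candidate consented to an older policy version than the one now published.
        return self.candidates[email].consent_version != self.policy_version

    # Right 2: candidate-editable fields only; consent/legal flags are never user-writable.
    def rectify(self, email: str, **changes: str) -> Candidate:
        cand = self.candidates[email]
        for field_name, value in changes.items():
            if field_name not in ("name", "skills"):
                raise ValueError(f"field {field_name!r} is not candidate-editable")
            setattr(cand, field_name, value)
        self._log(email, "rectify", ",".join(sorted(changes)))
        return cand

    # Right 3: erasure is validated against a legal hold before anything is deleted.
    def request_erasure(self, email: str) -> bool:
        cand = self.candidates[email]
        if cand.legal_hold:
            self._log(email, "erasure_refused", "record subject to legal retention duty")
            return False
        del self.candidates[email]
        self._log(email, "erased")
        return True

    # Right 4: export the candidate's own data in a commonly used format (CSV).
    def export_csv(self, email: str) -> str:
        cand = self.candidates[email]
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=["email", "name", "skills", "consent_version"])
        writer.writeheader()
        row = asdict(cand)
        writer.writerow({k: row[k] for k in writer.fieldnames})
        self._log(email, "export_csv")
        return buf.getvalue()

    # Right 5: suspending the user stores the record but blocks further processing.
    def restrict(self, email: str) -> None:
        self.candidates[email].restricted = True
        self._log(email, "restricted")

    # Right 6: withdrawing marketing consent takes effect immediately.
    def withdraw_marketing(self, email: str) -> None:
        self.candidates[email].marketing_opt_in = False
        self._log(email, "marketing_withdrawn")

    def send_marketing(self, email: str) -> bool:
        # Processing for direct marketing is refused for restricted or opted-out candidates.
        cand = self.candidates[email]
        if cand.restricted or not cand.marketing_opt_in:
            self._log(email, "marketing_blocked")
            return False
        self._log(email, "marketing_sent")
        return True

    # Right 7: a subject access request returns the data plus the stamped history for that subject.
    def subject_access_request(self, email: str) -> dict:
        cand = self.candidates[email]
        self._log(email, "sar")
        return {"data": asdict(cand),
                "history": [e for e in self.audit if e["subject"] == email]}
```

The design point is that the restriction, legal-hold and consent flags live on the record and are checked by every processing path (here `send_marketing` and `request_erasure`), rather than being left to whoever happens to run a report; the audit log is append-only and filtered by subject when answering a subject access request, so the one-month deadlines in the text can be evidenced from the stamped entries.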


8. Rights in relation to automated decision making


The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. To prevent this, it is important to identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR.


What does this mean for me?

  • If you use automated decision making, you must declare this as part of your fair processing information or privacy policy.

  • This can be handled by your website at the first point of contact when a new candidate registers.


The GDPR is no cause for alarm. If you’ve conducted a risk assessment and vendor due diligence to ensure your providers are all supporting your compliance, the GDPR represents a great opportunity to get your house in order and demonstrate your candidate-centric approach.

Download your free guide to GDPR for recruitment agencies.