Terminology
GDPR: General Data Protection Regulation
Data Controller: This is you, the in-house recruiter/employer. You control the purposes for which the Candidate data is processed. It is your responsibility to ensure that the ATS you work with can be configured to be GDPR compliant and to ensure your account is configured in a way that is GDPR compliant. BrightMove is supplying our customers with a checklist (below) to allow you to confirm your account settings are GDPR compliant.
Data Processor: This is the ATS provider, in this case BrightMove, since we process Candidate data on your behalf.
GDPR Compliance
Our technology is flexible enough for our customers to make adjustments to existing accounts so they can be GDPR compliant. Accounts are not necessarily GDPR compliant "out-of-the-box". You should review the compliance rules and features inside your account to ensure the proper settings are enabled. The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behavior of EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
While BrightMove can't provide legal guidance on the GDPR rules, we do support customers with questions on how to achieve certain settings or account preferences. You can contact us at support@brightmove.com for assistance if needed.
Below is an ATS checklist of how to achieve account settings that enable you to be GDPR compliant from an ATS perspective. GDPR went into effect on May 28th 2018.
- Process candidate data only according to documented instructions from the controller(s).
- Implement necessary measures to safeguard the candidate data, including:
  - The encryption or pseudonymization of candidate data.
  - The ability to maintain a high-quality processing system and service.
  - Regular testing and evaluation of the measures to ensure the security of the processing.
- Delete or return all candidate data to the controller(s) on request.
- Demonstrate the ATS' compliance with the GDPR to the controller(s). We cannot guarantee compliance, as a user can change settings in such a way that the account becomes non-compliant, but we do give you the tools you need to make the account compliant. See the GDPR Compliance Checklist for Customers below for the areas you should pay attention to and possibly set up.
GDPR Compliance Checklist for BrightMove Customers
We have compiled some items we know you will need to manage within your account in order to be GDPR compliant. This checklist is not necessarily a complete list and is not legal advice so please consult your Legal resources to ensure your compliance.
1. Give Candidates access to self-serve (manage/edit their profile information). You can allow this by going to Settings > Candidate Experience Portals screen. From there, you can select Manage Security from the More button drop-down.
This is where you decide what the Candidate is allowed to see and what they can manage about themselves. You should enable the following permissions to allow Candidates to edit their own information; all other permissions in the list are optional, should you wish to grant them access to those areas.
- Access Candidate Module
- View Candidate
- View Candidate Resume
- Add Candidate Resume
- Edit Candidate Resume
- Candidate EEOC (if you ask this)
- Access Tools Module
- View My Profile
- Upload Applicant Attachment
- View Applicant Attachments
Click Save at the bottom or top right to save your settings.
2. Create Terms & Conditions (T&C) for your portal application and for Candidates added by employees. There are two steps you need to follow to complete this requirement.
- You can do this in Settings > Candidate Experience Portals: click the Portal Title link (far left) and scroll down to the section titled "Applicant Terms and Conditions". This is where you place your Terms & Conditions and the GDPR wording you need, so that when a Candidate applies to a job they must tick the box agreeing to those terms before the application can be submitted. However, any Candidates your users/recruiters/sourcers created and/or matched to a job have not agreed to the T&C, so see the second step below for how to cover that scenario.
- Create a BrightForm that contains your Terms & Conditions. BrightForms allow you to create custom forms that can be assigned manually to Candidates and/or automated into your submittal workflow statuses.
  BrightForm assignment emails the Candidate that they have a form to fill out; they log into your job portal and fill out and agree to the form. When they save it, the form is saved to the Candidate's profile as a PDF attachment automatically. If the Candidate is submitted to a job, once the form is completed we can even automatically change their submittal status to your specified "Next Step", so your users/recruiters know the Candidate has consented and can continue them through your workflow.
  A single BrightForm costs only $29.00 per month and will allow you to gain the Candidate consent you need. Please email support@brightmove.com to add a BrightForm if you need this compliance proof.
- Alternatively, perform an email campaign with an Email Template to gain an Opt-In or Opt-Out from Candidates who qualify under the GDPR protections. This option is free: use Power Search to identify these people, put them into a Folder and mass email the entire folder. As people respond, record their answer in their profile and remove them from the folder, so that over time only people who have not responded remain in the folder for follow-up emails to obtain the information.
3. Review the Legal Basis tab on the Candidate and Manager profiles. This is where you, the Controller, indicate your legal basis for holding the Personal and Sensitive Personal data sets.
4. Identify and delete bad data such as old candidate records, incomplete records, or people you no longer work with. If you keep people who qualify for GDPR protections and for whom you do not have consent, use step 2 above to gain consent to use their data; otherwise you must delete them.
5. Processor Security Measures: nothing to do here, but an FYI for you. Our database resides in Amazon Web Services (AWS) RDS in the US East (N. Virginia) data center, utilizes a private VPC and is not publicly accessible. Data is encrypted at rest (http://docs.aws.amazon.com/kms/latest/developerguide/services-rds.html) using AWS Key Management Service (https://aws.amazon.com/kms/), and the database has Multi-AZ failover (http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html).
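As an added illustration (not BrightMove's own tooling), the three processor-side controls named in step 5 can be checked against a DB instance record in the shape returned by the AWS RDS DescribeDBInstances API; the field names are the real API's, while the instance records below are constructed sample data.

```python
# Added example: evaluate the controls described in step 5 (encrypted at
# rest with KMS, private VPC / not publicly accessible, Multi-AZ failover)
# against a DB instance record shaped like the AWS RDS DescribeDBInstances
# output. Records below are CONSTRUCTED samples, not a real instance.

def check_rds_controls(instance: dict) -> dict:
    """Return a mapping of control name -> True (pass) / False (fail)."""
    return {
        # Storage encryption is on and a KMS key is attached
        "encrypted_at_rest_with_kms": bool(instance.get("StorageEncrypted"))
        and bool(instance.get("KmsKeyId")),
        # No public endpoint, and the instance sits in a VPC subnet group
        "private_vpc_not_public": instance.get("PubliclyAccessible") is False
        and bool(instance.get("DBSubnetGroup", {}).get("VpcId")),
        # Synchronous standby in a second Availability Zone
        "multi_az_failover": instance.get("MultiAZ") is True,
    }


def failing_controls(instance: dict) -> list:
    """Names of the controls that do not pass, in a stable order."""
    return [name for name, ok in check_rds_controls(instance).items() if not ok]


# Constructed record matching the posture described in step 5.
COMPLIANT_INSTANCE = {
    "DBInstanceIdentifier": "example-ats-db",  # placeholder name
    "AvailabilityZone": "us-east-1a",
    "StorageEncrypted": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID",
    "PubliclyAccessible": False,
    "DBSubnetGroup": {"VpcId": "vpc-EXAMPLE"},
    "MultiAZ": True,
}

# Constructed record with the weak settings, for contrast.
WEAK_INSTANCE = {
    "DBInstanceIdentifier": "example-weak-db",
    "StorageEncrypted": False,
    "PubliclyAccessible": True,
    "DBSubnetGroup": {"VpcId": "vpc-EXAMPLE"},
    "MultiAZ": False,
}

if __name__ == "__main__":
    print("compliant instance fails:", failing_controls(COMPLIANT_INSTANCE))
    print("weak instance fails:", failing_controls(WEAK_INSTANCE))
```

With boto3 the same functions can be fed the dicts in `rds.describe_db_instances()["DBInstances"]` to check a live account.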
This is not a complete list of your legal responsibilities, so please review your settings and compliance to ensure you meet the requirements where applicable. If you need help setting something up, please don't hesitate to contact support@brightmove.com and we'll be happy to advise you on how to create any of the items listed above.
Resources
Below are some websites that you may find helpful to understand the full scope of the GDPR rules and expectations:
- GDPR EU (data controllers and processors): https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/
- Information Commissioner's Office (UK): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
- WCN Solutions blog (GDPR impacting ATS): https://blog.wcnsolutions.com/gdpr-impacting-ats