It’s important to be aware that under GDPR:
- Recruitment Marketing is a data processor
- Our customers are data controllers
Alongside being a compliant data processor, Recruitment Marketing provides the tools to allow our customers as data controllers to behave and operate in a compliant manner.
One such tool is the means to enable Candidate anonymization, which when administered effectively, can be used to protect the privacy rights of individual data subjects.
By enabling these options and making sensible choices that suit your company, Recruitment Marketing allows you to be fully compliant with GDPR, in a fully automated way. In true Recruitment Marketing fashion, our goal is for compliance without adding chores or manual tasks to recruiters schedules.
Enabling anonymization for candidates
Recruitment Marketing's Data protection rules works in a similar way to the platform's job routing feature, that is, you can choose to apply different data protection rules to specific subsets of candidates based on their location.
- From the side menu, under Company click Settings.
- Under Web click Data protection rules.
- If GDPR is applicable, click the New button.
The Data protection rule screen displays.
The Data protection rule screen
- From the Type drop down, select one of below:
Note: These are listed in order of priority. For example, where rule sets for both Country AND Continent are in place, when a candidate visits from that country and continent, they will be subject to the Country rule set only.
- Country - This enables a specific set of data protection rules for all candidates in a specific country.
- Political - This enables a specific set of data protection rules for all candidates in the European Union.
- Continent - This enables a specific set of data protection rules for all candidates on a specific continent, for example: Europe, Asia, or North America.
- Default - This set of data protection rules will apply to all those candidates who fall outside of the rules set above. If selected, all settings are commonly off with rules then applied for candidates in specific countries or regions.
- Make the appropriate selections regarding Honor Do not Track and Cookie Consent Required.
Note: If a candidate has Do Not Track (DNT) enabled on their browser, this will be interpreted (in compliance with GDPR) as actively not consenting to tracking cookies. The Recruitment Marketing hosted website will operate as if consent was denied by a candidate from a cookie consent message, i.e. the Recruitment Marketing hosted website will continue to work. However, no candidate tracking will take place. The visit will not be recorded against the candidate’s CRM record.
- Select the Hide consent fields in Calls-To-Action checkbox if necessary.
- Candidate must click a button to close consent modal if you want to ensure that the candidate makes a definitive selection when presented with the consent modal.
Cookie consent text - On initial visit to a Recruitment Marketing hosted page, a GDPR compliant cookie consent message displays, requesting consent for use of all three cookies listed at the top of this article.
The content of the GDPR compliant cookie consent message is configurable in this text field. Enter your message and be aware that as data controllers, customers are responsible for ensuring that messages are compliant with GDPR regulations.
Show cookie management options to candidates - Candidates accessing client careers sites the first time, or in a new browser, can be prompted with a cookie consent dialog. Select this checkbox to configure cookie descriptions and for candidates to manage which cookies they agree to.
Recording a candidate's location - This allows for the ability to identify a candidate's approximate location based on their IP address.
- Always - Always record a candidate's location against their candidate events, regardless of whether they clicked "I Agree" on their most recent cookie consent.
- With their consent - Only record a candidate's location against their candidate events if they clicked "I Agree" their most recent cookie consent.
- Manually added candidates that match this rule should default to - This relates to email notifications, for example, email campaigns that a company might send to candidates in bulk. In this case, where a manually-added candidate matches the rules set for a GDPR-applicable country, for example, that candidate should default to "unsubscribed."
- Determine the thresholds for anonymization of candidates.
- Candidate added auto anonymize policy days - This will apply to candidates who have entered into the CRM themselves, i.e. they have completed a Recruitment Marketing call-to-action. Please enter the number of days that must pass with no candidate interaction before that candidate is anonymized. We recommend a minimum period of 730 days / 2 years based on the valid reason that companies need to store candidate information for some time due to candidates tending to interact with careers content over considerable lengths of time.
- Company added auto anonymize policy days - This will apply to candidates who have been added into the CRM by the company via manual import. For this, we recommend a period of 30 days.
- Additional dropdown fields (if enabled):
- Should honour anonymisation policies? - should be set to "Only when a candidate has no associated ATS ids" if the customer is using the available candidate annonymisation API to manage the deletion of candidates who also exist within another system of record such as their Applicant Tracking system.
- Additional checkboxes:
- Notify privacy contact about:
- Candidates who have requested anonymisation - Under GDPR regulations a candidate can withdraw consent at any time. As part of this “right to be forgotten,” a company can choose to have a notification sent to the company contact indicating that a candidate has gone through the “right to be forgotten” process.
- Inbound candidates who get anonymised automatically - in this context, inbound implies candidates who have entered the CRM organically (e.g. by applying for a job or completing a CTA). A notification can be sent to the privacy contact when these candidates are automatically anonymised by the data protection rules.
- Outbound candidates who get anonymised automatically - in this context, outbound implies candidates who have been added to the CRM via non organic methods (e.g. via a CSV import, and manually added by a recruiter). A notification can be sent to the privacy contact when these candidates are automatically anonymised by the data protection rules
- Notify company contact about candidates that perform anonymization process - Under GDPR regulations a candidate can withdraw consent at any time. As part of this “right to be forgotten,” a company can choose to have a notification sent to the company contact indicating that a candidate has gone through the “right to be forgotten” process.
- Allow candidates anonymize themselves - On Recruitment Marketing, a candidate can view and adjust their consent preferences from their “My Settings” screen at any time. Please ensure that a link to 'My Settings' is visible on your careers site; if it is not, please contact PageUp.
- Allow candidates export their data - GDPR regulations allow candidates to request their data in a "machine-readable" format. With this option enabled, you will be able to fulfil this requirement for candidates automatically. As this option lives on the candidate's "My Settings" screen, please ensure that a link to the 'My Settings' screen is visible on your careers site; if it is not, please contact PageUp.
- Notify privacy contact about:
- Click Save to keep the settings.