Data Protection Rules & Candidate Anonymization


Introduction

It’s important to be aware that under GDPR:

  • Recruitment Marketing is a data processor
  • Our customers are data controllers

Alongside being a compliant data processor, Recruitment Marketing provides the tools to allow you, as data controllers, to behave and operate in a compliant manner.

One such tool is the means to enable Candidate anonymization, which when administered effectively, can be used to protect the privacy rights of individual data subjects.

By enabling these options and making sensible choices that suit your company, Recruitment Marketing allows you to be fully compliant with GDPR, in a fully automated way. In true Recruitment Marketing fashion, the goal is compliance without adding chores or manual tasks to recruiters' schedules.

Enabling data protection rules

Recruitment Marketing's Data protection rules work in a similar way to the platform's job routing feature, that is, you can choose to apply different data protection rules to specific subsets of candidates based on their location.

  1. From the side menu, under Company click Settings.
  2. Under Web click Data protection rules.
  3. A summary of any existing data protection rules, including the default rule which is automatically included with each new company, will be listed.
  4. To edit an existing rule, click the Edit (pencil) icon, otherwise, to add a new rule, click the New button.

Configuring data protection rules

Constraints

The first step in configuring the data protection rule is to define the geographical region to which this particular rule should apply.

From the Rule type drop down, select one of the following:

  • Country: This enables a specific set of data protection rules for all candidates in a specific country. When this type is selected, you will need to select a country from the Country drop down which is shown. Additionally, if you select "United States", a Region drop down will be shown, allowing you to select either "All" or a specific US state or territory.
  • Political: This enables a specific set of data protection rules for all candidates in the European Union.
  • Continent: This enables a specific set of data protection rules for all candidates on a specific continent, for example: Europe, Asia, or North America.
  • Default: This set of data protection rules will apply to all candidates who fall outside of the rules set above. Commonly, all settings in the Default rule are left off, with rules then applied for candidates in specific countries or regions.

Note: These are listed in order of priority. For example, where rule sets for both Country AND Continent are in place, when a candidate visits from that country and continent, they will be subject to the Country rule set only.
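The priority order in the note above can be expressed as a small resolver. This is an added example, not Recruitment Marketing's own code; the rule and visitor field names, the sample rule set and the partial EU country list are all constructed for illustration.

```javascript
// Added example. Rule and visitor field names are assumptions, not the product's schema.
const PRIORITY = ["Country", "Political", "Continent", "Default"]; // order given on the page

// Constructed sample: a few EU member states, enough for the demonstration.
const EU_SAMPLE = new Set(["DE", "ES", "FR", "IE"]);

// Constructed rule set for one company.
const SAMPLE_RULES = [
  { name: "default", type: "Default" },
  { name: "europe", type: "Continent", continent: "Europe" },
  { name: "eu", type: "Political" },
  { name: "france", type: "Country", country: "FR" },
  { name: "us-all", type: "Country", country: "US", region: "All" },
  { name: "us-ca", type: "Country", country: "US", region: "CA" },
];

function matches(rule, visitor) {
  switch (rule.type) {
    case "Country":
      if (rule.country !== visitor.country) return false;
      // The Region drop down exists only for "United States"; "All" matches every state.
      return !rule.region || rule.region === "All" || rule.region === visitor.region;
    case "Political":
      return EU_SAMPLE.has(visitor.country);
    case "Continent":
      return rule.continent === visitor.continent;
    case "Default":
      return true;
    default:
      return false;
  }
}

// Walk the rule types in priority order and return the first rule that matches.
function resolveRule(rules, visitor) {
  for (const type of PRIORITY) {
    const hits = rules.filter((r) => r.type === type && matches(r, visitor));
    if (hits.length === 0) continue;
    // Assumption: a state-specific US rule beats the "All" rule; the page does not say.
    return hits.find((r) => r.region && r.region !== "All") || hits[0];
  }
  return null; // no Default rule configured
}
```

A visitor from France matches the Country, Political and Continent rules in this sample, and only the Country rule set is applied.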

Browser cookies and tracking

Next, you will need to determine the type of cookie consent that is required from the candidate when they visit the career site for the first time within the constraint applied in the first step.

Performance cookies are used to track the visitor's activities on the career site. The tracking data is used to enable enhanced career site functions such as recommended jobs, and it forms the underlying analytics data used to provide the marketing insights reporting.

If a visitor chooses to reject performance cookies, they will still be able to interact with the site, but their experience may be degraded. For example, the recommended jobs will not be tailored to their browsing behaviour.

Supported consent types are:

  • No cookie consent required: No consent is requested from the visitor, and their activity on the career site is tracked as per the other settings defined within this data protection rule.
  • Explicit cookie consent required: The visitor is prompted to grant explicit consent to allow performance cookies. The consent is requested via a modal dialog, which must be actioned prior to the visitor being able to interact with the career site content. No activity is recorded for that visitor prior to them accepting the performance cookies.
  • Implicit cookie consent: The visitor is advised of the use of performance cookies on the career site via an informational banner which appears at the bottom of the page. The banner provides visitors with the option to allow all cookies or to just allow essential cookies. The visitor is able to interact with the career site content, including navigating to other pages within the site, prior to making any specific selection. The visitor's activity on the site is tracked until such time as they explicitly disallow performance cookies by clicking the Reject performance cookies button.

Additionally, you can choose whether to Honor Do not Track signal from browsers.

Note: If a candidate has Do Not Track (DNT) enabled on their browser, this will be interpreted (in compliance with GDPR) as actively not consenting to performance (tracking) cookies. The Recruitment Marketing hosted website will operate as if consent was denied by a candidate from a cookie consent message.

Recording a candidate's location: This allows for the ability to identify a candidate's approximate location based on their IP address.

  • Always - Always record a candidate's location against their candidate events, regardless of whether they accepted performance cookies on their most recent cookie consent.
  • With their consent - Only record a candidate's location against their candidate events if they accepted performance cookies on their most recent cookie consent.
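How the consent type, the Do Not Track setting and the location setting combine for a single visitor, as an added example that is not the product's own code. The field names and string values are assumptions; `choice` is the visitor's most recent cookie selection, or `null` if they have not made one.

```javascript
// Added example; field names and string values are assumptions, not the product's API.
function trackingDecision(rule, visitor) {
  // An honoured DNT signal is handled as if the visitor had denied consent.
  const dntDenied = Boolean(rule.honorDnt && visitor.dnt);
  const choice = dntDenied ? "rejected" : visitor.choice; // "accepted" | "rejected" | null

  let trackActivity;
  let prompt = null; // which consent UI, if any, still has to be shown
  switch (rule.consentType) {
    case "none":
      // No prompt is shown; activity is tracked unless consent counts as denied.
      trackActivity = choice !== "rejected";
      break;
    case "explicit":
      // Nothing is recorded until the visitor accepts in the modal.
      trackActivity = choice === "accepted";
      if (choice === null) prompt = "modal";
      break;
    case "implicit":
      // Tracked from the first page view until the visitor rejects in the banner.
      trackActivity = choice !== "rejected";
      if (choice === null) prompt = "banner";
      break;
    default:
      throw new Error(`unknown consent type: ${rule.consentType}`);
  }

  // "always" ignores the consent state; "with_consent" needs an explicit accept.
  const recordLocation = rule.recordLocation === "always" || choice === "accepted";
  return { trackActivity, recordLocation, prompt };
}
```

Under implicit consent with location set to "With their consent", a visitor who has not yet clicked either button is tracked but has no location recorded, because no acceptance exists yet.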

Explicit cookie consent required

When this cookie consent type is selected, the following configuration options become available:

  • Candidate must click a button to close consent modal: Select this if you want to ensure that the candidate makes a definitive selection when presented with the consent modal.
  • Cookie consent text: This is the text that is shown on the GDPR compliant cookie consent message, requesting consent for the use of cookies listed at the top of this article. The content of the cookie consent message is configurable in this text field. Enter your message and be aware that as data controllers, customers are responsible for ensuring that messages are compliant with GDPR regulations. It's recommended that the cookie consent text links to your company's privacy policy, as per the example below.
  • Show cookie management options to candidates: The options available to the visitor on the cookie consent message will be different depending on the selection made here.
      • If selected, the visitor will be presented with "I accept" and "Manage cookies" options
      • If not selected, the visitor will be presented with "I accept" and "I do not accept" options

When Show cookie management options to candidates is selected, the following options become available to configure the "Cookie Management" dialog which appears when the visitor clicks on "Manage Cookies".

  • Cookie management preamble: This is an additional text which appears below the cookie consent text when the "Cookie Management" dialog is shown.
  • Strictly necessary cookie description: The text shown to describe the strictly necessary cookies can be customised here.
  • Performance cookie description: The text shown to describe the performance cookies can be customised here.

Implied cookie consent

When this cookie consent type is selected, the following configuration options become available:

  • Implied consent footer cookies preamble: This is the text that appears on the informational banner presented to the visitor at the bottom of the page.
  • Reject performance cookies button text: This is the text that appears on the button which allows the visitor to just accept strictly necessary cookies.
  • Accept cookies button text: This is the text that appears on the button which allows the visitor to accept all cookies.

Note: To display the implicit consent footer dialog all career site pages must be built with a theme using Bootstrap 5 or above.

CTA, forms & manually added candidates

This section determines how this data protection rule behaves in terms of a number of related activities.

  • Select the Hide consent fields in Calls-To-Action checkbox if necessary.
  • Display consent modal on external widget pages should be selected if appropriate.
  • Manually added candidates that match this rule should default to: This relates to email notifications, for example, email campaigns that a company might send to candidates in bulk. In this case, where a manually-added candidate matches the rules set for a GDPR-applicable country, for example, that candidate should default to "unsubscribed."

Candidate anonymisation

Finally, these settings define how candidates who fall under this data protection rule should be managed:

  • Candidate added auto anonymize policy days: This will apply to candidates who have entered into the CRM themselves, i.e. they have completed a Recruitment Marketing call-to-action. Please enter the number of days that must pass with no candidate interaction before that candidate is anonymized. We recommend a minimum period of 730 days / 2 years, because candidates tend to interact with careers content over considerable lengths of time and companies therefore need to store candidate information for some time.
  • Company added auto anonymize policy days: This will apply to candidates who have been added to the CRM by the company via manual import. For this, we recommend a period of 30 days.
  • Should honour anonymisation policies?: Should be set to "Only when a candidate has no associated ATS ids" if the customer is using the available candidate anonymisation API to manage the deletion of candidates who also exist within another system of record such as their Applicant Tracking System.
  • Notify privacy contact about:
    • Candidates who have requested anonymisation: Under GDPR regulations a candidate can withdraw consent at any time. As part of this “right to be forgotten,” a company can choose to have a notification sent to the company contact indicating that a candidate has gone through the “right to be forgotten” process.
    • Inbound candidates who get anonymised automatically: In this context, inbound implies candidates who have entered the CRM organically (e.g. by applying for a job or completing a CTA). A notification can be sent to the privacy contact when these candidates are automatically anonymised by the data protection rules.
    • Outbound candidates who get anonymised automatically: In this context, outbound implies candidates who have been added to the CRM via non-organic methods (e.g. via a CSV import, or manually added by a recruiter). A notification can be sent to the privacy contact when these candidates are automatically anonymised by the data protection rules.
  • Allow candidates anonymize themselves: On Recruitment Marketing, a candidate can view and adjust their consent preferences from their “My Settings” screen at any time. Please ensure that a link to 'My Settings' is visible on your careers site; if it is not, please contact PageUp.
  • Allow candidates export their data: GDPR regulations allow candidates to request their data in a "machine-readable" format. With this option enabled, you will be able to fulfil this requirement for candidates automatically. As this option lives on the candidate's "My Settings" screen, please ensure that a link to the 'My Settings' screen is visible on your careers site; if it is not, please contact PageUp.

Adding a manage preferences link

You can add a link to the pages of your career site to allow visitors to manage or amend their cookie preferences at a later date.

This link, which would normally be placed in the footer of the page theme, will launch the appropriate cookie preference options based on the configured data protection rule.

<p><a href="#showManageCookiesDialog" id="show_manage_cookies_dialog">Manage Cookies</a></p>

The actual text for the link can be amended to your preference, but the HREF and ID need to be included as shown above.
