How to source candidates in a GDPR-compliant way with Workable
The General Data Protection Regulation (GDPR) is the new European data protection law and it applies to all organisations that process the data of EU residents. To protect people’s privacy, GDPR places restrictions on how you can collect and process personal data.
What does GDPR mean for recruiters?
By default, the recruiting process relies on processing candidate data, which means that your organisation will need to comply with GDPR. One of the toughest tasks is to make sure the way you source passive candidates is compliant. But this doesn’t mean that you need to stop sourcing, just that you should make some changes to satisfy the GDPR requirements.
Workable itself is a GDPR-compliant vendor. In addition, it provides tools to help with your own compliance. Our GDPR-related features include support for sourcing and the automation of certain tasks, like deleting old candidate data. For sourcing specifically, here’s a breakdown of the features available:
- A template to help you create an effective recruitment Privacy Notice.
- A footer, automatically added to every sourcing email, linking to your Privacy Notice.
- A setting to send an automated bulk email with your Privacy Notice to existing candidates (sourced before the GDPR came into effect).
- A setting to auto-delete the profiles of sourced candidates who haven’t been contacted within a month.
Want to learn how Workable helps your entire recruiting process stay compliant? Get a demo to explore our full GDPR feature pack with functions like candidate consent requests and ways to action the ‘right to erasure’.
How do our GDPR features for sourcing work? Here’s a closer look:
Turn on GDPR settings
Once activated, our GDPR features run by default across your account. Set them up quickly and easily by sliding a single button to ‘On’:
Then, you’ll be able to set a few parameters for auto-deletion and craft your own Privacy Notice.
Privacy Notice template
GDPR places great importance on transparency: organisations must tell people why and how they process their personal data, as well as provide easy instructions for people to exercise their rights under GDPR. You can provide all the required information with a Privacy Notice. If you have one written specifically for your company, upload it to Workable and it will be included in every email, whenever you communicate with candidates. If your organisation doesn’t already have one, no problem. A template is provided by Workable, ready for you to customize.
When you switch on the GDPR features, the first thing you’ll be asked to do is establish the details for your own Privacy Notice:
Fill out the fields to generate a Privacy Notice for your organisation. If you already have one, use the option at the top right “I want to use our existing Privacy Notice.” You’ll be asked to verify that you’re happy with your own document and that it’s legally compliant.
Once you set up your Privacy Notice via the Workable template, you can preview it. Here’s what a sample looks like:
You’ll see your notice included in the first email that candidates receive from you – both when they apply and when they’re sourced. For example, a job applicant will receive an automatic “thank you for applying” email that contains a link to this Privacy Notice.
Sourcing email footer
Your Privacy Notice should be sent to all EU candidates on first contact. Candidates who apply to your jobs will receive an automatic email confirming their application. This includes the Privacy Notice as standard.
But sourced candidates follow a different path. They don’t initiate contact with your organisation, so they won’t automatically receive the email with your company’s processing information. This means that you should include your Privacy Notice in your first sourcing emails. Workable helps you do that by automatically including a footer linking to your Privacy Notice when you first start writing an email to the candidate. This helps ensure you’re sending the right information to candidates from the outset, minimising the possibility of error or omission.
Keep in mind that GDPR lets you store sourced candidate data for only a month without contact. If you keep this data longer than that, you risk getting a fine. That’s why Workable has built data retention settings.
Data retention
The data retention options play a big part in compliance. Under GDPR, you can’t process candidate data indefinitely. You must also delete candidate data if you haven’t provided your Privacy Notice to the candidate within a month of sourcing their details. But if you’re sourcing multiple candidates, how can you remember to delete their information from your database when the legal period has passed? And how can you stay compliant without losing a huge amount of time manually deleting every candidate?
Workable’s data retention options tackle these issues. There are two sections that you’ll be asked to set up after you’ve created your Privacy Notice:
First, you’ll be able to set the length of time your organization would like to store candidate profiles. Next, you’ll be able to exclude active profiles from automatic deletion. This means that candidates in active jobs and your Talent Pool will not be deleted automatically if there has been any recent activity—like comments, emails or evaluations. You can set the period of time for exclusion.
By turning on the first data retention option, you enable Workable to delete old candidate data automatically. What ‘old’ means is up to you; you’re able to set a specific number of months (which should ideally be less than a year):
This is a way to clean up your candidate database, removing old sourced candidate profiles (and profiles of candidates who applied a long time ago). If there’s been no recent contact, Workable will automatically delete them to help you remain compliant without any time lost on your part.
You can also enable Workable to delete candidates if they stay in your database for more than a month without receiving your Privacy Notice:
This helps you avoid storing candidate data for longer than the legal period. If you want to keep processing the data of a candidate you sourced, send them your first sourcing email (with the automatic privacy footer) within a month.
Automated bulk email with processing information
Once you turn on your data retention settings, Workable will show you an overview of your candidate database. If you’re new to Workable, then there will be very few candidates that will be affected by the deletion settings. If you’ve been using Workable for some time, then you will have more candidates in your database who will be affected straight away.
This shows how many candidates in your database will be deleted. Also, you can see how many haven’t yet received your Privacy Notice. If you click on “Email them with a link to the new Privacy Notice”, these new candidates receive an automatic email containing your processing information (and can, therefore, remain in your database until they become ‘old’ based on your settings).
Once you’ve turned on the GDPR settings, save the changes and you’re good to go. Our GDPR features will run by default and help you remain compliant when sourcing and recruiting candidates. Your reporting won’t be affected by automatic candidate deletion. This way, Workable provides you with the tools to manage and monitor your recruiting function while minimising the burden of GDPR compliance.