- 22 May 2018
GDPR Frequently Asked Questions
We've been asked a lot of specific questions about GDPR since January.
Many of them were answered in our first GDPR blog.
That blog explained our journey to GDPR compliance over the last year.
Many of you have emailed me to say that you found that first blog useful.
Great, and thanks!
So, for the purposes of being even more helpful, I thought you might like another blog that compiles all these questions-and-answers in one place.
“What have you actually updated on the sites for GDPR?”
3. CV Visibility
We’ve made it even more clear that candidates can make their CV visible or hidden
We’ve added tick boxes and beefed up our explanatory wording to be sure we’re getting permission to:
• store a candidate's details
• send a candidate emails
• send a candidate's application to you (including wording about possible automated 'processing')
• let you browse for and find a candidate's CV in our database
5. Transparency, Help and Disclosure
• We're making it very clear candidates can edit their own account
• We’re going to send candidates email reminders about their account with us
• We’re going to remind candidates if their CV is visible
• We’ll remove CV Profiles after 5 years if they're not being used
• We’ll remove CV Profiles if someone's email stops working
“I called a candidate and they said they didn’t give Niche Jobs permission to have their CV”
Candidates are asked about this during their first application and when they register without applying.
So, it is going to be one of two factors: memory or confusion.
We are going to create more automated emails that get triggered to remind them.
So that answers the memory factor.
There is also an area of confusion that you can help us with.
We’ve discovered (because some of the candidates call us about this) what commonly causes this.
It can be caused by recruiters calling us one thing and candidates knowing us as something else.
Let me explain…
It’s really important that candidates you speak to know how you got their details.
Sure, you got it from Niche Jobs.
That’s our limited company name.
That's how you know us.
But candidates don’t browse for jobs or register with a site called “Niche Jobs”.
They know us as nurses.co.uk or socialcare.co.uk or healthjobs.co.uk or healthcarejobs.ie.
Many have not even heard of Niche Jobs.
So, when you speak to them, be sure to mention our sites. That way they won’t sound surprised about you calling!
“Do you have a Data Protection Officer?”
Yes, it’s me, Matt Farrah.
“Can you send copies of your current data protection policies for customer data?”
This is a very broad subject as this is what GDPR is about!
“Can you provide details of the processes you have in place to achieve GDPR compliance in time for 25 May 2018?”
Working with our data protection lawyer, we have:
• Updated our cookie statement
• A data breach procedure and an individual rights request procedure
• Agreed, and are implementing, new retention and sunset policies
• Updated our site to enforce clearer consents for candidates, which also clarify how their data will be used by us and third parties
• Consent for application and CV view
• A security measures statement
“Where is our data physically stored?”
The jobs you post and email addresses are stored on our Rackspace servers.
We also have email addresses and invoices for you which are stored on xero.com.
Email addresses and phone numbers are stored on our client management system, BigContacts.com.
“How do you manage data retention periods?”
We decide what is appropriate and technology will automatically remove candidate data.
“What happens to our own data at the end of the contract period?”
Do you mean the jobs you post and the email addresses of your staff?
That is up to you.
It is not visible, but your jobs are kept on our servers unless you delete them.
We also use BigContacts where we store your email address and phone number.
That way, we can stay in contact with you and know the arrangement you were on last time.
So when you are ready to use us again, one of us can pick up from where we left off!
“In what format/medium is the archived information stored and for how long before destruction?”
“Please list any 3rd party organisations you work with.”
"What action have you taken to ensure that any 3rd parties you use will be compliant with GDPR by 25 May 2018?"
Over the last 12 months, our lawyers have contacted our service providers either to make sure their own Terms and Conditions are compliant or, where these are not publicly available, to request that they be sent.
"You have CVs going back many years, that we as an agency can access. I am interested to know whether you are proactively contacting all of these candidates (some of whom definitely don’t know their details are still on there when we speak to them) to see if they are happy to still be on your database? If not what advice have you been given that means you don’t have to do this. I am sure you are as concerned as we are not to lose 000’s of candidates off of a database so wondered how this was being managed."
Until May 25th 2018 we were required to be compliant with the Data Protection Act 1998.
The consent requirements in place on the site are consistent with this.
We have always made it clear to jobseekers that they are applying for a job and given them an option to also show or hide their CV to hiring organisations.
So in that respect, not all of this is new.
The GDPR was designed to tighten up these existing data protection rules.
So, in line with that we are now giving users more control and making consent even more clear, and we are building in retention periods.
We have added a new tick box too - to make sure they are happy for us to store their information.
The site and the policy make it clear that unless they show they are actively using it, we will completely remove their profile after 5 years.
What's more, after some months, if they are not using their account, we will hide their CV from view.
Further, within that time, we'll email them to let them know about the service.
Plus, if their email 'hard bounces' their account will be removed.
Finally, as always, you can order your search results based on 'Last logged in'.
We recommend this. It will mean you can focus on those that have recently been active.
Oh, and be sure to refer to the site names - Nurses.co.uk, Socialcare.co.uk, Healthjobs.co.uk or Healthcarejobs.ie!
a) explain we will store their details
b) go into more detail about 'processing' of data that may be used by 3rd parties so that they can automate the shortlisting process
c) built in retention features
As is the case currently, whether they wish their CV to be included in the search remains optional, and they can opt in or out at any time.
“Where do we stand with regard to contacting candidates after May 25th 2018?”
You can still contact candidates after May 25th.
GDPR was not designed to stop digital recruitment in its tracks!
GDPR, instead, wants companies to make it clear what they are doing with data, provide access to that data, put processes in place for when a breach occurs and put systems in place so that data isn't stored for longer than is deemed necessary.
Candidates you see on the search have seen the consent tick box before submitting.
In line with GDPR, we've made it even clearer (clearer consent, opt-ins and wording), as well as sending reminders by email about the account details we hold for them.
"Did you make sure you emailed your mailing list to ask for their consent again?"
No. That's not a requirement of GDPR.
Although in the days leading up to May 25th I received tens of emails asking me to do this.
Frankly, they were ill-advised, as this article from The Guardian suggested.