SmartRecruiters

Compliance and GDPR Tools for Companies

Included in:
  • SmartStart
  • SmartRecruit

 

SmartRecruiters is committed to helping our customers ensure compliance with regulations. Our GDPR compliance tools provide the ability to manage candidates' personal information and consent to the use of that information for recruiting purposes. 

Introduction

SmartRecruiters' GDPR tools help companies to:

SmartRecruiters also helps companies ensure compliance by providing candidates with the tools to manage their applications, personal information and consent.

Setting up Compliance Configurations

Under “Settings > Administration > Global Compliance”, you can set up your default compliance settings, where you can control:

Candidate's right of data erasure

How you would like to manage a candidate-initiated request to delete their profile.

The second option (where the administrator reviews the request) requires that the candidate has job application(s). For instance, a candidate who only has a community application (via filling out a lead capture form) will not be able to request erasure.

Privacy Policy Sentence

The wording you would like to use when your privacy policy is displayed at the end of a job application. These options will depend on whether the customer chooses a single or separated consent approach. More on this later. The below wording is an example of single consent. 


Default and Country level policy settings

You can make changes to the below fields in your Global Compliance settings:

  1. Data Retention: how you would like to treat candidates that have either been rejected, withdrawn, removed from the job or hired

  2. Privacy Policy: adding a URL link of your company privacy policy

  3. GDPR settings: toggle to remove candidate's application if they do not provide consent within 30 days of a request.

By default, SmartRecruiters adds a default configuration ruleset to your account, and will apply these default compliance rules to jobs in any country for which you don't set up a specific configuration.  

You can also add country-specific configurations with differing privacy policies and data retention periods.


SmartRecruiters will use a job's location to determine which configuration applies to that job.

  • If you post jobs in only one country, either modify the default configuration, or just set up a new configuration for that specific country.
  • If you post jobs in more than one country, it's a good idea to set up a configuration for each country.

Kindly note that changes to the GDPR settings do not retroactively apply to consents that have already been sent to candidates. Please ensure you take the necessary steps to manage candidates accordingly based on the changes made.

Configuring candidate consent

Consent best practice recommends that separate data scopes have separate consents which allows candidates to control how their data is used in alignment with GDPR. The data scopes align with SmartRecruiters modules:

  • SmartRecruit job applications
  • SmartCRM communities and
  • SmartMessage - both SMS and WhatsApp.

Customers will select the consent approach which best meets their business needs - these are categorized as “single consent” and “separated consent”. 

Single Consent

Candidates will see a single checkbox, privacy statement and a link to the customers’ privacy policy regardless of how many data scopes (SmartRecruit, SmartCRM, SmartMessage) the customer has. When a candidate ticks the checkbox, s/he is consenting to all data scopes. It is not possible for the candidate to consent to some but not others. 

Separated Consent

Candidates will see multiple checkboxes alongside multiple privacy statements and a link to the customers’ privacy policy. The visibility of checkboxes and privacy statements will depend on which modules the customer has enabled - if a customer has SmartRecruit and SmartCRM then only those checkboxes and privacy statements will be visible.

Changing the consent model

Single consent is the default setting. 

  1. Administrator selects the Company Policy tab within the Global Compliance setting.


  2. Administrator decides whether to change the consent model. If SWITCH TO SEPARATED CONSENT is clicked, then a warning appears along with the privacy policy sentences which need to be reviewed.


  3. Administrator saves the changes. 

Obtaining candidate consent

There are four ways to obtain consent from your candidates:

  1. Default or country level privacy policy settings

    Once set up, all candidates who apply to a SmartRecruiters job ad or who fill out a Community Lead Capture Form will see a check box at the bottom to review and consent to your privacy policy. The below screenshots align to single consent.

    [Screenshots: default, when nothing is configured; with the privacy policy set up]

  2. Recruiter uploads a resume into the system

    System identifies if the candidate already exists in the system. If yes, it will pick up the same consent status as the existing candidate profile.

    If a new profile is created, then consent will be required and the recruiter will need to send the consent request to the candidate via SmartRecruiters (details below under managing candidate consent).

    This is the SmartRecruiters default template that the candidate will receive:

    For jobs with GDPR settings turned off:

    Hi [Candidate First Name] [Candidate Last Name],

    We’d like to consider you for employment at [Company name]. Your privacy is important to us, so please review our privacy policy and confirm that we may use your information for recruiting purposes.

    [Review policy]

    You can view, update, or delete your profile at any time.

    Thank you,

    [Company] Recruiting Team

    For jobs with GDPR settings turned on:

    Hi [Candidate First Name] [Candidate Last Name],

    We’d like to consider you for employment at [Company name]. Your privacy is important to us, so please review our privacy policy and confirm that we may use your information for recruiting purposes. If you do nothing, your profile will be deleted in 30 days.

    [Review policy]

    You can view, update, or delete your profile at any time.

    Thank you,

    [Company] Recruiting Team

    These templates are configurable under “Settings > Templates > Custom Consent Request”.

  3. Employee refers a candidate to a job in your company

    Referrer is asked to confirm that they have permission from the candidate to submit their information prior to submitting a referral.

    Once the referral is made, the candidate is added in the Lead status to a job, and will receive the following email:

    For jobs with GDPR settings turned off:

    Dear [Referral First Name] [Referral Last Name],

    [Referrer First Name Referrer Last Name] referred you to the position of [JobTitle] in [JobLocation] at [Company]. If you're interested in the position, you can apply by viewing the job ad here [link] and clicking "I'm Interested".

    Thank you,

    [Company] Hiring Team

    For jobs with GDPR settings turned on:

    Dear [Referral First Name] [Referral Last Name],

    [Referrer First Name Referrer Last Name] referred you to the position of [JobTitle] in [JobLocation] at [Company]. If you're interested in the position, you can apply by viewing the job ad here [link] and clicking "I'm Interested". If you do not, your information will be deleted from [Company] in 30 days.

    Thank you,

    [Company] Hiring Team

  4. Application API

    Companies and partners who have built a custom application experience using our Application API should ensure that they present candidates with the appropriate privacy policies and collect the candidate’s consent. Make sure to align the integration according to whether single or separated consent is selected in configuration. Also make sure to specify the candidate’s consent by setting the consent property to true in a POST request to the /postings/:uuid/candidates endpoint. The property is false by default.

Kindly note the retention period of each application is based on the GDPR setting used at the time the consent is sent. 

For example, if the GDPR setting is turned on when the consent is sent to the candidate, the candidate profile will still be deleted after the retention period if no consent is obtained even if the GDPR setting was changed to off within that period.

Managing Candidate Consent

Consent is stored on the candidate profile, not on each application. Recruiters can view the consent status next to the candidate’s name.


Clicking on the icon displays a modal which shows the consent statuses and the date of the pending consent request (if a consent request has been sent recently). The modal also allows the user to request a new consent if required. Doing so sends the candidate an email, which is no different from the existing feature.


Candidates who’ve applied numerous times, to different jobs at your company, will provide consent on each application. You’ll be able to see the date for the most recent record of collected consent. 

Candidates can withdraw consent from a particular company at any time.

Anyone with the permission to do so (as defined in the custom hiring team roles)  can request consent by clicking “Request Consent” on the candidate’s profile, triggering an email to be sent to the candidate.

It's important to remember that consent is associated with a candidate's profile, not their applications. If the candidate has already consented, there's no need to re-request consent when adding the candidate to another job.

Managing Candidate Response  

If the candidate accepts the consent request, this sets the date of the latest consent on their profile.  This consent date is visible to users with access to any of the applications of this candidate.

For jobs with GDPR setting turned on, if the candidate does not respond OR declines to grant consent within 30 days from the consent request date, their profile, including all applications associated with that candidate, can be removed from the system or removed from the module. The outcome depends on whether the candidate provided consent in the past. Please refer to the table in the FAQ for a breakdown. 

When a candidate’s application is deleted, the system sends notifications to the Recruiters assigned to the hiring teams of the roles where the candidate had an application. If there are no Recruiters then emails are not sent.

Find out more on the process of Automatically Removing Candidate Data.

 

FAQ 

What are the consent outcomes? Examples of consent outcomes when a recruiter manually requests consent after a candidate has applied or been manually added. The assumption is that the customer has enabled the following modules: SmartRecruit, SmartCRM and SmartMessage. 

| Scenario | Model | Consent status by module | Recruiter action | Possible candidate-driven choices | Outcomes in SmartRecruiters |
|---|---|---|---|---|---|
| 1 | Separated | Required for all | Recruiter requests consent | Leave all unchecked | Candidate profile is deleted. Recruiter and candidate receive emails. |
| 1 | Separated | Required for all | Recruiter requests consent | Check some | Profile shows a mixed status of acquired and declined with the new consent date. Where declined, profile is removed from that data scope - e.g. if consent was removed for SmartCRM then candidate is removed from all community applications |
| 1 | Separated | Required for all | Recruiter requests consent | Check all | All consent statuses show acquired with the new consent date |
| 2 | Separated | Acquired for all | Recruiter requests a new consent | Uncheck all | Candidate profile is deleted. Recruiter and candidate receive emails. |
| 2 | Separated | Acquired for all | Recruiter requests a new consent | Leave all checked | All consent statuses show acquired with the new consent date |
| 2 | Separated | Acquired for all | Recruiter requests a new consent | Uncheck some | Profile shows a mixed status of acquired and declined with the new consent date. Where declined, profile is removed from that data scope - e.g. if consent was removed for SmartRecruit the candidate is removed from all job applications |
| 3 | Single | Required | Recruiter requests consent | Accepts consent | Status is shown as acquired with the new consent date |
| 3 | Single | Required | Recruiter requests consent | Declines consent | Candidate profile is deleted. Recruiter and candidate receive emails. |
| 4 | Single | Acquired | Recruiter requests a new consent | Accepts consent | Status is shown as acquired with the new consent date |
| 4 | Single | Acquired | Recruiter requests a new consent | Declines consent | Candidate profile is deleted. Recruiter and candidate receive emails. |

Does consent related reporting reflect this feature? Not entirely. There will be additional work in Q3 on separated consent.

Does consent work with the Field Recruiting Application? Yes. While on the Field Recruiting App, the candidate needs to consent to the customers’ privacy policy as part of expressing interest. Once that is done, the candidate will receive an automated email with a link to the job ad to complete their application. At this point, the candidate will make consent choices.

What happens if the customer does not set a privacy policy? A message to that effect is displayed along with a checkbox to ensure the candidate understands the situation. The candidates’ consent status will be Required. This is because the candidate has not provided consent as the privacy policy is not visible. Where GDPR = On, the candidates' profile will not be deleted as there is no privacy policy.

Will consent status be updated in the Audit API and the activity stream? Not at this time. We plan future delights to address this.  

Why can’t an administrator change from separated consent back to single consent? Switching from single consent to separated is a one-way activity. It is not possible to switch back from separated to single. This is because once candidates start choosing separate consents (for instance SmartRecruit-Acquired, SmartCRM-Declined, SmartMessage-Declined), the system cannot know how to convert those three values back into a single consent model.

Can customers choose their own privacy statements? No. Customers will have a choice between “read and understand” and “read and agree” statements. 

Will the new consent feature work for customers who have built custom careers sites and use Candidate APIs? Yes. A customer moving to separated consent will need to update their career site UI to account for the additional checkboxes and privacy statements. It will work as it does today.   

How does SmartRecruiters treat statuses where consent has switched from single to separated? Where candidate consent has been acquired, and the customer has multiple modules enabled (SmartRecruit, SmartCRM), then after switching to separated consent the status will be displayed as SmartRecruit-Acquired, SmartCRM-Acquired.

Where candidate consent has been acquired, and the customer has a single module (SmartRecruit) and the customer then adds additional modules before switching to separated consent, then the system will assume consent has been acquired for the additional modules also. If the customer subscribes to a new data scope after switching to separated consent (e.g. by adding SmartMessage), then the consent status for all existing candidates (for that new data scope) will be displayed as Required.

What needs to happen if the customer wants to switch to separated consent, but uses the apply API to integrate with a custom careers site? Whoever is handling the integration between the custom careers site and SmartRecruiters will need to make updates to the application page in order to properly list the consent choices. There is more information HERE. For reference, these are the rules which are enforced in this scenario:

  • company is on SINGLE and apply API sends SINGLE - SINGLE is saved in SmartRecruiters.
  • company is on SINGLE and apply API sends SEPARATED - error is thrown (internally), we cannot transform SEPARATED into SINGLE, nothing is saved in SmartRecruiters.
  • company is on SEPARATED and apply API sends SINGLE - SINGLE gets transformed into RECRUIT part of SEPARATED and only this consent is saved in SmartRecruiters.
  • company is on SEPARATED and apply API sends SEPARATED - all SEPARATED parts (validated against company’s subscriptions) are saved.
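
The four rules above, modelled as an added example for integrators to test a careers-site integration against; this is not SmartRecruiters code and not the API's payload format. The function name `reconcile`, the record layout and the scope keys are hypothetical, and the sketch assumes that "validated against company's subscriptions" means unsubscribed scopes are discarded.

```python
from enum import Enum


class Model(Enum):
    SINGLE = "SINGLE"
    SEPARATED = "SEPARATED"


# Data scopes named on this page; the key strings are this sketch's own.
RECRUIT, CRM, MESSAGE = "SmartRecruit", "SmartCRM", "SmartMessage"


class ConsentModelMismatch(Exception):
    """Company is on SINGLE but SEPARATED consent was sent: nothing is saved."""


def reconcile(company_model, subscriptions, sent_model, sent):
    """Return the consent record that would be stored (hypothetical layout).

    sent is a bool for SINGLE and a {scope: bool} dict for SEPARATED.
    """
    if company_model is Model.SINGLE:
        if sent_model is Model.SEPARATED:
            # Rule 2: SEPARATED cannot be transformed into SINGLE.
            raise ConsentModelMismatch("SEPARATED sent to a SINGLE company")
        # Rule 1: SINGLE is saved as sent.
        return {"model": "SINGLE", "consent": bool(sent)}
    if sent_model is Model.SINGLE:
        # Rule 3: SINGLE becomes the recruiting part only; the other
        # scopes are not recorded by this submission.
        return {"model": "SEPARATED", "scopes": {RECRUIT: bool(sent)}}
    # Rule 4: keep the parts matching the company's subscriptions
    # (assumption: unsubscribed scopes are discarded, not rejected).
    kept = {s: bool(v) for s, v in sent.items() if s in subscriptions}
    return {"model": "SEPARATED", "scopes": kept}


if __name__ == "__main__":
    # Constructed sample: company subscribed to SmartRecruit and SmartCRM.
    subs = {RECRUIT, CRM}
    print(reconcile(Model.SEPARATED, subs, Model.SINGLE, True))
    print(reconcile(Model.SEPARATED, subs, Model.SEPARATED,
                    {RECRUIT: True, CRM: False, MESSAGE: True}))
```

The third rule is the one to watch after a switch: a careers site that keeps sending single consent records consent for the recruiting scope only.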

How can a candidate control consent after granting it? The candidate can reach out to the recruiter and the recruiter can send another consent request so that the candidate can make updates. This approach is a good one as the recruiter can advise on the implications of removing consent if that is what the candidate wants to do.

Where a consent request is manually sent to a candidate, are email reminders sent? Yes. The system reminds the individual twice to provide consent: 7 days prior to the deadline, and 48 hours prior.