On May 25, 2018, a sweeping new data protection law, the General Data Protection Regulation (or "GDPR"), was put into effect in the EU. This law regulates the collection and processing of personal data and has a significant impact on companies or offices located in the EU. For a detailed explanation of GDPR, click here.
Luckily, Greenhouse Recruiting comes ready-built with features and tools to help manage candidate data in compliance with GDPR.
Go to the Privacy & Compliance page. (Configure icon > Privacy & Compliance)
Edit your GDPR settings
The GDPR page includes several editable sections.
Data Protection Officer (DPO)
An organization that is a data controller or a data processor may be required to appoint a Data Protection Officer (DPO) as a point of contact for their organization.
If your organization is not required to appoint a DPO, you can list the person at your company who is responsible for data privacy.
For information on how to add a DPO, click here.
GDPR requires any organization that stores/uses personal data to confirm they have a valid legal basis to do so.
For information on how to edit legal basis, click here.
Data retention rules
Under GDPR, individuals have a "right to be forgotten," which means an organization must be able to delete an individual's information at that individual's request. Companies must also delete data when they no longer have a legal basis to keep it.
In Greenhouse Recruiting, you can define a "retention time" for your system's data. Then, you can notify people in your organization when a candidate has been rejected from all job applications and the retention time has passed.
Because GDPR may not affect all parts of the organization, you can also use data retention rules to include or exclude certain offices from utilizing GDPR features.
For information on how to create a data retention rule, click here.
Data collection email rules
GDPR requires that you notify candidates, prospects and referrals of your GDPR policy. When someone applies through a job post, they are usually notified of your GDPR policy on the job application itself.
If you choose to disclose GDPR information on job posts, applicants will be notified of your GDPR policy when applying to a job.
However, candidates, prospects and referrals who are entered into Greenhouse Recruiting outside of a job post (for example, as a referral, a manual addition, or an agency submission) should be sent your GDPR policy separately using data collection email rules.
For information on how to send your GDPR policy to candidates, click here.
Consent extension email
If your organization would like to extend the length of time it retains a candidate's and/or prospect's data, you will need to explicitly request this extension.
The consent extension email allows your organization to configure an email that is automatically sent to candidates and/or prospects before their data retention period expires to ask for consent.
For more information on how to create a consent extension email, click here.
If you've already sent a GDPR consent request to a candidate, and the timer for the request hasn't expired, you can resend the email to the candidate to remind them to consent or decline.
To resend a consent email, go to the candidate's profile and click Resend consent email at the top.
Disclose GDPR information on job posts
You can place a GDPR notification on all job posts by adding a custom question. To add the custom question to all jobs, it is easiest to first add the question to a single job, and make it available on all jobs through a bulk action.
For more information on how to add GDPR information to job posts, click here.
GDPR expands the rights of candidates to access their own data. Using Greenhouse Recruiting, you can quickly and efficiently report on collected candidate information using candidate packets.
For more information on creating a candidate packet, click here.
Once a packet has been set up, you can download the information for a specific candidate on their candidate profile. For more information on downloading a candidate packet, click here.
Mark a candidate as Do Not Email
Under GDPR, individuals can request that their email not be used for direct marketing purposes. To ensure that no marketing emails are sent from Greenhouse Recruiting, you can mark the candidate as Do Not Email.
Go to the candidate's profile, then find the Tools section on the right side of the page. Click the checkbox next to Do Not Email.
Delete a candidate's data
After you receive a notification that a candidate's data retention period has expired, you can delete the candidate's data in Greenhouse Recruiting. When a candidate's data has been deleted, an entry will be added to their Activity Log.