On May 25, 2018, a new sweeping data protection law (General Data Protection Regulation, or GDPR) was put into effect in the EU. This law places regulation on the collecting and processing of personal data, and has a significant impact on companies or offices located in the EU. Click here for a more in depth explanation of GDPR.
Luckily, Greenhouse Recruiting comes ready-built with features and tools to help manage candidate data.
GDPR features are available to all Greenhouse Recruiting customers. However, some of the customization must be configured by Site Admins. Most configuration is completed on the Privacy and Compliance section of the Configure page.
Additionally, we recommend seeking legal advice when configuring these settings, as GDPR may affect specific organizations differently.
See the following sections for more information:
For a list of all GDPR topics, click this link.
Configure legal basis for GDPR
Part of your organization setup requires selecting your data retention policy as it relates to candidates and prospects. This setting can be updated under the Privacy and Compliance section of the Configure page.
See this topic for more information.
Appoint a Data Protection Officer (DPO)
An organization who is a data controller or a data processor may be required to appoint a Data Protection Officer (DPO) as a point of contact for their organization.
A DPO can be defined in two different ways:
- Opening the user's account in Account Settings.
- In the Privacy and Compliance section of the Configure page.
If your organization is not required to appoint a DPO, you can list the individual at your company responsible for data privacy.
Click here for a more in depth explanation of the Data Protection Officer.
Choosing a new Data Protection Officer
If a user is marked as the DPO for the organization, their account cannot be deactivated. If you need to deactivate the employee's account, you must appoint a new DPO before their account can be deactivated.
Select GDPR Compliant Offices
Because GDPR may not affect all parts of the organization, you can choose to deactivate the features in certain offices that may be outside the EU.
When an office is not marked as a GDPR office, the features in this article won't be available. However, the do not email and candidate packets features are available in all organizations, regardless of GDPR status.
You can select your GDPR offices under the Configure gear icon, then click Privacy and Compliance on the left. Click Offices that Need to Comply to GDPR.
Configure data retention rules
Under GDPR, individuals have a "right to be forgotten," which means an organization must be able to delete their information at their request. Additionally, companies must also delete data when they no longer have a legal basis to keep it. In this case, a "legal basis" means the data is no longer necessary for the organization's legitimate business interested.
In Greenhouse Recruiting, you can define a "retention time" for your system's data. Then, you can have members of your organization be notified when a candidate has been rejected from all job applications and notified when a candidate has been rejected from all job applications and the retention time has passed.
Choose the data to be deleted
You can choose the parts of the candidate's profile and define the retention time under the Configure menu. (Configure > Privacy and Compliance > Delete Candidates' Personal Data.)
When you toggle this setting on, select the checkboxes to choose which data to flag.
Click here for more information on setting up your data retention rules.
Receive data retention notifications
When a candidate has been rejected from all jobs in Greenhouse Recruiting and the data retention period has passed, the selected users will be notified that a candidate's personal data can be deleted. This deletion does not occur automatically, and must be completed by a user.
A candidate's data retention period will be reset if they are converted to a prospect.
Delete a candidate's data
After you receive a notification, you can delete the data under the Notifications menu. When a candidate's data has been deleted, an entry will be added to their Activity Log.
Configure GDPR Notifications on job posts
You can place a GDPR notification on all job posts by adding a custom question. To add the custom question to all jobs, it is easiest to first add the question to a single job, and make it available on all jobs through a bulk action.
Click here for more information on configuring these questions.
Configure GDPR email notifications for non-job board candidates
If a candidate, prospect, or referrals were entered into Greenhouse Recruiting outside of a job post (such as a referral process, a manual addition, or an agency submission), they will not have the opportunity to review the GDPR notification in the job post. The Email GDPR Information feature allows you to email notification to individuals added to your account outside of a job post.
You can configure this email template on the the Privacy and Compliance section of the Configure page. Click here for more information.
Configure and download Candidate Packets
GDPR increases the rights of candidates to have access to their own data. Using Greenhouse Recruiting, you can quickly and efficiently product candidate information using candidate packets.
Candidate packets can be initially configured on the Configure page. See this topic for more information on configuring these packets.
Once a packet has been setup, you can download the information for a specific candidate on their candidate profile. Click here for more information on downloading candidate packets.
Resend consent email
For organizations using the Explicit Consent legal basis, it's possible to resend a GDPR consent request email to a candidate. Resending GDPR consent request emails can serve to remind candidates to review your organization's GDPR policy and to consent or decline an active consent request.
Provided the following is true, you can resend a consent email to a candidate:
- The organization's GDPR is set to Explicit Consent legal basis.
- The candidate has an active GDPR consent request, meaning a request has been sent and the timer for that request has not yet expired.
- The candidate has a valid email address.
To resend a consent email, navigate to the candidate profile and click Resend consent email at the top.
Mark a candidate as Do Not Email
Under GDPR, individuals can request that their email not be used for direct marketing purposes. To ensure that no marketing emails are sent from Greenhouse Recruiting, you can mark the candidate as Do Not Email on their candidate profile.