In the UK and across Europe there are some upcoming changes to the data protection and privacy laws, encompassed under the heading GDPR (General Data Protection Regulations). these changes will have an impact upon any business holding or using data stored in a database.
This article is designed to help you implement your policy and processes regarding GDPR within the Influence database. Whilst it is up to you as a business to decide how you wish to deal with GDPR, the guidance here gives some indication as to how you may want to implement some of your choices within your Influence database.
|If you are unsure about GDPR, how it affects your business or any implications, then you should seek professional advice.
There are a couple of stages that should be considered with regard to GDPR
1) How do you deal with all the existing data and get to a stage where you become compliant?
You will probably want to go through the following stages.
Review Existing Data to decide which data you would like to keep.
Delete any old or unwanted data following review.
Create and publish your polices relating to Data and Privacy.
Email the remaining people to obtain consent and "Opt-in" to your policies.
Use the responses to update their records to indicate their consent (or not).
2) How do you remain compliant going forwards?
You will probably wish to consider some of the following.
How will you record consent for individuals going forwards, including recording data receipt?
How will you manage the review period to determine if it is still applicable to keep and use this data in future?
1. Review Existing Data
The purpose of this is to determine what data you have, the value of the data and to help decide upon a strategy for deletion.
- How was the candidate data obtained?, e.g. Downloaded from Jobsite(s), Imported from Broadbean, Emailed in / Advert Response, Manually entered, Imported from other sources (e.g. spreadsheet), Converted Data (from previous database).
- From which sources was the data obtained? (particular Job boards, etc.)
- When was data last used?
- When was the candidate last Matched?
- When was the candidate CV last updated ?
- What was the date of Last Journal/communication?
- When was the 'Last modified' date of record?
- How old is the data? (i.e. When was it created/stored? What is the Registration Date)
- Has the candidate been placed into a Contract position?
- Has the person every been placed into a temporary assignment?
(i.e. Booked as a Temp Worker)
- If the candidate has been placed into a PERM position, when was this.
- You may need to keep this for a period for legal reasons.
- Are there specific documents you have historically used or created on the DOCS page to indicate that the candidate has given consent or should be kept?
- Which STATUSES do you currently use?
- Are any statuses set as Synonymous? e.g. LIVE <=> MPC
- Do you want some new statuses to indicate who has/hasn’t given consent or needs review?
Having considered some or all of the above, you will wish to identify your data using searches. You may then may wish to create GROUPS containing data you wand to delete. Some examples of useful searches can be seen HERE.
2. Purge Data
Having decided which data you wish to remove, you will need to implement that removal using the tools within the database.
- Backup. If you host your own database server, then ensure you have a suitable system backup strategy before commencing any mass purge of data to ensure you can roll-back if necessary. You may wish to liaise with your IT provider on this.
- Mark Records for Deletion
- Mass Delete Records by Status
- Mass Delete record by Owner
- On-Disc deletion of documents
- Removal of other personal data (not within database)
- Manual review and delete process.
- Run the Candidate Duplication List report to find/remove database records.
For more information about deleting records from the database, including deleting records by Status or by Owner, click HERE.
For addition information about the Candidate Duplication list, click HERE.
3. Partition Remaining Data using Status
Once you have purged your data, you will now need to decide how to manage the remaining data and indicate which candidate have given consent/permission and which still need to be contacted.
Having cleaned up your database and removed old or unwanted records you will have a smaller database of 'useful' data left. You may now want to separate that to indicate (easily) those who have been contacted and explicitly given consent, and those who have not. The ideal way to do this is with Status.
1) Decide upon some Statuses you wish to use.
e.g. You might decide to use a status "UNCN" (Un-consented) to indicate all candidate for whom you have not yet received consent.
2) You may then wish to build a GROUP of existing candidates.
3) From the Group of all existing candidates you could remove any PLACED candidates or any candidates who had been booked as a TEMP or as a contractor.
4) This would leave you with a group of candidates for whom you may wish to set the Status.
5) Finally you may wish to change the default settings in your system so that in future, all new candidates get added at the status of UNC (un-consented) when first added to the system.
For details about how to add new Candidate Status codes, see HERE.
For information about changing the 'default' Status for new candidates, see HERE.
For information about setting the Status for a Group of candidates, see HERE.
4. Create Policies
You can use the Policy Manager to create details of policies which you have. Policies can be simple documents or links which you may wish to send or can be items for which you need to obtain consent and record whether someone has opted IN or OUT.
Decide upon the policies you wish to have. (You may wish to seek professional advice on this with regard to what you need for GDPR)
Add these policies to the system using the Policy Manager, and indicate which of these require consent (Opt IN/OUT)
Some policies may be used to trigger a status change upon opting IN/OUT.
For more information about creating Policies and how to use the Policy Manger, see HERE.
For information on using a Policy to amend the Status of a candidate, see HERE.
5. Emailing and Obtaining Consent
At this stage you may wish to communicate with the remaining candidates on the database to inform them about your new policies, and to obtain their consent (Opt IN/OUT) to use and store their data.
Thing you may wish to think about or consider are:-
- Creating email Templates, including details of existing policies.
Templates can contain details of Policies and/or links to web sites.
-Using Groups to manage batches of candidates you wish to communicate with.
- Using the Macro manager to send batches of emails.
- Adding candidate to a 'Policy Group' to easily see who has been asked.
For an overview of the above process, click HERE.
For more information about templates and emails, click HERE, and for a specific example of a GDPR opt-in template showing merge fields, see HERE.
For more information about Groups (generally) click HERE.
6. Managing Responses
Having contacted your remaining candidates, you will (hopefully) receive responses indicating whether or not they wish to remain on your database and grant you permission to hold and use their data. You will need to decide how to handle those responses and record them in the database.
Some points you may wish to consider are:-
- Do you wish to handle responses Individually (Drag/drop email into system onto Data Protection Manager (Padlock)).
- Are you going to mass import or drag/drop batches of emails into the system to store, them? If so you may be able to search using the Journals workbench if all the responses have a unique piece of text in the Subject or body of the email.
- If you have already received responses you may be able to search for candidates from the [Candidates] workbench to identify groups of candidates who have (or have not) opted in. If you can identify these people and build a GROUP, then it is possible (on newer systems) to use the Group and set the Status and Opt In/Out for these people.
For a more detailed description of how to handle responses, click HERE.
7. Remaining Compliant (ongoing)
Once you have updated your existing database and recorded, you will want to remain compliant when adding new candidates to the system. It would be beneficial for you to determine a process which your staff should follow whenever they add a new record to ensure that the relevant information regarding GDPR and consent is recorded at the time that they are added to the database. This could involve a combination of using the STATUS as well as recording enquiry sources, and setting review dates for future.
Things you may wish to consider are:
- What status should be assigned to new records when they are FIRST added to the database?
- Setting the system to send a 'Welcome' email to all new candidates added so that they can respond indicating their consent.
- How you are going to record these new consent replies - individually or in batches?
- Using the Consent Centre to record which communication methods should be allowed for this candidate.
- Recording a Review Date - and then using the workbench to search for this.
- Creating GROUPS of people who require review and using the macro manager to contact them.
- You may want to change their status back to some other value “until they have responded”
For more information about remaining compliant, click HERE.
For information about using Groups to set Status or values, click HERE.