GDPR: What it Means For Your Candidate Data & Processes

As you may be aware, data protection has now changed. As the Employer (Data Controller) you probably have questions surrounding how Flat Fee Recruiter (Data Processor) is going to process your candidate data under your instructions and in line with the new regulations.

Flat Fee Recruiter has always focused on candidate data being safeguarded and compliant with all UK and European laws and, in light of GDPR, Flat Fee Recruiter will ensure that all the candidate’s data (Data Subject) will be treated according to the new law.

Whilst Flat Fee Recruiter will ensure that candidate data is processed in line with GDPR, as the employer, your responsibilities for controlling the candidate data through your own recruitment processes will probably require additional statements and policies, especially if you take data out of the FFATS environment. Other key triggers to prompt internal review could be if your company collects any additional information (i.e. reference details, background checks or data that is particularly sensitive), conducts DBS / credit checks, transfers data, keeps data for longer than 3 months or shares data with a third party (departments or companies).

The changes outlined below only refer to candidate data obtained after this date. All historic candidate data will be deleted by the 31st December 2018.

There will be a few minor changes to the way that we do things to ensure Flat Fee Recruiter complies and protects the candidate’s data. To ensure that you understand what these changes will mean to the candidates we attract and process for you, we have put together the following information. It may seem a bit complicated, but please rest assured that we have balanced the process to ensure that you (Client) remain in control, within the law and still retain the volume and quality of applicants you expect.

If you have any further questions, then please get in touch.

Contents:

1. What Personal Data Are We Collecting
2. How We Process the Candidate Applications
   2.1 Legal Basis: Legitimate Interest (Email Application)
   2.2 Legal Basis: Consent Only (Direct Apply)
   2.3 Where Flat Fee Recruiter Does Not Process the Data (External URL)
3. How GDPR Affects Branded Advertising Solutions
4. How GDPR Affects Companies Who Have a FFATS Licence
5. Rights of Access, Rectification, Erasure and Restriction
6. Automated Decision-making
7. Location of Data
8. Notification of Personal Data Breaches
9. Security Measures
10. Summary of Key Changes to FFATS
11. Recommendations for You
12. Our Rights

What You Need to Know:

1. What Personal Data Are We Collecting?

Personal data is information that can identify a data subject (the candidate). Flat Fee Recruiter collects data from candidates including (but not limited to): name, address, phone, email address, work history, education & qualifications. We collect this data in the form of CVs and fields completed by candidates while completing their application. We do not request or collect special category data.

The Recruitment site will also collect anonymous technical data from candidates based on cookies.

2. How We Process the Candidate Applications

There are 3 ways we can receive applications from candidates. However, there is only one way to receive applications per vacancy. At the time of placing your advert, your account manager will discuss and recommend the most appropriate method and legal basis for receiving applications to your vacancy. We have outlined these three methods so that you can also control those decisions.

2.1 Legal Basis: Legitimate Interest (Email Application)

When we receive CVs into the FFATS system for each vacancy advertised, you can process the application on a legitimate interest legal basis. These candidates will be identified on your dashboard. All applications received under this legal basis will be automatically deleted 3 months after the vacancy closes.

To ensure that the candidate knows which third party (our client) will be reviewing their CV, the automatic email that the candidate receives will clearly state your company name and the job that they have applied for. The email will also highlight how we are processing and storing their data and how they can log into the system to remove their consent and their application (please request if you want a copy of this email).

When the candidate logs in to their account we will share your identity again. Please see the Flat Fee Recruiter Candidate Privacy Statement and where your company name would be inserted.
If the applicant gives explicit consent by choosing “yes”, they will move to the new “GDPR Compliant Stage” on your dashboard. If the applicant doesn’t give explicit consent to processing their application, by choosing “no”, their details will be automatically deleted immediately.

2.2 Legal Basis: Consent Only (Direct Apply)

This is where the candidate is sent directly to the FFATS system as they apply for a vacancy from a job board or other internet source.

This legal basis means that you and Flat Fee Recruiter must have explicit consent from the candidate before you can process their application. There is no record of that candidate in the FFATS system without explicit consent. Your company name as a third party will be inserted into the Flat Fee Recruiter Candidate Privacy Statement.

2.3 Flat Fee Recruiter Does Not Process The Data (External URL)

Some of you will already get applications direct to your own recruitment systems; there is no change to how Flat Fee Recruiter services this. It will be down to your own company policies and procedures to make sure that your data is being managed and controlled in line with GDPR.

When the candidate clicks apply from an advert on a job board site, no candidate data is transferred to Flat Fee Recruiter.

We would recommend that, if you are using online application forms or storing candidate data locally, you make enquiries as to how secure these processes are to ensure you are not at risk of a data breach.

3. How GDPR Affects Branded Advertising Solutions

All data obtained from candidates with our standard non-branded solutions is processed as above in point 2. There are slight variations with our branded solutions, as they give you a bit more flexibility on how long you can store their data and whether you can use this data across other parts of your business.
In addition to the standard advertising option of consent to “process their application for the vacancy they have applied for”, the FFR branded products offer further options that the candidate can consent to:

1. Whether you (the employer) can consider them for any other roles in your business
2. The right to keep their data for up to 2 years

4. How GDPR Affects Companies Who Have a FFATS Licence

All our standard and branded advertising solutions come with the free FFATS system. All the information in this document is related to this level of service.

If you subscribe to FFATS you will be paying a monthly subscription and we will already be in consultation with you about integrating GDPR into your recruitment processes. This means that some of the information in this document may be slightly different as it will be tailored to your company.

If you have any questions about your FFATS licence or what this means to your day to day operations, then please get in touch with Flat Fee Recruiter.

If you don’t have a FFATS licence but would like a demo or further information about how this would work for your company, please get in touch.

5. Rights of Access, Rectification, Erasure and Restriction

Under the new regulations, candidates have the right to obtain confirmation from their employer as to whether the employer is processing personal data relating to them. If the employer does process the individual’s personal data, it must provide them access to the data, including a copy of the personal information.

All candidates that are in the FFATS system receive an email with log in details so that they can access their account. Once they are logged in, they can see what data Flat Fee Recruiter and the named third party (Client) are processing and how they can remove their data.
The email they receive from the system and the Privacy Statement also cover:

• The reason why we are processing their data
• The category of data we collect
• Details of who will be able to access the data
• How long we will keep the data
• How they can request rectification, erasure or restriction of the processing
• How to object to the processing and the right to lodge a complaint with the ICO [Information Commissioner’s Office]

6. Automated Decision-making

Under the GDPR, individuals have a right not to be subject to decisions based solely on automated data processing if the decisions produce legal effects on the individual or significantly affect them (Article 22(1) and Recital 71). An example of this is where an online recruitment system automatically rejects candidates based on their response.

Flat Fee Recruiter has the option to include “Killer Questions” as the candidate completes their application, which you may have used. The option to include questions will still be available, as the FFATS system is not automatically rejecting candidates based on these answers. The candidates are still there for you to review and the question is intended to help you filter the response rather than automatically disqualify candidates.

7. Location of Data

We take security very seriously at Flat Fee Recruiter and already have third-party secure data systems in place. These secure data facilities are fully compliant with GDPR; they are based in London (off-site) and are manned 24/7. Please ask if you would like more details.

8. Notification of Personal Data Breaches

In the event of a data breach, Flat Fee Recruiter will inform you without undue delay. In any event, it will be no more than seventy-two hours from when we become aware of the breach. We will also communicate sufficient information to you so that you can meet your obligations to the ICO in line with GDPR.

9. Security Measures

• All passwords are encrypted and the FFATS system will automatically lock out after 15 minutes idle. The system also locks out after 3 failed login attempts.
• The data centre has a very high level of security and can detect any unusual activity or threats. It will take appropriate measures to protect the data.
• Flat Fee Recruiter imposes strict access control rights to this data and only you and the appropriate staff members of Flat Fee Recruiter can access candidate data that has been obtained by your online recruitment advertisement, in line with our terms of business.
• Furthermore, Flat Fee Recruiter employees cannot download CVs or store any personal data locally on their computers or take information off-site, or transfer data outside of the European Economic Area unless prior written consent of the client has been obtained.
• All staff at Flat Fee Recruiter are fully trained on GDPR and aware of the implications and how it affects your service. All training records on GDPR and the procedure for data breaches are recorded and maintained.

10. Summary of Key Changes to FFATS

• One of the biggest changes to FFATS will be in disabling the “download a CV” function. We have a legal obligation to ensure that all data processing complies with the GDPR guidelines and we must ensure the safeguarding of this data.
• Candidates will be given the option to consent to a GDPR Privacy Statement at the point of application or when they log in to complete their application. This information will be available to them from the FFATS system and your company name as the third party will be visible at this point.
• You will be able to identify whether you have gained consent for the right to process their application from candidates on the updated FFATS dashboard.
• Candidates will be automatically deleted according to the type of advertising or GDPR statements they have consented to - you don’t have to do anything.
• Before we post a vacancy, we will do all that we can to discuss your options (Email Application or Direct Apply). If we do not have the opportunity to do this, we will default to the Email Application method.

11. Recommendations for You

• If you or your hiring managers are downloading, storing or collating CVs from other sources, we encourage you to review your policies and procedures considering the new legislation, to ensure that you are not at risk of a data breach and that all candidate data that you store is GDPR compliant.
• You can access our webinar recording here to get more info on GDPR and recruitment.
• We will be running FFATS training sessions in June 2018 to help you and your hiring managers get the most from the platform. In the meantime, if you need help then please just get in touch and we are more than happy to help.
• A branded careers page or FFATS licence can enable you to: advertise all your jobs on your website and other free sources (regardless of whether you want them on the job boards), set up unlimited hiring managers, store data for longer and re-use candidate data across other jobs or departments in your business, and give you full control over ALL your recruitment and candidate data. Please speak to the team if you would like a demo of what this would look like.

12. Our Rights

Every attempt has been made, and relevant assessments and legal advice have been obtained, to ensure that the way we intend to operate after 25th May 2018 is correct. However, as with everything associated with GDPR, there are various interpretations of the law and case law will proceed. To ensure that our clients and Flat Fee Recruiter are operating within the law, these processes will be reviewed and changed when necessary.

As a Data Controller of the recruitment data, we strongly advise that you and your company are up to date on how these changes will affect your policies, statements and processes.
The ICO website and helpline are a great resource to keep up to date:

We will be updating this web page with any changes when they happen and, whilst we will do our best to inform you of these changes by email and via the FFATS system, we recommend that you bookmark or make a note of this webpage to ensure you remain up to date with any developments and how they affect you and your recruitment processes with Flat Fee Recruiter.

If you want further information about how Flat Fee Recruiter will be working with our clients to ensure that the processing of the Protected Data is in accordance with the Data Protection Law, please get in touch.