Introduction
As a recruiter, you benefit from saving information about (potential) candidates. At the same time, you want to handle personal data with care and of course comply with the law. OTYS has developed an automated GDPR functionality to ensure that you have as little to worry about in daily practice as possible. This functionality is available by default in every OTYS GO! environment. Whether you activate this or, for example, already use another method outside OTYS, each client can decide for themselves. If you are going to work with our GDPR functionality, you can make a number of choices to match the operation to your procedures and working method.
General
The concept of the automated GDPR functionality is that every candidate will get a ‘GDPR anonymizing date’, also called ‘due date’. At this date, the candidate will be anonymized; you will no longer see them as a candidate in the database. Their details are deleted; only statistics are kept. This way you will for example still be able to see the number of applicants, even if some of them are anonymized. This date is shown in the GDPR button at the top of the candidate detail. The following rules influence the GDPR due date:
Does the candidate have a status that excludes the candidate from the GDPR flow?
Yes? A candidate status can have one of two ‘GDPR modes’:
GDPR mode ‘delete immediately’: the candidate will be deleted the following night. This automation does not take into account any other variables; the candidate will not receive any GDPR mails and will be anonymized.
Example: a status for candidates that do not match the target group in any way. You don’t want to ask them if they want to stay in your database, because you will never have matching opportunities.
GDPR mode ‘Keep’: the candidate will not get a due date, will not be anonymized and does not receive GDPR e-mails as long as it has a status with this mode.
Example: employees; you do not want to periodically ask if you can keep them in your system because you are legally required to do so.
No? The due date will be calculated, depending on active procedures and permission.
Is the candidate currently in an active procedure?
Yes? The due date will not be set; the GDPR flow is put on hold until all procedures for this candidate have reached an end-status (see configuration).
No? The due date will be calculated based on permission.
Did the candidate give permission to keep their data for the longer period?
Yes? The due date will be calculated based on the number of months in setting SE2999
No? The due date will be calculated based on the number of days in setting SE2997
Dependencies
Website or ‘hosted page’: A webpage where a candidate can confirm/deny permission is part of the functionality. A common solution is a ‘hosted page’, a basic page connected to the OTYS system with logo and styling that match the Corporate Identity.
E-mail: Automated e-mails are part of the functionality. Your OTYS Go! system needs to be able to send e-mails in your name. This is probably already part of your basic setup.
Checklist: Getting started with GDPR
We advise working in the following order. Take some time for point 5, checking the current database, when you activate the GDPR functionality for an active database.
1. Define the periods you want to use
What is the ‘long term’ in months for candidates who give permission?
What is the ‘short term’ in days for candidates who have not yet given permission?
How many days before the due date will you ask for renewal? How many days between reminders?
How many days before the due date will the key-users get a notification?
See Activation for settings.
2. Which candidates should be excluded from the GDPR flow?
Candidates can be excluded from the automated flow based on Candidate status, see Configuration.
3. What procedure statuses indicate that a procedure has ended?
Candidates with active procedures will not receive automated mails and will not be anonymized, see Configuration.
4. Do you want to fine-tune the email templates?
See Configuration.
5. Check your current database
Do all candidates have the correct status? See point 2.
Do all procedures have the correct status? See point 3.
Are there candidates without an email address? Candidates without an email address will not receive the automated emails; they will not be able to give permission and therefore be removed.
Do you have candidates that you have not been in contact with for a very long time? Do you want to take any actions before they receive the automated mailings?
6. Activate the main settings
Everything ready? Now you can activate the main settings: GDPR - Enable for client (SE2995) and GDPR - Enable automated permission emails (SE3005).
Activation
This is an overview of available settings. Some are mandatory for the functionality to work, others are optional. See also ‘Configuration’ for additional setup.
Mandatory settings
GDPR - Enable for client (SE2995)
This is the main ‘switch’ to activate the functionality. We advise first making your choices for the other settings before activating.
GDPR - Number of days for saving candidate data before approval (SE2997)
This is the number of days a candidate will be kept if they did not (yet) give their approval.
Example: when a candidate is added manually, maybe based on a LinkedIn search, this gives the recruiter time to contact the candidate before automated messages are sent or the candidate is deleted.
GDPR - Number of days before sending renewal email (SE2998)
The number of days between the mail that asks for renewal of permission and the calculated due date.
GDPR - Number of months for saving candidate data after approval (SE2999)
When a candidate has given permission, the due date will be calculated using the selected number of months.
GDPR - Interval in days for sending reminder email (SE3000)
Between the first renewal mail and the due date there will be reminder mails. This is the number of days between those reminder mails.
GDPR - Ask permission question for candidate question sets (SE3004)
This will add the GDPR question to candidate question sets to show it in application forms.
GDPR - Enable automated permission emails (SE3005)
This activates the emails. Note: this setting should be used together with ‘GDPR - Enable for client’; it is not made to be used (enabled or disabled) separately.
GDPR - Send Key-user notification email x days before deletion (SE3009)
Key users receive emails with a list of candidates with a due date this number of days from today. The idea is to give the option to manually check if there are any candidates you really don’t want to lose so you can contact them etc.
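The due-date rules from the General section, combined with the periods set in SE2997, SE2998, SE2999 and SE3000, as an added example (not OTYS code). The setting values, the function names, the reference date the period is counted from and the end-of-month handling are assumptions; the page does not specify them.

```python
import calendar
from datetime import date, timedelta

# Constructed sample values; the page names the settings but gives no defaults.
SETTINGS = {"SE2997": 30, "SE2998": 28, "SE2999": 12, "SE3000": 7}

def add_months(d, months):
    """Add calendar months, clamping to the last day of a shorter month (assumption)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def gdpr_outcome(status_mode, active_procedures, permission, reference, settings=SETTINGS):
    """Return (outcome, due_date), asking the three questions in the documented order.

    status_mode: 'delete', 'keep' or None (candidate status has no GDPR mode).
    reference:   date the period is counted from (assumed; the page does not say).
    """
    if status_mode == "delete":      # deleted the following night, no GDPR mails
        return ("delete_immediately", None)
    if status_mode == "keep":        # no due date, no mails, not anonymized
        return ("keep", None)
    if active_procedures > 0:        # flow on hold until all procedures have ended
        return ("on_hold", None)
    if permission:                   # long period, in months (SE2999)
        return ("due", add_months(reference, settings["SE2999"]))
    # short period, in days (SE2997)
    return ("due", reference + timedelta(days=settings["SE2997"]))

def mail_schedule(due, settings=SETTINGS):
    """Renewal mail SE2998 days before the due date, then a reminder every SE3000 days."""
    day = due - timedelta(days=settings["SE2998"])
    dates = []
    while day < due:
        dates.append(day)
        day += timedelta(days=settings["SE3000"])
    return dates
```

Running candidate records from an export through a function like this before enabling SE2995 shows which candidates would get a near-term due date, which is the database check the checklist asks for.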
Optional settings
GDPR - Require confirmation for killer question application forms (SE3010)
Killer questions can be used to automatically reject candidates during application; they will not be saved to the database. If such questions are used, this setting can be activated to notify the applicant.
GDPR - Ask permission question for candidate question sets open entry (SE3348)
By default the GDPR question is not shown in an ‘open entry’ question set; the whole idea of an open application is to be added to the database for possible matches, so we assume permission is given implicitly. Activate this setting to show the question in open entry question sets.
GDPR - Hide 'Send permission email'-button in GDPR modal (SE3351)
Behind the GDPR button in the candidate detail, you find some additional options. This setting is to hide the ‘send permission email’ button, that can be used to manually trigger a GDPR permission email. This is a client/user setting, that makes it possible to set a standard on client level and make exceptions per user.
GDPR - Hide 'Due date'-date select in GDPR modal (SE3352)
Behind the GDPR button in the candidate detail, you find some additional options. This setting is to hide the ‘due date-select’ button, that can be used to manually set a due date for that candidate. This is a client/user setting, that makes it possible to set a standard on client level and make exceptions per user.
GDPR - Hide 'Send candidate data'-button in GDPR modal (SE335)
Behind the GDPR button in the candidate detail, you find some additional options. This setting is to hide the ‘send candidate data’ button, that can be used to send the candidate an email with their personal data if they request this. This is a client/user setting, that makes it possible to set a standard on client level and make exceptions per user.
GDPR - Hide 'Export GDPR activity log'-button in GDPR modal (SE3354)
Behind the GDPR button in the candidate detail, you find some additional options. This setting is to hide the ‘Export GDPR activity log’ button, that can be used to download a log that shows a.o. when permission was given or when a due date was changed. This is a client/user setting, that makes it possible to set a standard on client level and make exceptions per user.
GDPR - Hide 'Info'-button in GDPR modal (SE3355)
Behind the GDPR button in the candidate detail, you find some additional options. This setting is to hide the ‘info’ button, that can be used to show a summary of the GDPR situation for that candidate, for example if they currently receive GDPR mails. This is a client/user setting, that makes it possible to set a standard on client level and make exceptions per user.
GDPR - Send notification email to user (SE3434)
By default the email notification with candidates that will soon be anonymized is sent to all key users. Use this user setting to select one or more specific users that should receive this notification instead.
Configuration
In addition to the client and user settings mentioned under Activation, you will find some GDPR-related configuration options in other locations:
Candidate status
In client setting ‘Candidate status’ (GE72) you can configure the select list for the candidate status. Per status you will find the option ‘GDPR mode’. Use this only to make exceptions; if you do NOT want candidates with a certain status to be included in the automated GDPR flow, you have two options.
GDPR mode ‘delete immediately’: the candidate will be deleted the following night. This automation does not take into account any other variables; the candidate will not receive any GDPR mails and will be anonymized.
Example: a status for candidates that do not match the target group in any way. You don’t want to ask them if they want to stay in your database, because you will never have matching opportunities.
GDPR mode ‘Keep’: the candidate will not get a due date, will not be anonymized and does not receive GDPR e-mails as long as it has a status with this mode.
Example: employees; you do not want to periodically ask if you can keep them in your system because you are legally required to do so.
Procedure status
In client setting ‘Procedures- Procedure status 1 values’ (GE6) you can configure the select list for the procedure status. For some customers GE7 and GE8 will also be used. Go to this setting to indicate which statuses mean the procedure is ended. Use one of the following options:
Reporting stage: select ‘Hired- placement’ or ‘Hired - Full time’ for statuses that are used for a positive end to the procedure.
Checkbox ‘Rejected’: activate this checkbox for all statuses that indicate a negative end to the procedure. Do this also when, strictly speaking, the candidate was not ‘rejected’, for example when a candidate was no longer interested.
This configuration for end-statuses will be used to check if candidates are currently in any active procedures. If so, they will not receive automated permission mails and will not be anonymized.
UTS templates
In the GDPR functionality several templates are used for emails and text on webpages. These are available by default; it is not necessary (or possible) to set up new templates for this flow. It is possible to check the default text and make some changes to align them with the tone of voice of your organisation. All GDPR templates are found in the UTS Manager module. An easy way to find them there is to search by keyword ‘gdpr’.
ID | Title | Description |
---|---|---|
1310 | GDPR - Permission to store data during application (V) | This text is shown in the question set |
1311 | GDPR - Permission to store data during application (H) | This text is shown in the question set |
1313 | GDPR - Email to candidate first permission request | The first automated permission request |
1314 | GDPR - Email to candidate first permission request (reminder) | Automated reminder after first permission request |
1315 | GDPR - Email to candidate repeat permission request | Request for renewal of permission |
1316 | GDPR - Email to candidate repeat permission request (reminder) | Reminder after request for renewal of permission |
1317 | GDPR - Permission form | Permission form on webpage |
1318 | GDPR - Thank you page | Thank you/confirmation on webpage |
1319 | GDPR - Error | Error on webpage |
1320 | GDPR - Permission form (fallback if there is no OTYS website) | Alternative for 1317 that is used if no customer specific webpage is connected |
1321 | GDPR - Thank you page (fallback if there is no OTYS website) | Alternative for 1318 that is used if no customer specific webpage is connected |
1322 | GDPR - Error (fallback if there is no OTYS website) | Alternative for 1319 that is used if no customer specific webpage is connected |
1323 | GDPR - Email to Keyuser x days before candidate deletion | Notification mail to key-users |
1324 | GDPR - Email to candidate after requesting permission manually | Mail that is triggered by button in candidate detail |
1325 | GDPR - Email to candidate with information of candidate | Mail that is triggered by button in candidate detail |
1326 | GDPR - Permission to automatically reject (H) | Can be shown in question set if killer questions are used |
1327 | GDPR - Permission to automatically reject (V) | Can be shown in question set if killer questions are used |
1328 | GDPR - Permission to store data in interactions form (H) | Similar to 1310 but for Interaction form |
1329 | GDPR - Permission to store data in interactions form (H) | Similar to 1311 but for Interaction form |
1330 | GDPR - Email to candidate first permission request (opt-out) | First permission email, used in ‘opt-out’ version of flow |
1331 | GDPR - Email to candidate repeat permission request (opt-out) | Permission renewal email, used in ‘opt-out’ version of flow |
1332 | GDPR - Email to candidate after requesting permission manually (opt-out) | Mail that is triggered by button in candidate detail, used in ‘opt-out’ version of flow |
Reports
In the Reports module you can configure reports based on data from the GDPR flow. Create a Report group with linked table ‘GDPR’. This linked table has two modules to choose from:
AmountCandidatesDeleted: This will show a report for the number of candidates that have been anonymized by the GDPR flow.
PermissionsMailsReactions: This will show a report for the number of sent GDPR mails and the number of times the permission question was answered. Use the tabs at the top right corner of the page to select if ‘emails’, ‘permissions’ or both should be shown in the same graph.
See helpdesk pages about Reports module for general information about how to configure and use reports.
List view
In the Candidates module you can add a column ‘GDPR status’ to your listview. This will show the same information as the GDPR button in the header of the Candidate detail. This makes it easy to see for which candidates permission is known, whether they have a due date and, if so, the date.
Usage
The GDPR functionality will do its work in the background; there is no action needed in daily use. Some options that can be useful:
GDPR button
The GDPR button in the header of the candidate shows the current situation.
First by color:
Blue: permission is unknown
Green: permission question was answered with ‘yes’
Red: permission question was answered with ‘no’
The GDPR button will also show the due date, or a text explaining why no due date is shown:
“In procedure thus not set”: This candidate has one or more active procedures. They will not receive automated GDPR mails and will not be anonymized.
“Candidate will be kept”: This candidate has a status that excludes them from the GDPR flow. They will not receive automated GDPR mails and will not be anonymized.
“Candidate will be deleted”: This candidate has a status that excludes them from the GDPR flow. They will not receive automated GDPR mails and will be anonymized the following night.
A date: This is the due date for this candidate. They will receive automated mails as configured in the settings. If they do not give or renew their permission, they will be anonymized.
Click the button for additional information and actions:
Due date: use this date field and the button ‘Set due date’ to manually change the due date of this candidate. For example when you received permission in another way than through the automated flow.
Send permission email: Trigger a manual mail to ask the candidate for permission.
Send candidate data: Trigger an email with an overview of the data that is saved for this candidate, to send them when they request this.
Export GDPR activity log: Download an overview of GDPR actions that shows a.o. when permission was given or when a due date was changed.
Info: Show a summary of the GDPR situation for that candidate, for example if they currently receive GDPR mails.
Filter
In the right panel, under ‘add criterium’, you find different filter options related to GDPR:
GDPR action main status
Filter for candidates that have a candidate status with GDPR mode ‘Keep’ or ‘Delete’.
GDPR due date
Filter for candidates with a due date in a certain period. This is a ‘flex filter’; you can for example create a filter that will look for ‘next month’ and the filter will move each month.
GDPR Permission granted
Filter for ‘permission accepted’, ‘permission declined’ and/or ‘permission pending’. Use this for example to check for candidates you are responsible for (owner) that did not answer the permission yet (‘permission pending’).
Troubleshooting
Use the ‘info’ and ‘Export GDPR activity log’ buttons to get a better understanding of the current GDPR status for a specific candidate.
If you are not sure if everything goes as intended, please contact our Support team. Do not wait with this; it is almost impossible to retrieve data that was removed via the GDPR functionality.