This article will guide you through enabling the compliance features available for your account. Workable makes it easy to allow candidates to exercise their right to be deleted at any stage of your hiring process and to be notified of your privacy policy upon being sourced or while applying for a job. You will also find advanced options for automating data retention.
Candidates’ right to erasure
The first step towards GDPR compliance is to include an option for candidates to withdraw from the application process and delete their data automatically.
To begin, click on your user icon in the upper right of Workable, click on Settings and navigate to Compliance. Locate the GDPR section. The first option you’ll see will vary based on the Workable plan you subscribe to:
- For monthly and Core plans: Right to erasure
- For Growth and Premier plans: GDPR compliance
In any case, flip this switch to ON and it will enable candidates’ right to erasure.
With this option enabled, the application confirmation email that a candidate receives automatically after applying will include an option for them to withdraw from the application process and delete their data.
Furthermore, activating the ‘right to erasure’ means that the candidates and account members can permanently delete their data from an individual job or your full Workable account (all active and archived jobs, and the Talent Pool). Also, Workable account members can permanently delete a candidate’s data from Workable if they are requested to do so.
Privacy Notice overview
A link to your Privacy Notice should be shared with every candidate in your Workable account. You’ll need to create and host your own Privacy Notice and ideally, it will be related to recruitment only, instead of a more general company privacy policy. This will further increase transparency, enabling the candidate to quickly see relevant information which could be missed in a longer, more general policy.
In any case, the Privacy Notice should include details of:
- How long your organization intends to store the candidate data; if it’s not possible to provide an exact length of time, then explain the criteria used to determine that period
- How candidates can withdraw their consent to the processing of their personal data
- How candidates can request corrections or access to their data, or ask for it to be deleted from your system
- Who candidates should contact should they want to lodge a complaint regarding the processing of their personal data
Share your Privacy Notice with the candidates via email.
In any case, as part of your process, we recommend using Workable to create an email template that can be used to contact sourced or passive candidates with a consistent approach.
Standard Privacy Notice setup
If you are using a monthly plan, you can rely on emails to notify your candidates about your Privacy Policy. You can create an email template as suggested above to notify your candidates about your company’s Privacy Policy and also include a link to your Privacy Policy in your job’s description.
Another alternative is to add a link to your company’s Privacy Policy to your email signature.
Advanced Privacy Notice setup
Setting up a Privacy Notice template
With a Growth or Premier plan, you can create a Privacy Notice from our legally approved template or use a link to your own, pre-written notice. The first time you email a sourced candidate or invite them to an event, a footer will be automatically added to the email including a link to your Privacy Notice and an option for the candidate to delete their own data and withdraw from your process. The details in the footer can be edited if needed.
These details ensure that you won’t forget to notify the candidate when you first contact them. You can also set up an automation to delete sourced candidates who have not been sent a link to the disclaimer within 30 days.
Click your user icon in the upper right of Workable, click on Settings, select Compliance and enable the GDPR features switch to set up the Privacy Notice.
Fill in the template with your organization’s information. We’ll use it to generate a pre-written Privacy Notice. You can preview this notice to ensure it meets the standards of your own organization. The pre-written details in the Privacy Notice have been vetted by legal professionals for GDPR compliance.
Your company's logo will appear at the top of the notice.
The sample data we’ve included in this example is not comprehensive and may not be in line with the guidelines your organization chooses to set. When completing the template you may want to speak with your executive or legal team to ensure that you have addressed everything that candidates should be informed of and that your data retention timeframe makes sense for your organization.
Using a custom Privacy Notice link
If you prefer to use your own fully custom Privacy Notice, click the link to the upper right of the form, "I want to use our existing Privacy Notice".
Simply include a link to your own Privacy Notice in the form that appears. Click Save Changes at the bottom of the section once you’ve set up the Privacy Notice.
A link to the Privacy Notice will appear in application confirmation emails automatically. It can also appear on application forms and in emails to sourced candidates.
Updating your Privacy Notice
You can update the details of your Privacy Notice template or change the custom link at a future date if necessary. When a change is made to the template it will be reflected for all candidates who access your Privacy Notice. Candidates who initially received an older version of the template will be directed to your updated version.
Applicant consent option
You can add a checkbox item to application forms that will appear automatically for any job located in the EU, Norway, and Iceland, where residents are protected under the laws of the General Data Protection Regulation (GDPR), as well as to jobs based in Switzerland and Liechtenstein. Candidates must check the box to apply and will be shown a link to your Privacy Notice.
To enable this option click your user icon in the upper right of Workable, click on Settings and navigate to Compliance. Flip the Applicant consent switch to ON.
Enabling this switch is not a requirement. As a recruiter, you have a legitimate interest in collecting data from candidates who want to work at your company. Candidates choose the information they submit and should understand that their data will be used for hiring purposes.
Additionally, candidates will automatically receive a link to your Privacy Notice on the application confirmation page that appears after they apply. They will also receive an application confirmation email that contains a link to your Privacy Notice.
Automated data retention management
Save time and ensure GDPR compliance by automating the deletion of candidate data. Click your user icon in the upper right of Workable, click on Settings and select Compliance. In the GDPR section locate the Data retention menu. Flip the switch to ON to get started.
First, you’ll be able to set the length of time your organization would like to store candidate profiles. The clock for this starts ticking the day the candidate profile was created in Workable. If you set your timeframe for 24 months, for example, then candidate profiles in active jobs, archived jobs and the Talent Pool will be automatically deleted 24 months after they were created in Workable.
Next, you’ll be able to exclude active profiles from automatic deletion. This means that candidates in active jobs and your Talent Pool will not be deleted automatically if there has been any recent activity—like comments, emails or evaluations. You can set the period of time for exclusion. For example, changing the setting to 6 months means that if there has been any activity on a candidate profile in the last 6 months, it will not be deleted. Candidates in archived jobs will be deleted based on their creation date, even if they have been updated recently.
Snoozed candidates will not be deleted automatically, no matter how long they’ve been in your account. When a snoozed candidate wakes up, this automatically counts as an update to their profile. In this example, a candidate who is unsnoozed would then only be deleted after 6 months if there are no other updates to their profile.
You can also choose to have candidates automatically deleted after 30 days if they have not received a link to your Privacy Notice or been contacted in any way.
If you’ve uploaded (sourced) a candidate and have not contacted them, they will be deleted after 30 days. If you do contact them, you should inform them of your Privacy Notice and their right to erasure. After contacting a sourced candidate, the automation filters for the first switch will apply to that candidate.
When you first enable a data retention option, candidates may be deleted from your account right away (in the example above, candidates who are older than 24 months would be deleted). This will only occur when you click Save changes at the bottom of the GDPR section. An alert will let you know how many archived and active candidates are about to be deleted. Click Save changes to confirm the details and initiate the automation.
When a candidate meets the qualification for deletion they will be deleted from your Workable account. Their candidate profile, as well as their Timeline, will be removed and will not be recoverable. You will not be notified when this occurs.
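Because deletion is unrecoverable and unannounced, it helps to reason through the rules before saving. The sketch below is an added example, not Workable's code: it models the retention rules as this article describes them so you can preview which profiles would qualify. All class, field and function names are hypothetical, the sample candidates are constructed, and the handling of exact boundary dates is an assumption.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Candidate:                       # hypothetical model of a profile
    created: date
    location: str                      # "active", "archived" or "talent_pool"
    last_activity: Optional[date] = None   # unsnoozing counts as activity
    snoozed: bool = False
    sourced_uncontacted: bool = False  # sourced, never emailed or sent the notice

@dataclass
class Policy:                          # mirrors the three switches described above
    retention_months: int = 24
    exclude_active_months: Optional[int] = 6   # None = exclusion switched off
    purge_uncontacted_sourced: bool = True

def minus_months(d: date, months: int) -> date:
    y, m = divmod(d.year * 12 + d.month - 1 - months, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def deletion_reason(c: Candidate, p: Policy, today: date) -> Optional[str]:
    if c.snoozed:                      # snoozed profiles are never auto-deleted
        return None
    if (p.purge_uncontacted_sourced and c.sourced_uncontacted
            and c.created <= today - timedelta(days=30)):
        return "sourced, not contacted within 30 days"
    if c.created > minus_months(today, p.retention_months):
        return None                    # still inside the retention period
    if (c.location != "archived" and p.exclude_active_months is not None
            and c.last_activity is not None
            and c.last_activity > minus_months(today, p.exclude_active_months)):
        return None                    # recent activity protects non-archived profiles
    return "older than retention period"

TODAY = date(2024, 6, 1)               # constructed sample data below
SAMPLE = {
    "archived_recent_activity": Candidate(date(2022, 1, 10), "archived", date(2024, 5, 1)),
    "active_recent_activity": Candidate(date(2022, 1, 10), "active", date(2024, 5, 1)),
    "pool_stale": Candidate(date(2021, 12, 1), "talent_pool", date(2023, 6, 1)),
    "old_snoozed": Candidate(date(2020, 1, 1), "active", snoozed=True),
    "sourced_45_days": Candidate(date(2024, 4, 17), "talent_pool", sourced_uncontacted=True),
    "sourced_10_days": Candidate(date(2024, 5, 22), "talent_pool", sourced_uncontacted=True),
}

def preview(candidates, policy, today):
    """Return {name: reason} for every profile that would qualify for deletion."""
    return {n: r for n, c in candidates.items() if (r := deletion_reason(c, policy, today))}
```

Note that the archived profile is deleted despite its recent activity, while the same profile in an active job is kept.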
Updating remaining candidates
Enabling the switch for automated data retention management will provide an option to email any remaining candidates with your Privacy Notice and a link that would enable them to delete their own data.
We recommend that you choose this option, and email the remaining candidates. This will ensure that the candidates, who applied before your GDPR Privacy Policy was set up in Workable, receive a link to view it. You’ll have a clean slate and will not need any further planning or communication around notifying your existing candidates about GDPR.
If you choose to ignore the candidates you should follow up at a later date with more details.
Sourced candidates who have been in your account for more than 30 days can be emailed before deletion. If you choose this option they will all be classified as ‘contacted’ and thus will not be deleted as ‘non-contacted sourced candidates’ after 30 days.
Non-contacted Sourced candidates who are less than 30 days old will not be contacted at this time. When you first reach out to them an email footer will be included that contains a link to your Privacy Notice.
If there are candidates in your account without email addresses it will not be possible to share the Privacy Notice with them. These candidates will be treated as non-contacted Sourced candidates and will be deleted after 30 days.