Setting up GDPR automation features

This article will guide you through enabling GDPR features. Check below to learn more about Workable's approach to GDPR. The GDPR settings apply to jobs in the EU, UK, Norway, Iceland, Switzerland & Liechtenstein.

GDPR features include:

Right to erasure
Privacy notice setup
Application consent to your Privacy Notice
Data retention automation

Manage these options from your Compliance settings page.

Candidates’ right to erasure

By default, once you enable the GDPR features, the system will provide candidates with a way to withdraw from the application process and delete their data automatically.

The application confirmation email that a candidate receives automatically after applying will include an option for them to withdraw from the application process and delete their data.

This is what the candidates receive:

Furthermore, this feature means that the candidates and account members can permanently delete their data from an individual job or your full Workable account (all active and archived jobs, and the Talent Pool). Also, Workable account members can permanently delete a candidate’s data from Workable if they are requested to do so. Once they do that the profile will be hard-deleted so there is no need for any further actions.

Privacy Notice setup

You can create a Privacy Notice from our legally approved template or use a link to your own, pre-written notice. The first time you email a sourced candidate or invite them to an event, a footer will be automatically added to the email including a link to your Privacy Notice and an option for the candidate to delete their own data and withdraw from your process. The details in the footer can be edited if needed.

These details ensure that you won’t forget to notify the candidate when you first contact them. You can also set up an automation to delete sourced candidates who have not been sent a link to the disclaimer within 30 days.

Note: If a candidate is added by an external recruiter then the email footer will not appear automatically. External recruiters should notify the candidate of their staffing agency’s data policies prior to adding the candidate to Workable.

Fill in the template with your organization’s information. We’ll use it to generate a pre-written Privacy Notice. You can preview this notice to ensure it meets the standards of your own organization. The pre-written details in the Privacy Notice have been vetted by legal professionals for GDPR compliance.

Your company's logo will appear at the top of the notice:

The sample data we’ve included in this example is not comprehensive and may not be in line with the guidelines your organization chooses to set. When completing the template you may want to speak with your executive or legal team to ensure that you have addressed everything that candidates should be informed of and that your data retention timeframe makes sense for your organization.

Using a custom Privacy Notice link

If you prefer to use your own fully custom Privacy Notice, click the link to the upper right of the form, "I want to use our existing Privacy Notice".

Simply include a link to your own Privacy Notice in the form that appears. Click Save Changes and the bottom of the section once you’ve set up the Privacy Notice.

Note: The custom Privacy Notice should specifically address the way you will use candidate data. Simply linking to a generic or overall Privacy Notice or Policy that your company has may not be sufficient. Consult with your legal or executive team before implementing this option. We recommend using the template option due to the ease of setup.

A link to the Privacy Notice will appear in application confirmation emails automatically. It can also appear on application forms and in emails to sourced candidates.

Updating your Privacy Notice

You can update the details of your Privacy Notice template or change the custom link at a future date if necessary. When a change is made to the template it will be reflected for all candidates who access your Privacy Notice. Candidates who initially received an older version of the template will be directed to your updated version.

Note: If you opt to use a custom Privacy Notice and the link to find this online changes at any time, remember to revisit this section in Workable and update the link. It is important that applicants have access to a working link to your Privacy Notice to remain compliant, but keep in mind that candidates who received your original custom link will not receive the new link automatically.

Applicant consent option

You can add a checkbox item to application forms that will appear automatically for any job located in the EU, UK, Norway, Iceland, Switzerland & Liechtenstein, where residents are protected under the laws of the General Data Protection Regulation (GDPR), as well as to jobs based in Switzerland and Liechtenstein. Candidates must check the box to apply and will be shown a link to your Privacy Notice.

To enable this option click your user icon in the upper right of Workable, click on Settings, and navigate to Compliance. Flip the Applicant consent switch to ON.

Enabling this switch is not a requirement. As a recruiter, you have a legitimate interest in collecting data from candidates who want to work at your company. Candidates choose the information they submit and should understand that their data will be used for hiring purposes.

Additionally, candidates will automatically receive a link to your Privacy Notice on the application confirmation page that appears after they apply. They will also receive an application confirmation email that contains a link to your Privacy Notice.

Automated data retention management

Save time and ensure GDPR compliance by automating the deletion of candidate data. Click your user icon in the upper right of Workable, click on Settings and select Compliance. In the GDPR section locate the Data retention menu. Flip the switch to ON to get started.

First, you’ll be able to set the length of time your organization would like to store candidate profiles. The clock for this starts ticking the day the candidate profile was created in Workable. If you set your timeframe for 24 months, for example, candidate profiles in active jobs, archived jobs, and the Talent Pool will be automatically deleted 24 months after they were created in Workable.

Next, you’ll be able to exclude active profiles from automatic deletion. This means that candidates in active jobs and your Talent Pool will not be deleted automatically if there has been any recent activity—like comments, emails, or evaluations. You can set the period of time for exclusion. For example, changing the setting to 6 months means that if there has been any activity on a candidate profile in the last 6 months, it will not be deleted. Candidates in archived jobs will be deleted based on their creation date, even if they have been updated recently.

Snoozed candidates will not be deleted automatically, no matter how long they’ve been in your account. When a snoozed candidate wakes up, this automatically counts as an update to their profile. In this example, a candidate who is unsnoozed would then only be deleted after 6 months if there are no other updates to their profile.

You can also choose to have sourced candidates automatically deleted after 30 days if they have not received a link to your Privacy Notice or been contacted in any way.

If you’ve uploaded (sourced) a candidate and have not contacted them, they will be deleted after 30 days. If you do contact them, you should inform them of your Privacy Notice and their right to erasure. Check here for more details on how to notify sourced candidates about your Privacy Notice. After contacting a sourced candidate, the automation filters for the first switch will apply to that candidate.

When you first enable a data retention option, candidates may be deleted from your account right away (in the example above candidates who are older than 24 months would be deleted). This will only occur when you click Save changes at the bottom of the GDPR section. An alert will let you know how many archived and active candidates are about to be deleted. Click Save changes to confirm the details and initiate the automation.

When a candidate meets the qualification for deletion they will be deleted from your Workable account. Their candidate profile, as well as their Timeline, will be removed and will not be recoverable. You will not be notified when this occurs.

Updating remaining candidates

Enabling the switch for automated data retention management will provide an option to email any remaining candidates with your Privacy Notice and a link that would enable them to delete their own data.

We recommend that you choose this option, and email the remaining candidates. This will ensure that the candidates, who applied before your GDPR Privacy Policy was set up in Workable, receive a link to view it. You’ll have a clean slate and will not need any further planning or communication around notifying your existing candidates about GDPR.

Screenshot_2020-01-17_at_1.08.41_PM.png

If you choose to ignore the candidates you should follow up at a later date with more details.

Sourced candidates who have been in your account for more than 30 days can be emailed before deletion. If you choose this option they will all be classified as ‘contacted’ and thus will not be deleted as ‘non-contacted’ sourced candidates after 30 days.

Non-contacted sourced candidates who are less than 30 days old will not be contacted at this time. When you first reach out to them an email footer will be included that contains a link to your Privacy Notice.

If there are candidates in your account without email addresses it will not be possible to share the Privacy Notice with them. These candidates will be treated as non-contacted sourced candidates and will be deleted after 30 days.