FAQ - GDPR functionality in Adapt

GDPR Client Question & Answers for Adapt v 2.8

Written by Jackie Read
Updated over a week ago

Q: Who will have permission to delete records? 

A: We can set two types of deletion access. One to delete records (soft delete) from Quickfind/Fastfind. One to delete records (hard delete) to send them to queue via the ‘Stop Processing’ workflow to be hard deleted in line with GDPR.

Please contact Client Services to set delete access across your system.

Q: Can the mandatory type of GDPR communications be automated within the adapt workflow? 

A: You are able to send a batch email from the system, but Adapt does not automate the recording of responses. These will need to be processed according to each individual's consent or objections.

Q: The right to access link is only if we have the online portal? We are on the Standard OnDemand platform – is this available to us?

A: Yes, the portal has been developed for our OnDemand Solution so this will be available to you. A new workflow is available in the system for a ‘Subject Access Request’ which then sends a URL and log in to the candidate for them to log into the portal where they can view the personal information you hold for them. 

Q: Can we receive consent via phone from the candidates? 

A: As long as consent is logged in the Adapt system using the workflows provided, a journal note will be generated to show that you have gained consent. So, receiving this via telephone from the candidate should be fine. 

Q: What happens to all the Contacts and Candidates who are already in the system? Do we need to get their consent even though they are in our database already? 

A: Yes, you will need to gain consent to process any personal data, unless you are using the Legitimate interest approach. If you are using the Legitimate Interest approach you can cover this in your privacy policies to advise how you will be processing their data.

Q: Sending the consent form seems a manual task. Can we send a link out, rather than having to scan the signed form (which people won't print/return)?

A: Yes, you can include a link in the email template if you wish. The management of the response would be down to the agency. The response would need to be tracked using the Consent received workflow in Adapt.

Q: Will they be able to see Adapt CVs (the ones we reformat) via the portal?

A: Yes, all document library folders and documents within these categories will be visible. Anything held in the confidential folder will not be visible.

Q: Are the email templates provided or do we need to write our own?

A: The template is set up as standard but the wording can be amended, so please contact clientservices@erecruit.com and the team will update this for you. 

Q: Do we need to send consent forms to contacts at our clients as well?

A: If you are taking the consent approach, this will also apply to contacts as you are processing their data.

Q: Are there specific workflows for Permanent Candidates? We use Adapt for Perm Vacancies only not Temps and also use it for storage of information.

A: The changes we are making apply to all types of candidates, not just temps. The workflows are available on all candidate records regardless of their role type.

Q: If you retain and restrict someone can that data then be recovered if they come back or do we need to get it all again?

A: Yes, the record will be recovered to its original state. You can run a workflow to change the view from ‘Restricted’.

Q: Retain and restrict is the best course when someone wants legitimately removing BUT as a company we need some sort of record because we do not want to re-approach- i.e. bad client feedback, bad experience- want flagged on system with no personal data. Our plan was to delete the record totally and then create a shell record- this is the alternative and sorts all the linking?

A: When you run the restrict action, you will fill in the mandatory fields to record why you are placing this record in restricted mode. Once the workflow is confirmed, the record is cleared down of all personal data (the data is hidden from view). The candidate name and ID will be the only information visible and this record will then have a status of ‘Restricted’. These restricted records are searchable from the People>Home menu.

Q: Is there anything changing re the specific due diligence compliance and permissions as these are higher risk areas - passports etc. - I use the compliance section a lot.

A: There is an ‘Explicit Consent’ section in the workflow where you would record your criminal conviction and special category data such as race, sexual orientation or region and the system will ask you to confirm that you have explicit consent to record this data. 

Explicit Consent needs to be obtained separately to the General Consent of the record.

Q: When we log a reference in Adapt, there are mandatory fields for contact details. Are you looking to remove these fields so that if a candidate requests to see their references, the contact details will not be present?

A: The option to record personal data of the ex-employer will remain in the create reference workflow as the agency will need these details to contact the client for their reference. The reference that the ex-employer sends back can be saved in the Confidential folder and the user can save an additional and updated copy of the reference (without the contact personal details) into the reference folder for the candidate to access via the portal. 

Q: Are we able to move documents from other folders into Confidential folder? And other way around? 

A: Yes, you are able to move documents from one folder to another. This way you can transfer any confidential documents/documents you do not wish the candidate to see into the Confidential folder. 

Q: In line with the GDPR Legislation, we need to communicate to the authority, in less than 72 hours, if in our Data Base there is a cyber attack or a loss of information for an external factor. Could you please confirm that your system is prepared to face these issues? 

A: We have several security measures in place for holding your data. Please see our Security Breach document for more details along with our ‘Security, back ups & Disaster Recovery’ Document. 

Q: Is there a way of grouping the consent into different categories so we don’t have to update each candidate individually please?

A: No, each candidate will need to be updated individually and manually using the new workflow available.

Q: Is it possible to delete or edit on the comments section in Adapt?

A: You are able to edit journal entries, but the entry will be time and date stamped to show that an amendment was made.

Q: Do the workflows offer the agency to record both consent and legitimate interest? 

A: Yes, on all workflows demonstrated in the webinar, you have the option to record consent or legitimate interest.

Q: If a candidate applies for a job via Broadbean and we upload their CV into Adapt, even if we don't use this candidate at the time do we need to send him a "permission email" and do they have to come back to us to accept before we use their data?

A: If using legitimate interest, you must inform the individual that you are processing under legitimate interest, and track how they have been informed of their rights. They do not have to reply to this, or ‘consent’ to anything before you start processing the data further. There is no strict rule on when you should inform them under Legitimate Interest, but to be safe, you could use the 30 day rule. Inform the candidate within 30 days of the date at which you started processing (i.e. received an application to a job via Broadbean). Even if you don’t ‘use’ the data – it is still available for processing by being searchable in the database from the date you import it into Adapt.

We believe Broadbean are creating some tools such as auto response emails for clients who are taking the legitimate interest approach, but you would need to contact your Account Representative at Broadbean for further information on this.

Q: Can you have explicit and legitimate consent together? I.e. If we are scanning eligibility documentation.

A: You would need to complete a Legitimate Interest Assessment to clarify for yourselves whether this is acceptable. Under this link you will see a section that talks about the type of data that is processed: -

Here is some information we have obtained from the link: 

“Nature of the data

You need to think about the sensitivity of the personal data you intend to process. For example:

  • Is it special category data?

  • Is it criminal offence data?

  • Is it another type of data that people are likely to consider particularly ‘private’, for example financial data?

  • Are you processing children’s data or data relating to other vulnerable individuals?

  • Is it data about people in their personal or professional capacity?

The more sensitive or ‘private’ the data, the more likely the processing is to be considered intrusive or to create significant risks to the individual’s rights and freedoms. For example, by putting them at risk of unlawful discrimination. You are likely to need a more compelling reason to use this type of data, and take particular care to put adequate safeguards in place…

How do we decide the outcome?

You need to weigh up all the factors identified during your LIA for and against the processing, and decide whether you still think your interests should take priority over any risk to individuals. This is not a mathematical exercise and there is an element of subjectivity involved, but you should be as objective as possible.

You must be confident that you can show why the benefits of the processing justify any risks you have identified. The more significant the risks, the more compelling your justification must be…”

Q: Are we no longer able to do diversity monitoring which is optional for candidates to complete for us? 

A: If using the consent approach, you would need to obtain explicit consent in order to capture the special category data required for diversity monitoring. If you are considering using the legitimate interest approach, you should ensure that you have completed a Legitimate Interest Assessment and satisfied yourselves that under this method of processing, it is acceptable to process this type of data. See the following link for further information: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/

Q: Can we default the date of expiry to 2 years from obtaining consent?

A: No, as consent is contextual we decided not to enforce a default expiry date that would be applicable to all customers.

Q: Can the candidate see anything relating to their placement on the subject access request portal?

A: No. Only personal data relating to the candidate will be visible to them. Full details of which fields in Adapt will be visible on the portal will be provided in the release documentation.

Q: Will Adapt ever be able to integrate with DocuSign? As this is imperative to our daily workflow.

A: Yes, it is definitely on our roadmap to include this capability at some point. We just cannot confirm exactly when whilst we evaluate other enhancement requests that are more in demand at present.

If you have any further questions, please do not hesitate to contact the Client Services Team on clientservices@erecruit.com or call us on 01903 707018.
