Applying your Data Privacy Policies into Invenias

Overview

This article will cover the process to implement your choice of settings and content for the GDPR Module.

New User Permissions

Three new Permissions introduced in this release apply to this feature. Before enabling and configuring this module, we advise reviewing these permissions and assigning them to the relevant users in my.invenias.com.

Edit Data Privacy Record

This permission allows the user to make changes to the settings and configuration of the central Data Privacy Record, accessible to all users from the Invenias tab in Outlook.

Edit Data Privacy Settings for Company and Assignment Records

This permission allows a user to Edit the Data Privacy settings for Company, Company Location and Assignment Records. Consent can be enforced for candidates who reach a certain progress status. Click here for more information on this feature.

Delete a Person Using the Right to Be Forgotten

This permission allows a user to delete a Person Record using the Right to Be Forgotten.

How to Enable the Data Privacy Module

Permission Required: Please note, to access System Preferences you need the "Access System Preferences" permission.

Data Privacy can be enabled within System Preferences by navigating to Global Settings > Data Privacy and checking the Enable Data Privacy box:

By default, this feature is labelled ‘GDPR’, but this is customizable to suit your business requirements.

Configure GDPR Record

After the feature has been enabled, you can configure its settings by opening the GDPR Record. Go to the Invenias Tab in Outlook, then click GDPR:

The GDPR record will open. This record is accessible to all users and is used as a central point of reference for storing GDPR Documentation and associated settings in Invenias.

Permission Required: Please note, to Edit the GDPR Record, you need the "Edit Data Privacy Record" permission.

Data Privacy Representative

Data Privacy Representative - This field allows you to select an Invenias user as the main point of contact for any GDPR-related inquiries, e.g. Right of Access Requests, Right to be Forgotten, etc.

Default Settings for New Records

Default Purpose(s) - Purposes selected here are added by default to all new and existing records.

Default Lawful Basis - The Lawful Basis selected here is applied as the default to all new and existing records. Your default Lawful Basis can be any one of:

  • Contractual Necessity
  • Legal Obligation
  • Legitimate Interest
  • Public Interests
  • Vital Interests

Your default Lawful Basis for your database cannot be Consent, as this would place all existing records in your database in a state of Consent not Requested, creating a huge immediate burden of requesting consent from all people on your database. Instead, selecting a Lawful Basis that does not require consent and then systematically updating your database to request consent where you feel it is necessary is a more manageable process.

Consent Term - This field defines the number of months selected by default when a user requests consent from a person.

Note - If you change the Default settings at a later date, after you have already informed some people on your database or set unique Purposes and Lawful Bases for individual people, the changes to the Default settings will not update on these records.

GDPR Authorities

GDPR Authorities - This section can be used to document the Data Privacy Authorities that apply to your organisation. For example, in the UK this is the Information Commissioner's Office (ICO), which deals with all Data Protection related matters. Your GDPR authorities are set up as Company Records, and from the central GDPR record you can either select existing company records or create a new one for your authority.

Additionally, should you operate across multiple countries, you will need to define a Lead Supervisory Authority using the checkbox. This should be the authority located in the country of your main business residence.

Purposes

This section displays a list of all purposes for storing and processing data for people in your database. This is a fully configurable list and should reflect the specific purposes for which you are holding and processing data on people as part of your organisation's business practices and workflows.

An example purpose: Executive Search – Board Search

Description: Personal Data is collected, processed and distributed with the intent of identifying and presenting suitable candidates for Executive and Board employment roles with clients who have indicated a requirement for such roles. The data may be sourced from public sites containing contact and CV data, from potential candidates directly, from interviews and interactions with potential candidates and other connected parties and from online sources and will be provided to clients seeking to fill such roles.

Lawful Basis - Legitimate Interest

To Edit purposes, click the EDIT button under the list of purposes to open the following window:

To add a purpose, click Create New Purpose. You can edit the Title, Description and Required Lawful Basis of any Purpose by clicking into the grid and clicking OK to save your changes.

If you edit a purpose that has already been assigned to People Records who have been Informed / Consent Approved, you should consider whether it's appropriate to Inform / Request their Consent again. This will depend on the nature and extent of the changes.

When selecting the Lawful Basis for a purpose, bear in mind that if a Lawful Basis is selected that requires consent, this purpose cannot be saved to a person without consent being selected as the Lawful Basis in the Person Record.

If you mark a Purpose as "Inactive", this will prevent the purpose from being assigned to any records. This will not remove the purpose from any existing records to which it is already assigned.

Permission Required: Please note, to Edit Purposes, you need the "Edit Data Privacy Record" permission.

These purposes can be selected and applied individually for People Records and also for default settings.

Lawful Bases

This section displays a list of all Lawful Bases for storing and processing data for people in your database. By default this list will be populated by the 6 Lawful Bases included in the GDPR legislation. If there are any Lawful Bases that do not apply to your organisation, you can make them inactive by clicking into EDIT:

To add a Lawful Basis, click Create New Lawful Basis. You can edit the Title, Description and make any Lawful Basis inactive by clicking into the grid and clicking OK to save your changes.

If you edit a Lawful Basis that has already been assigned to People Records who have been Informed or have given their consent, you should consider whether it's appropriate to Inform them, or Request their Consent again. This will depend on the nature and extent of the changes.

If you mark a Lawful Basis as "Inactive", this will prevent the Lawful Basis from being assigned to any records. This will not remove the Lawful Basis from any existing records to which it is already assigned.

Documents

GDPR legislation requires organisations to demonstrate they have understood and taken proactive steps towards GDPR Compliance. To assist Invenias customers with this requirement we have provided a number of Document Templates which can be downloaded and amended to assist with fulfilling this aspect of compliance.

Note that these should not be a substitute for legal advice; you may need to seek your own legal advice when using these templates.

Enforcing Consent

If you wish to enforce a requirement for consent for all candidates in all Assignments who reach a certain stage in the Assignment, you can do this by clicking the Enforce Consent button in the toolbar of the Data Privacy Record:

This opens the following settings window:

To enforce consent, change the Consent Required button to Yes. You can then set the Candidate Progress Status, Lawful Basis and Consent Behaviour options to your preference.

Invenias users can override these settings (with the correct Permission) and set Consent Requirements uniquely for individual Companies, Company Locations and Assignments. This section of the Data Privacy User Guide details how to do this.

Create / Edit Email and Document Templates

You can edit these or create your own Templates using the Invenias Word add-in. This feature allows you to add the following new template fields:

  • CandidateConsentExpiryDate
  • CandidateConsentPeriod
  • CandidateLawfulBasis
  • CandidateLawfulBasisDescription
  • CandidatePurposes
  • CandidatePurposesAndDescriptionsBlock
  • PersonConsentExpiryDate
  • PersonConsentPeriod
  • PersonLawfulBasis
  • PersonLawfulBasisDescription
  • PersonPurposes
  • PersonPurposesAndDescriptionsBlock

If you wish to direct people to your own Privacy Policy, you can do this by including a hyperlink in your email templates.

Configuring Data Privacy Premium

Click here for an admin Guide on configuring this premium feature.