Recruitment GDPR

GDPR for Recruiters

Get ready overnight and take the fear out of GDPR

GDPR aims to provide eight new rights for individuals, and businesses must now demonstrate their ability and willingness to offer them. Here’s a rundown of how Firefish assists our customers in complying with this.


1. The right to be informed


Under GDPR, individuals have the right to be informed about how a business has acquired their data as well as how it will be stored and used. Once users have decided their lawful basis for processing personal data, they can update a Candidate Privacy Agreement on their Firefish website page (similar to a Terms of Use and/or Cookies Privacy outline). The Candidate Privacy Agreement needs to provide clear, unbundled clauses for the candidate to opt into, and these clauses should explain how, why, and for how long you’re going to store their data.


As Firefish Software converts candidates straight in from a user’s recruitment website, our customers can automate the tracking of each candidate and clearly indicate the date/time that they choose to opt into the Candidate Privacy Agreement.


For the rest of the candidates that a user’s recruitment team choose to manually register or accept in from email or job board channels, the recruiter will have to indicate the legal right under which they are processing the candidate’s data, or send the candidate access to their white-labelled preferences page, which will allow the candidate to confirm their unbundled communication preferences.


For any candidate that has been on a user’s database for more than 28 days without a clear legal preference being selected, the compliance and/or Super Users will be notified and prompted for action. 


2. The right of access


From day one of developing Firefish in 2010, we’ve always put the candidate first, so GDPR fits our model exceptionally well. We believe the best way to earn trust and ensure complete data accuracy is to allow candidates to clearly access the personal data that you’re storing on them from the outset.


GDPR also recommends that “where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information” (source: ICO).


To facilitate this, all our customers have a fully branded and mobile-responsive candidate portal where candidates can log in to update their CV profile, job preferences and communication options, and track their recruitment activities from any location, at any time.


3. The right to rectification


Candidates must now also have the ability to edit, update and rectify any missing or incorrect information you have stored on them. Candidates can also clearly see which jobs they’ve agreed to share their information with and state any companies that they do not want their details to be shared with. Firefish then ensures that every recruiter using our system respects the candidate’s requests by warning or blocking the recruiter if they try to shortlist, spec or alert the candidates to any jobs they don’t want their details to be shared with.




4. The right to erase


Under GDPR, candidates will be able to submit a ‘request to be forgotten’ at any time, or if you’re using legitimate interest as the legal basis for storing their data, the candidate can raise an objection or request your justification for doing so.


Each candidate has the ability to initiate the ‘request to remove’ workflow, which will in turn notify Super Users or compliance users to either get in contact or delete the candidate record.


As a candidate engagement engine, Firefish also audits all forms of engagement which can extend a candidate’s lifetime value with our users. Firefish keeps candidates actively engaged with your business via relevant job alerts, engaging blogs, recruitment events, campaigns or company news. This content helps to broadcast your employer brand and make sure that you are the first point of contact for their next job. Not only does Firefish make it easy for recruiters to generate this content, but we provide a complete audit trail of the candidate’s engagement with the company too.


If a candidate has not been actively engaged within the pre-defined data retention period, Firefish will automatically alert users to candidates who either need to be re-engaged with or deleted from the database.



5. The right to restrict processing


Every time a candidate fails to show up for an interview – or even worse, their first day on a new job – by default, they’re restricting a business’s ability to process their information.


Firefish is taking the approach of encouraging candidates to be more professional and making it easy for them to tell a company that they’re not interested in the position anymore. Each time a candidate submits their details with interest in a role, they will also have the ability to withdraw their interest at any time via their candidate portal, and this will automatically restrict a recruiter’s processing during that particular recruitment process.


6. The right to data portability


Under GDPR, the candidate must have the ability to download and export their information at will, and if requested, businesses have the new GDPR-standard of 30 days to comply with their request.


To prevent this from becoming yet another time-consuming admin task to add to workloads, Firefish has integrated an automatic ‘export’ button on each candidate’s record, so they can easily export their profile information with one click. 


7. The right to object


We’re making it our mission to ensure our users are best placed to avoid any ‘right to objects’ from candidates, and the area where candidates are most likely to object to recruiters’ actions will concern direct marketing. Firefish combines all marketing activities in one place and prevents recruiters from accidentally reaching out to a contact who has opted out of marketing.


All candidates can clearly opt in and out of individual marketing channels at their free will (e.g. email, job alerts, SMS, and email campaigns) and these preferences are taken into account when a recruiter creates a new recruitment campaign too. For example, if a candidate has opted out of receiving email marketing or SMS messages, the recruiter will not be able to include that candidate in either an email campaign or bulk SMS marketing, therefore ensuring that recruiters abide by the candidate’s wishes and permissions at all times.


8. Rights in relation to automated decision-making and profiling


Finding the perfect candidate isn’t just about how they look on paper, which is why technology will never replace the recruiter when it comes to selecting the best candidate for a job. Whilst technology should enhance the recruiter’s tool set and help them become more effective at what they do, there are decisions involved in the recruitment process that will always be up to the recruiter to make.


And this is exactly the philosophy that our software adopts: We make potential matches on contacts, companies, candidates and jobs to streamline recruiters’ efforts, save them time and guide them in the right direction. However, these matches are based on information provided and accessed by the candidate directly – there’s no automated decision-making when it comes to processing or profiling.


Advanced Security


Once data is collected, it needs to be stored in a secure manner and in accordance with the security provisions of the GDPR. This means appropriate technical and organisational security measures must be used to protect personal data against unauthorised processing and accidental loss, disclosure, access, destruction, or alteration.


We operate under a great partnership with Microsoft Azure, providing our customers with the enhanced protection and 99.98% availability that the service provides, and we are regularly updating our Data and Security Policy to demonstrate our dedication to ‘privacy by design’.