Since May 25, 2018, the General Data Protection Regulation (GDPR) governs how personal data is acquired, stored and distributed between online service providers.
As a product with referrals dynamics at its core, Circular takes data privacy and GDPR very seriously. We also believe is a great opportunity for brands like ours, that is built on trust. That's why we worked with privacy experts at PwC to design a solid and GDPR compliant product experience.
SHORT VERSION ON HOW WE ARE GDPR COMPLIANT
We are like any other referral program (i.e. Airbnb's) and, in a nutshell, this is how we comply with GDPR:
- When you invite candidates to Circular –either via email or sharing your invite link– they have to give consent and signup in order to join the Circular community and start receiving interview offers (i.e. Circular is 100% opt-in for candidates you invite).
- If you invited them via email and they decide not to sign-up, we do not contact them ever again. We wouldn't be able to contact them even if we wanted because we don't store the referred candidate email address beyond 24 hours, just the unique, randomly generated link of their invitation to Circular.
- If you shared with them your invite link (outside of our platform) and they decide not to sign-up, we obviously don't have any information about the candidate.
THE FULL EXPLANATION
GDPR regulation –see full details in their website– has more items that we can cover in this article but we will focus on two areas that affect Circular the most: User Consent and Right To Be Forgotten.
1. User Consent
Circular dynamics are based on recruiters and hiring managers referring candidates into the platform so they can be sourced in other interview processes. But it is impossible to gain the referred candidate's explicit consent for their data to be used. After all it's not the data owner (candidate) but someone else (recruiter or hiring manager) who uses their email address to send an invitation.
When designing Circular, we faced two main challenges around consent:
- Storing referred candidate's data before they accept the invitation (or if they don't)
- Acquiring permission once the candidate accepts the invitation
Let's see how we solved those challenges depended on how the candidate is invited, via email or sharing their invite link:
Referring candidates via email (inside the platform)
When referring candidates via email we use a 3rd party email source (the recruiter or hiring manager) to invite the data owner (candidate) to join Circular.
We send the candidate one email on your behalf, with a randomly generated invitation link. We do not store the candidate email address after 24 hours so we will never send any other emails to them.
Referring candidates via invite link (outside the platform)
Your invite link leads to a signup form for candidates that is uniquely linked to you. When a candidate signs up through it, we send you an email so you can write a recommendation for them.
2. Right to be forgotten
We give candidates extended control over their data: allowing them to remove referrals from their profile, switch to "not available" status to stop receiving interview offers, unsubscribe from any communication, decide the channels they want to be contacted from, etc.
More important, candidates (and recruiters) can delete their account from the platform anytime. That option completely removes from our database not only all the their data but also the activity they've generated in Circular.