The GDPR and enrola
Making apprenticeship recruitment GDPR-ready
If you’re a Training Provider, College or Employer, you’ve probably heard of the General Data Protection Regulation (GDPR).
These laws are aimed at enhancing the protection of EU citizens’ personal data and ensuring organisations to deal with that data in transparent and secure ways.
At enrola, we’re currently hard at work ensuring we’re GDPR-compliant. But equally important to us is helping you, our partners and customers, understand what the GDPR means for your businesses and build compliant processes of your own.
If you’re using enrola for your Apprenticeship recruitment then you need to know what we’re doing to meet GDPR compliance.
We’re fully committed to enhancing the enrola platform to enable compliance with the GDPR. We started this work some time ago, but we’ll be working on meeting our obligations to reach full compliance up to the 25th May and beyond
Frequently Asked Questions
When does GDPR come into force?
The GDPR will take effect from 25th May, 2018
When will enrola be updating its legal documentation (Terms of Service, Privacy Policy, and Data Processing Agreement)?
We’ll be updating our Terms of Service, Data Processing Agreement, and Privacy Policy by 25th May, 2018 at the latest.
We’re working to roll out these updates sooner than that.
What happens to GDPR after Brexit?
The GDPR is legislation created by the EU in 2015, that has been in force since 25th May 2018.
Although the final relationship between the UK and EU is not known, the Conservative Government has indicated that they want to break with all of the EU’s legal bodies, and be subject only to UK created legislation.This means that technically the GDPR doesn’t necessarily apply to UK companies once the UK leaves the EU.
However, this isn’t strictly true for several reasons:
- The EU and UK has agreed a 2 year (currently) transition process till 31st December 2020, with the UK requiring to adhere to EU law (including GDPR) until that point.
- If you process data subjects that reside in the EU, then they’re still subject to EU law. This means the the GDPR will still apply to these applicants.
Parliament passed a new Data Protection Bill through the House of Commons on 23rd May 2018. This bill will place the GDPR into UK statute.
It makes sense for UK businesses to be GDPR compliant prior to the new legislation being passed.
Will enrola be able to comply with the right to erasure (right to be forgotten)?
Yes. When one of your applicants (i.e. data subjects) asks you to delete them from your records, you can contact us and we’ll delete the data for you quickly and easily.
If this is done in error, you’ll have 7 days to contact us to restore the record/s into enrola; after this point the data is permanently deleted.
What is SSL? Does enrola have it?
Secure Sockets Layer (SSL) is a method for transporting data securely between two points over the internet. It has since been replaced by Transport Layer Security (TLS), but most people still refer to this as SSL.
The quickest way to see if a website has SSL is by checking the web address; if it’s fully encrypted then it will start with HTTPS, and depending on the browser you use, have a padlock next to it.
enrola has complete SSL encryption across all parts of the system. Our APIs are also fully encrypted, so you can have complete confidence that data is being transported securely.
Want to find out more? Book a demo today
If you’d like to see for yourself what enrola can offer you and your team, then contact us and we’ll arrange a short demo either online or in person (your choice!)
Keeping data safe and secure
This is Martha.
In this example Martha is an applicant. She’s called the Data subject, and your company (let’s call you “Top College”) is called the Controller of that data. If you’re a enrola customer, then enrola acts as the Processor of Martha’s data on behalf of Top College.
With the introduction of the GDPR, data subjects like Martha are given an enhanced set of rights, and controllers and processors like Top College and enrola, have an enhanced set of regulations to comply with.
GLOSSARY
Data Subject
Someone that you collect data on to complete a process (in this case, an application)
Controller
The organisation that collects personal data and decides how to use that data as part of their business processes
Processor
A company/organisation like enrola that helps a controller by “processing” data based on its instructions, but doesn’t decide what to do with data.
GDPR Product Roadmap
This is what we’re doing to ensure that the way we process Martha’s data meets GDPR compliance. This table lists the features we’re building to help you be compliant. A quick note on timelines: we’ve already started to build many of these new features, and we’ll continue to ship them regularly over the coming months.
Our planned timeline is to have every feature on this list completed by 25th May. As we add more provisions to meet GDPR we’ll update this page.
GDPR Feature
What it means
What we're doing about it
Lawful basis of processing
You need to have a reason to use Martha’s data. That reason could be consent (she consented to her data being processed when she applied) with notice (you told her what she was opting into), or what the GDPR calls “legitimate interest” (e.g. she’s applied for an Opportunity unsuccessfully in the past, and you want to send her other Opportunities that you think she would be more suitable for).
You need the ability to track that reason (also known as “lawful basis”) for a given contact.
In addition, you’ll be able to track and audit the grant of lawful basis using the property history for that new property.
enrola’s applicants will now need to tick their consent to allow them to progress their application.
We are also enhancing the functionality that allows applicants to be transferred to a different vacancy (Reassign to new Opportunity). Now when you decide to reassign them, they will be notified by email of the fact and allowed to refuse if they don’t wish to be contacted about future Opportunities.
All this information is automatically time and date-stamped, and recorded on the Applications Log section of the Applicant record.
Consent
One type of lawful basis of processing is consent with proper notice. In order for Martha to grant consent under the GDPR, a few things need to happen:
• She needs to be told what she’s opting into. That’s called “notice.”
• She needs to proactively opt-in (pre-checked checkboxes to opt out from don’t count). Even if she completes an Application Form, you cant use that alone as evidence of opt-in.
The primary way that you’ll acquire applicant data is through Application Forms. As part of our improvements to Application Forms in enrola we will be including a universal consent section at the bottom of any Application Form which Martha will need to agree with prior to submitting an application.
We already log the interactions that happen through enrola with Martha automatically in our Application Log panel.
Once Martha submits her application, we’ll log the consent she provided, and the timestamp of the interaction.
An additional detail on notice: if you need to link out to additional notice provisions (like your own policies on GDPR), you can do so using hyperlinks in emails on Recruitment Workflows, or by creating a custom disclaimer to attach to application forms.
We’re also making this opt-in mandatory for other forms of data creation as well. This means that users will be required to confirm that they’ve received the correct consent prior to importing data via CSV files (for example).
enrola has created disclaimers to ensure that the applicant knows their data will be checked, securely transported to other 3rd party systems (where applicable). They can also consent to their application being moved to different Opportunities if the Controller thinks it appropriate.
Withdrawal of consent (or opt out)
Martha needs the ability (as a data subject) to see what she’s signed up for, and withdraw her consent (or object to how you’re processing her data) at any time if she chooses to.
In other words, withdrawing consent needs to be just as easy as giving it.
All interactions with Martha are recorded in enrola, either in the Application Log, or the “Activities” section. If she as a data subject would like to see this information, then all she needs to do is contact either yourself or us.
You can then put in a request to enrola Support via Live Chat or email (support@enrola.co.uk) and we supply you with a copy of Martha’s consents. From this point she can choose to update her consent preferences, or have her data removed altogether (“Deletion“)
Deletion
Martha has the right to request that you delete all the personal data you have about her. The GDPR requires the permanent removal of Martha’s contact from the enrola database, including email tracking history, call records, form submissions and more.
In many cases, you’ll need to respond to her request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.
If you’d still like to delete Martha’s data from enrola permanently at that point then you need to put in a request to enrola Support via Live Chat or email (support@enrola.co.uk) and we will remove Martha’s data from your enrola database.
Access/Portability
Just as she can request that you delete her data, Martha can request access to the personal data you have about her. Personal data is anything identifiable, like her name and email address. If she requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format.
Martha can also request to see and verify the lawfulness of processing (see above).
If Martha would like to receive her personal data from enrola then you need to put in a request to enrola Support via Live Chat or email (support@enrola.co.uk) and we will remove Martha’s data from your enrola database.
Modification
Martha can also ask you to modify her personal data if it’s inaccurate or incomplete.
If and when she does, you need to be able to accommodate that modification request.
In enrola, if Martha asks you to change or update her information, you can easily do so from within her application record.
Security Measures
The GDPR requires a number of data protection safeguards, from encryption at rest and in transit to access controls to data pseudonymization and anonymisation.
We’ve always been concerned at enrola about data security – and we’ve taken even more steps to enhance our systems further.
enrola has always had SSL encryption (see the FAQ above for more information)
enrola is hosted on Amazon Web Services (AWS), the same web hosting system employed by the Government, Samsung, NASA and many other organisations.
AWS has conducted it’s own GDPR audit and declared itself GDPR ready, but we’ve also taken out further steps, and encrypted the enrola databases on our already encrypted servers.
The encryption keys for our servers are also 4086-bit hashed and encrypted to reduce the risk of a bad actor accessing the system were the keys to be taken.
The enrola API is also fully encrypted, allowing for secure data transportation between ourselves and third party software.
We’re also drawing up a Data Processing Agreement that our integration partners will need to sign up to to ensure that they have high standards of data encryption and security.
Want to find out more? Book a demo today
If you’d like to see for yourself how enrola is getting ready for GDPR and beyond, then book a demo today – we’ll be delighted to show you!