idibu is GDPR compliant and fully committed to individual privacy. We are a registered data controller with the UK Information Commissioner’s Office (ICO), number ZA296954.
While GDPR requires more thought and care when interacting with candidates, we believe it is a positive opportunity to engage with candidates who are interested in what you have to say, thus, saving your team time to work more effectively and improve the perception of your brand.
Our objective is to provide tools to help you maintain your GDPR compliance. While we cannot and do not accept responsibility for non-compliant activity on your behalf, we ensure our own systems are compliant. We aim to provide best practise guidance and user journey’s inside our software systems, where we are able to.
Examples of how we can help are:
- Clearly marking records from candidates who have requested you do not contact them (if they have not been removed from the system)
- Disabling automated messages to go to candidates who have unsubscribed
A key understanding of how you interact with candidates comes from the definition of legitimate interest. If a candidate applies to a role you advertise using idibu, it is perfectly acceptable to believe they have ‘legitimate interest’ in being contacted by you provided it is in connection with finding a suitable job for them.
In this case, sending auto-responses or messages to the candidate on the status of their application is fine. However, you need to be aware that your definition of ‘legitimate interest’ will be up to you – how long you choose to interact with a candidate for other role opportunities after their initial submission, or risks you take by adding candidate data via other means (adding details manually, using our Chrome Clipper, CV Drop system, data imports) will be need to be set by you as a business, in a way that makes you feel fully comfortable.
Before GDPR becomes official on 25th May, 2018 – you will be required by us to accept our new terms and conditions that include your responsibility to be GDPR compliant and to update your current idibu candidates with an Opt in or Opt out status.
There is a positive opportunity to reduce noise to candidates, get rid of deadwood data – and allow your team to focus on the applicants who can really make a difference. If you have any concerns please contact your idibu Account Manager.
Frequently asked questions
What data is hosted or processed by idibu?
We hold candidate data, typically added into the idibu system via CV parsing tools. Data includes – name, address, email, telephone number, employment history and education. Other data provided by the candidate on their CV will be held within the documents attached to their idibu record. Data provided by the candidate to your users but not held within the CV can also be added manually by the user to the candidate record.
What is the purpose of idibu and how it uses the data?
idibu is a talent sourcing platform, allowing recruiters to multi-post adverts and process candidate applications. Candidate records can also be stored and talent banked for future opportunities if applicable.
Describe your server security and safety features
We keep all traffic encrypted with machines hosted via Amazon and Positive Internet. Our servers are managed by high level system administrators with regular security checks. Internal access to tools permitting client data access is protected with access keys.
Where is your data physically stored?
Our servers are in the UK and Ireland
Do you share any of our data with third parties? What is the reason and are they GDPR compliant?
Any third parties we work with must be GDPR compliant. idibu will not share data with any entity who cannot demonstrate this. We use Daxtra (ICO DPR Z5400781) CV parsing services to extract information from candidate CV’s such as latest role, work history and education to better enable our clients to work with candidate records, as well as power our Talent Pool searching.
We also utilise the services of FullContact to allow us to provide further publicly available social footprint information on candidates who are GDPR compliant (see their statement).
How can we inform you of a data subject’s ‘right to be forgotten’, and what processes are in place to comply with this request once you receive it?
idibu users with ‘delete’ permission are able to delete the candidate record from inside the system. The data deletion action is processed straight away when initiated by the user.
How you will comply with a data subject access requests?
How long do you retain candidate data?
Our standard period is 3 years after which we pseudonymise or remove the data completely. We are looking to introduce an update that will allow our clients to set a lower individual period if they wish.