How are we planning to ensure compliance with the new GDPR for EU citizens serving as applicants?
Consent: In addition to the account creation page for applicants, we are adding a checkbox notifying the applicant of their rights and how their data will be collected and used. They will be unable to create an account and apply to a program without providing consent to collect and store their data.
Mandatory Breach Notification: We must notify the supervisory authorities within 72 hours of discovering a security breach.
Right to access, Right to be forgotten, & Data portability: These are three requirements with which we are already compliant. Unless the applicant’s records have been deleted, we always make the records available to applicants upon their request in a universal format (CSV and/or PDF) and will also delete their records, in full, immediately upon their request. We notify the associated provider(s) of the deletions, and you will also be required to delete any records you have obtained from those applications.
Data of any kind is never shared with third parties. The data collected on your behalf is available only to you and your admins, can be deleted partially or in full by you, and all data collected by us on your behalf can and will be permanently deleted upon your request.
This is all part of our company policy today and applies not only to citizens of the EU, but to all applicants. We respect every individual’s right to privacy and their own personal data, and we know our clients do as well.
Privacy by design: This means security must be built into the process and products from day one. As part of SmarterSelect’s practices and internal policies, data collected by and held within our databases is never distributed to or accessible by third parties. Privacy of user and application information is considered as a matter of our policy and culture any time we add new features or make changes to existing features and processes.
What is your role & responsibility as a program administrator?
While SmarterSelect stores, collects, and protects your data, it is still your data. Therefore, it is important that you and your organization review the GDPR and ensure your practices and policies are also in line with the requirements, as you have full access to the data, including the ability to export and store the data at your own facilities.
If you receive a request from an applicant who desires to have their account or applications removed, please be sure to also contact our Support Team to ensure we delete such information from our records as well.
Last Revised May 6, 2019