How are we planning to ensure compliance with the new GDPR for EU citizens serving as applicants?
Consent: In addition to the account creation page for applicants, we are adding a checkbox notifying the applicant of their rights and how their data will be collected and used. They will be unable to create an account and apply to a program without providing consent to collect and store their data.
Mandatory Breach Notification: We must notify the supervisory authorities within 72 hours of discovering a security breach.
Right to access, Right to be forgotten, & Data portability: Three requirements with which we are already compliant. Unless the applicant's records have been deleted, we always make the records available to applicants upon their request in a universal format (CSV and/or PDF) and will also delete their records, in full, immediately upon their request. We notify the associated provider(s) of the deletions and you will also be required to delete any records you have obtained from those applications.
Data of any kind is never shared with third parties. The data collected on your behalf is available only to you and your admins, can be deleted partially or in full by you, and all data collected by us on your behalf can and will be permanently deleted upon your request.
This is all part of our company policy today and applies not only to citizens of the EU, but to all applicants. We respect every individual's right to privacy and their own personal data and we know our clients do as well.
Privacy by design: This means security must be built into the process and products from day one. While we are continuing to research and ensure we are in full compliance with this requirement, preliminary review shows that we are in compliance today. As we conclude our research, we will update this post.