AllyO and GDPR: Addressing Privacy for AI Recruiting Platform

By Nick Possley, Head of Data Products and Engineering

AllyO, a leader in HR technology, addresses privacy requirements in GDPR. Employers in the EU can plan to utilize AllyO AI recruiting platform to automate their recruitment workflows without the worry of GDPR compliance.

GDPR Background

GDPR stands for General Data Protection Rights. It is a new EU law designed to protect individuals data from being misused and invading their privacy. It is effective May 25th, 2018. Here’s a link to the GDPR page for more background:

EU GDPR Information Portal

In addition, here’s another link that breaks down the law into simple terms article by article:

https://blog.varonis.com/gdpr-requirements-list-in-plain-english/

The law applies to companies who specifically target EU citizens with their products, services and marketing and requires the following:

1. Consent: Before collecting data, users must give consent. Consent must be explicit, simple and clear in what data will be collected, how the data will be used, how long it will retained, who to contact to manage it, who will access it, how it will be protected, etc.
2. Opt in / out: In addition to consent, the user must be able to opt in or out of different services tied to their data. For instance, they can choose to opt in for profiling as it may give them better targeted ads for product they care about and they have agreed to it.
3. Data Management: User must be able to delete, update, modify, opt-in or opt-out of services, download their data in a machine readable format, and/or access a log of all data accesses that includes when and who, at any time.
4. Secure Infrastructure: At a minimum, data-at-rest (data stored in a database) must be encrypted and protected from unauthorized access. Data-in-motion should also be encrypted and protected. Furthermore, data stored should be pseudonymized to ensure that personal identifying information is not easily accessible in one place.
5. Privacy Centric Processes: Only collect the data you need to perform a given service. Do not collect more than what is necessary and only hold on to data as long as you need to provide a given service.
6. Breach Detection and Notification: Infrastructure must be added in order to detect data breaches and notifications sent within 72 hours once a breach is detected.

One additional consideration is the role a company plays in utilizing the data. There is a controller and a processor. A controller decides what data needs to be collected and how it needs to be processed. A processor processes the data as defined by the controller.

Penalties for non-compliance are quite high. A minimum of €20M or 4% of turnover, whichever is more.

While privacy is important to protect for customers and individuals, it will take time, effort and investment to support all of these capabilities. In the meantime, it can be unclear, when GDPR is applicable and when it is not. According to Article 3 (https://gdpr-info.eu/art-3-gdpr/), this regulation applies when goods or services are specifically targeted to EU citizens or EU citizens are specifically monitored / profiled no matter where the company resides. If a North American company offers goods or services in the EU for EU citizens, then they fall under GDPR. Conversely, if a North American company offers goods and services to North American citizens, it does not fall under GDPR even if an EU citizen decides to login into the North American website. Here’s a link with a nice analysis of this problem: https://iapp.org/news/a/what-does-territorial-scope-mean-under-the-gdpr/

Certifications are another area that is gray, but will likely become required as liabilities are quite high for non-compliance. There are certification bodies that are starting to emerge such as http://www.eugdpr.institute/obtaining-a-eugdpr-institutes-gdpr-certification/.

AllyO’s take on GDPR

From AllyO’s standpoint, our NLP technology is a great fit for ensuring privacy controls as users can always interrupt the flow at any time to change something, they can ask in their own way, and then resume their conversation. They don’t have to find cryptic links on websites or sift through a long webpage to find the data management portal. They simply ask a question, “Do you have my data?” and Ally responds with all of their options. Example below:

This provides security through two-factor authentication to prevent unauthorized access of their data. This is part of article 25 of GDPR for ensuring individuals data is not easily accessible by others. The applicant then goes to email and clicks the link to verify their identification by answering a few security questions.

This captures all aspects of data management as outlined in GDPR. The applicant can now fully manage their data, get a copy of their data, change their data, understand how their data is being used and who has accessed it. Furthermore, they can opt in or out of any profiling. They can know when their data was collected and when they consented. Since the interaction is conversational, applicants can easily understand and follow up with asking questions about their data. If Ally cannot answer a question, we will log the conversation and have someone on our team directly interact with the person.

Applicants also consent upon first chatting with Ally when their data is collected in the situation where Ally screens applicants before they complete an employment application. Below is an example of this flow:

This is an example of how consent is gained and for the user to opt-in for profiling. Furthermore, we set up authentication for the data.

The applicant clicks on the link and answers 2 security questions for future authentication. Going back to texting, the conversation continues.

Ally then continues the conversation with the applicant until they end the conversation with either an interview or they are disqualified. This example showcases how the NLP chatbot technology provides a simple and easily digestible user experience for Data Protection and their data can be managed from any mobile phone.

Regarding ATS

In the case where applicants have filled out an application in an employers Applicant Tracking System (ATS) and then Ally engages them for further screening and scheduling an interview, the applicant has already consented to provide their information when they filled out their application. Ally is simply picking up the information and processing it. Therefore, setting up authentication is not necessary. Ally picks up their email and phone number from the ATS then reaches out to them. Two-factor authentication can be utilized to manage data as in the first interaction described above, but collecting data can commence without additional consent.

Managing Data for Employers

Employers can login to the AllyO dashboard to manage their data through a convenient UI. They can choose to modify, download, or delete employer specific data and see a log of accesses to their data. Furthermore, they can manage their applicants data directly such as download, modify, or delete. In the context of GDPR, AllyO is a processor and the employer is a controller. The controller has options in how they want applicants data to be managed and stored. The controller can decide if they want AllyO to hold on to the data for further profiling or delete the data after a defined time period or delete immediately upon uploading to the employer. This gives the employer, as the controller of the data, the ability to meet their obligations.

Ally will reach out to the applicant if anyone takes any actions on their data such as delete or modify by sending an email as a notification.

Data Protection

For data protection, AllyO is utilizing the suite of tools available from AWS to ensure data-at-rest and data-in-motion are fully encrypted and access controlled through proper authentication and tiered account access limiting access to only those who really need it. Pseudonymization is utilized to ensure no one can see all of the data easily to better protect privacy. Unauthorized accesses are prevented through two-factor authentication.

As a policy, privacy is important to AllyO. We have built privacy into our design processes such that only the absolute required data is collected in order to perform an intended function and it is not held any longer than necessary. Full transparency and visibility are provided to any applicant or employer.

For data breaches, processes have been established to detect breaches and report within the 72 hour guidelines to the controlling authority.

When certification authorities are available for the HR tech segment, AllyO will complete the standard industry certifications as needed.

Overall, AllyO has applied our NLP platform to solve the GDPR problem in a unique way that captures the spirit of the regulation. We are wholly supportive in efforts to maintain privacy for individuals.

So if you are looking for HR technology in chatbots to meet your privacy needs it is important to ask the following questions:

1. Do you collect personal identifiable information? This is information that can directly identify an individual.
2. If so, how do you achieve consent and provide data management controls? Do you make this convenient and easy for my applicants?
3. How are unauthorized accesses prevented?
4. How does your infrastructure secure the data? Data-at-rest and data-in-motion should be secured.
5. What logs do you collect on the data? All data accesses and data sharing should be logged as to when and by whom.
6. Do you share data with a third party? If so, then the third party should also be GDPR compliant.