AllyO and GDPR: Addressing Privacy for AI Recruiting Platform
By Nick Possley, Head of Data Products and Engineering
AllyO, a leader in HR technology, addresses privacy requirements in GDPR. Employers in the EU can plan to utilize AllyO AI recruiting platform to automate their recruitment workflows without the worry of GDPR compliance.
GDPR Background
GDPR stands for General Data Protection Rights. It is a new EU law designed to protect individuals data from being misused and invading their privacy. It is effective May 25th, 2018. Here’s a link to the GDPR page for more background:
EU GDPR Information Portal
In addition, here’s another link that breaks down the law into simple terms article by article:
https://blog.varonis.com/gdpr-requirements-list-in-plain-english/
The law applies to companies who specifically target EU citizens with their products, services and marketing and requires the following:
- Consent: Before collecting data, users must give consent. Consent must be explicit, simple and clear in what data will be collected, how the data will be used, how long it will retained, who to contact to manage it, who will access it, how it will be protected, etc.
- Opt in / out: In addition to consent, the user must be able to opt in or out of different services tied to their data. For instance, they can choose to opt in for profiling as it may give them better targeted ads for product they care about and they have agreed to it.
- Data Management: User must be able to delete, update, modify, opt-in or opt-out of services, download their data in a machine readable format, and/or access a log of all data accesses that includes when and who, at any time.
- Secure Infrastructure: At a minimum, data-at-rest (data stored in a database) must be encrypted and protected from unauthorized access. Data-in-motion should also be encrypted and protected. Furthermore, data stored should be pseudonymized to ensure that personal identifying information is not easily accessible in one place.
- Privacy Centric Processes: Only collect the data you need to perform a given service. Do not collect more than what is necessary and only hold on to data as long as you need to provide a given service.
- Breach Detection and Notification: Infrastructure must be added in order to detect data breaches and notifications sent within 72 hours once a breach is detected.
One additional consideration is the role a company plays in utilizing the data. There is a controller and a processor. A controller decides what data needs to be collected and how it needs to be processed. A processor processes the data as defined by the controller.
Penalties for non-compliance are quite high. A minimum of €20M or 4% of turnover, whichever is more.
While privacy is important to protect for customers and individuals, it will take time, effort and investment to support all of these capabilities. In the meantime, it can be unclear, when GDPR is applicable and when it is not. According to Article 3 (https://gdpr-info.eu/art-3-gdpr/), this regulation applies when goods or services are specifically targeted to EU citizens or EU citizens are specifically monitored / profiled no matter where the company resides. If a North American company offers goods or services in the EU for EU citizens, then they fall under GDPR. Conversely, if a North American company offers goods and services to North American citizens, it does not fall under GDPR even if an EU citizen decides to login into the North American website. Here’s a link with a nice analysis of this problem: https://iapp.org/news/a/what-does-territorial-scope-mean-under-the-gdpr/
Certifications are another area that is gray, but will likely become required as liabilities are quite high for non-compliance. There are certification bodies that are starting to emerge such as http://www.eugdpr.institute/obtaining-a-eugdpr-institutes-gdpr-certification/.
AllyO’s take on GDPR
From AllyO’s standpoint, our NLP technology is a great fit for ensuring privacy controls as users can always interrupt the flow at any time to change something, they can ask in their own way, and then resume their conversation. They don’t have to find cryptic links on websites or sift through a long webpage to find the data management portal. They simply ask a question, “Do you have my data?” and Ally responds with all of their options. Example below:
| Applicant: Do you have my data? | |
Ally: Hi, This is Ally. Thank you for reaching out regarding your data. Privacy is very important to me and I want to make sure you feel comfortable that your data is well protected. Here is a link to our Data Policy and Terms of Service: link I can send an email to authenticate access or ask you security questions, whichever you prefer. | |
| Applicant: I prefer email | |
| Ally: I have sent you an email in order to authenticate access. Once you click the link in the email and answer the questions, I will be happy to help you with your data. |
This provides security through two-factor authentication to prevent unauthorized access of their data. This is part of article 25 of GDPR for ensuring individuals data is not easily accessible by others. The applicant then goes to email and clicks the link to verify their identification by answering a few security questions.
Ally: Thank you for confirming your identity. I have the following information: Name, Phone Number, email, job selections, answers to screening questions. You consented for your data to be collected and utilized for employment application reasons on this date: 1/1/1 We have shared your data with the following employer: TBD, Inc. on the following dates: 1/1/1. Click this link to download a log of accesses to your data: Link We are utilizing your data to profile applicants for the employer, TBD, Inc. You consented to profiling on this date: 1/1/1. We will keep your data as long as the employer is a customer. You have the following options on your data: Delete, Download, Modify, Opt Out of Profiling, or No Change. What would you like to do? | |
This captures all aspects of data management as outlined in GDPR. The applicant can now fully manage their data, get a copy of their data, change their data, understand how their data is being used and who has accessed it. Furthermore, they can opt in or out of any profiling. They can know when their data was collected and when they consented. Since the interaction is conversational, applicants can easily understand and follow up with asking questions about their data. If Ally cannot answer a question, we will log the conversation and have someone on our team directly interact with the person.
Applicants also consent upon first chatting with Ally when their data is collected in the situation where Ally screens applicants before they complete an employment application. Below is an example of this flow:
| Applicant: Hello | ||
| Ally: Hi this is Ally, your personal recruiter for XYZ, Inc. We are really excited that you are interested in considering positions for XYZ, inc. To get the process started, we have to collect some personal information and authenticate your access. All information you provide will be utilized to determine your employment fit. Here is a link to our Data Policy and Terms of Service. Is this something you would like to continue? | ||
| Applicant: Yes *Applicant consents to have their information collected | ||
| Ally: Furthermore, your information will be used to help optimize our hiring decisions and provide better job choices for you. Do you agree to have your information utilized in this way? | ||
| Applicant: Yes *Applicant opts in to profiling | ||
| Ally: Great! What is your name and email? | ||
| Applicant: John Seneca, jsen@tbd.abc | ||
| Ally: Thank you for providing your information. Privacy is very important to me, so we need to go through an authentication process to secure your data. I have sent an email to your email address to confirm. Once you click on the link and answer a few security questions, we can resume our conversation. |
This is an example of how consent is gained and for the user to opt-in for profiling. Furthermore, we set up authentication for the data.
The applicant clicks on the link and answers 2 security questions for future authentication. Going back to texting, the conversation continues.
Ally: Thank you for completing the authentication process. I’m excited to move forward in the process for employment at XYZ, Inc. I will keep your data for X years. Anytime you want to access or manage your data you can text me at 000-000-0000 or contact me on this link. Only recruiters and hiring managers at XYZ, Inc. will have access to your data. Now to locate jobs in your area, please enter your zip code. *Users are fully notified of how long their data will be kept, who to contact to manage their data and who will be accessing their data. | |
Ally then continues the conversation with the applicant until they end the conversation with either an interview or they are disqualified. This example showcases how the NLP chatbot technology provides a simple and easily digestible user experience for Data Protection and their data can be managed from any mobile phone.
Regarding ATS
In the case where applicants have filled out an application in an employers Applicant Tracking System (ATS) and then Ally engages them for further screening and scheduling an interview, the applicant has already consented to provide their information when they filled out their application. Ally is simply picking up the information and processing it. Therefore, setting up authentication is not necessary. Ally picks up their email and phone number from the ATS then reaches out to them. Two-factor authentication can be utilized to manage data as in the first interaction described above, but collecting data can commence without additional consent.
Managing Data for Employers
Employers can login to the AllyO dashboard to manage their data through a convenient UI. They can choose to modify, download, or delete employer specific data and see a log of accesses to their data. Furthermore, they can manage their applicants data directly such as download, modify, or delete. In the context of GDPR, AllyO is a processor and the employer is a controller. The controller has options in how they want applicants data to be managed and stored. The controller can decide if they want AllyO to hold on to the data for further profiling or delete the data after a defined time period or delete immediately upon uploading to the employer. This gives the employer, as the controller of the data, the ability to meet their obligations.
Ally will reach out to the applicant if anyone takes any actions on their data such as delete or modify by sending an email as a notification.
Data Protection
For data protection, AllyO is utilizing the suite of tools available from AWS to ensure data-at-rest and data-in-motion are fully encrypted and access controlled through proper authentication and tiered account access limiting access to only those who really need it. Pseudonymization is utilized to ensure no one can see all of the data easily to better protect privacy. Unauthorized accesses are prevented through two-factor authentication.
As a policy, privacy is important to AllyO. We have built privacy into our design processes such that only the absolute required data is collected in order to perform an intended function and it is not held any longer than necessary. Full transparency and visibility are provided to any applicant or employer.
For data breaches, processes have been established to detect breaches and report within the 72 hour guidelines to the controlling authority.
When certification authorities are available for the HR tech segment, AllyO will complete the standard industry certifications as needed.
Overall, AllyO has applied our NLP platform to solve the GDPR problem in a unique way that captures the spirit of the regulation. We are wholly supportive in efforts to maintain privacy for individuals.
So if you are looking for HR technology in chatbots to meet your privacy needs it is important to ask the following questions:
- Do you collect personal identifiable information? This is information that can directly identify an individual.
- If so, how do you achieve consent and provide data management controls? Do you make this convenient and easy for my applicants?
- How are unauthorized accesses prevented?
- How does your infrastructure secure the data? Data-at-rest and data-in-motion should be secured.
- What logs do you collect on the data? All data accesses and data sharing should be logged as to when and by whom.
- Do you share data with a third party? If so, then the third party should also be GDPR compliant.
SUBSCRIBE TO ALLYO BLOG
Stay up-to-date with the latest insights and trends from AI recruiting brought to you by AllyO Blog!
