Zoho Recruit's consent management settings helps you get consent from your data subjects by providing a system where you can customize the consent form, include it in your email templates, set consent related preferences, and most importantly, get assistance in keeping track of consent details.

Understanding Consent Management in Zoho Recruit

Best Practices for Consent Management

• Inform the data subjects on the purpose of consent and data processing.
  
• If you deviate from the original purpose of data processing for which you received consent, then you will need to get consent from the data subjects again.
  
• Make sure to keep your consent requests separate from any other terms and conditions.
  
• The consent request or form should contain details about who is collecting the consent (data controller), where the data is processed (data processor), and where the data is being shared.
  
• Maintain a proper record of the consent collected. This is important to demonstrate that the data subject has given proper consent to process data.
  
• Avoid usage of technical terms and legal jargons while getting consent. Keep your message clear and simple.
  
• Make a point of refreshing consent at regular intervals.
  
  

The Lawful Bases

The fundamental principle for handling personal data is that data must be processed lawfully and in a transparent manner. GDPR defines six lawful bases to process data. It is important to understand all of them as no one lawful basis is better than the others. Choosing the most appropriate basis depends on the purpose of data processing and your business requirements.

• Consent - When you have consent from the data subject to process their personal data. There must be a deliberate action on the part of the data subject to opt-in or give consent.
  Example: Collecting and processing personal data for marketing purposes or sending newsletters.
   
• Contract - When you have a contract with an individual to supply goods or services requested by them. In this case, you process data to fulfill the contract.
  Example: During a contract, when the customer asks for more information via email, the organization processes their personal data to respond to the request.
   
• Legal Obligation - When you have to process the data to comply with the law.
  Example: An employee's salary details are needed by a government institution or an investigation requires the processing of the personal data.
   
• Vital Interests - When you need to process data to protect someone's life or in an emergency.
  Example: Collecting personal details of the people to ensure their safety during an emergency or a fire.
   
• Public Tasks - When you need to carry out tasks in the public interest, usually as a government institution, political party, etc.
  Example: As a public authority who processes data for scientific research, surveys, or public health studies.
   
• Legitimate Interests - When your organization holds a genuine, legitimate reason to process data and the purpose does not harm the data subject's rights.
  Example: A customer has not paid their invoice and so the company needs to process the customer's data to collect payment. Alternatively, for administrative purposes, when an organization processes an employees' personal data for payroll.
  
  

Stages in Consent Management

There are three stages that you can track in Zoho Recruit with respect to consent as the lawful basis for processing data. Please note that primary email field is used to update the consent status in all the similar records that have the same email address as the primary one in your Zoho Recruit account. For example, you get consent from a candidate, and when you convert the candidate to a contact, the created contact will be updated with the consent status. If the primary email address is changed, you will need to get consent again.

• Pending - When the request for consent is not sent to the data subjects.
  
• Waiting - When the consent form has been sent and you are waiting for a reply.
  
• Obtained - When you have received consent from the data subject.
  
• Not Responded - When you have not received consent from the data subject within the waiting period defined in the Consent Settings.
  
  

Set Up Consent Form

The consent form can be customized and it allows controllers to state the explicit details for which they are obtaining consent. The following can be added in the form: 

• The purpose of data collection.
  
• Preferred communication channel.
  
  

To set up the consent form

1. Click Setup > Compliance > GDPR.
   
2. In the GDPR page, enable the option using the button.
   
3. Select the Language that you want your data subjects to view the form in.
   
4. Under the Consent Portal, do the following to customize the form:
   • Add relevant text to state the purpose of using their personal data and why you are getting consent.
     
   • For the Communication Preferences, add a short description. For example: Allow us to contact you through:
     
   • Click the Show/Hide links for the corresponding options (Email, Phone) to make them visible/hidden in the form.
     
   • Based on the selection, the option to send emails or make calls will be disabled for the corresponding records.
     
   • For Consent Statement, add a message that asks the data subjects to provide remarks, if any.
     
   • Add your Privacy Statement in the text box.
     
   • Specify any additional text before the Submit button in the form.
     
5. Click Preview to check the form, then click Save.
   
   

Getting Consent from Candidates

1. Open a data subject's record in your Zoho Recruit account.
   The record could be in the Candidates or Contacts for which GDPR Compliance is enabled.
   
2. Click Data Privacy.
   
3. Mark the Data Processing Basis as Applicable and select Consent from the drop-down list.
   
4. Under the Pending status, click the Send consent form link.
   
5. The Send Email page opens from where you can request for the consent. Attach files if there are any and click Send.
   
6. Once sent, the status will change from Pending to Waiting. 
   
   

You can even update the status manually. 

1. Under the Pending or Waiting status, click the Update consent details link.
   
2. In the Update Consent Details popup, do the following:
   
   • Select Email or Call, to maintain a record of how you received the consent.
     
   • In the Consent Date field, specify the date when you got the consent.
     
   • Add Consent Remarks, if any.
     
   • Select from the list of Communication Preferences mentioned by the data subject.
     
   • Click Save.
     
3. The status will change to Obtained.