GDPR is here, the great news is that as a Herefish customer, once you have your strategy in place, compliance can be almost completely automated. This article is focused on common ways that firms are putting their GDPR strategy into practice using Herefish. 

This is NOT legal advice and it is also not anything close to a complete description of the regulation or how to build a strategy. There are many firms and resources for that, please let us know if you need help developing your complete strategy and we can introduce you to the pros!

To be honest, like all things GDPR, the setup of GDPR automation can be a bit complex. We are happy to work through it with you, but this article covers a common approach for automating many of the key steps. Like most other things in Herefish, it consists of some new automations and new lists linked to those automations. 

We suggest 4 different automations:

  • Gather Consent - once someone reaches a certain age, you'll request their consent to store their data.

  • Inform - Inform a contact that you've got their data, share policy and gather consent (where applicable).

  • Consent given - Update ATS to track time and date of consent

  • Consent revoked - Update ATS to opt-out the contact and/or forget the contact


Gather consent
This is generally done across 2 - 3 emails, with a week or so between. In each email, we recommend alerting the contact that they will no longer receive opportunities from you. The last step will be a wait period (we suggest around 2-3 weeks) to allow them time to click the link before assuming that consent was not given.

A common point of view is to frame the message around you wanting to help them improve their career and being given their consent allows you to do that. 

Often this is a very simple or plain text message with a large YES button and link to your data policy. Herefish will track them clicking the YES button or visiting the YES page on your website (explained in a later step). 

When a new contact is added to the system this automation will ensure they are informed that you've got their data and allow them to provide you with consent. Similar to the campaign above, you'd likely have a simple button with a YES and link to your data policy. 

Consent given
Depending on your Recruitment CRM and process, Herefish can update the appropriate fields based on the candidate/contact record. 

This will be done by tracking a user's click on the button in your email or visiting the page on your site. These people will be identified in the list outlined below.

Consent revoked
Similar to "consent given," depending on your Recruitment CRM and process, Herefish can update the appropriate fields based on the candidate/contact record. 

This is often done by lack of an action and time passing. These people will be identified in the list outlined below.


Gather consent
This list will be created in your Recruitment CRM. You will likely want to find a list of people between X and Y years ago. You'll want people to continue to automatically be added as soon as they reach a certain age, so we'll set it to be dynamic. 

For our example, we'll say we want to attempt to get consent for everyone who doesn't have a note in the last 2 - 5 years ago and doesn't have a status of "Do Not Use."

To run this search, you'll save a search with the following criteria 

  • status does not equal do not recruit (and any other info to remove contacts you don't want to gather consent for)

  • last note after 5 years ago - This will likely actually be a set date in your database

Once you've got that search saved, you'll go into Herefish and the additional dynamic date filter:

Last note before 730 days ago

That will now only import people with a note in the last 2 - 5 years. 

This is a list is a similar concept to the one above, but it will likely be based on date entered. You may also want to include the source of the candidate, as permissions/messaging may differ depending on where you found them.

Consent given
Here you'll create a "dynamic list" in Herefish. You will build it based on if they clicked on the link or visited the thank you page after consent is given. We generally suggest doing both, in case consent was procured from a source other than email, allowing us to automate it in either case.

Your search will likely look similar to the image below:

Consent not given
This will also be a dynamic list in Herefish. You'll add them to this list once they've completed the automation requesting their consent and only if they did not click on one of the consent links.


Surveys are the most powerful way to automate your GDPR process, as they allow you to give your Contacts a choice as to what they would like to give consent for, and will update your Bullhorn Consent Module accordingly allowing your GDPR to be consistent across platforms.

A basic example of a GDPR can be seen below, specifically asking Contacts to differentiate consent for legitimate recruiting practices, versus Newsletters or Email Marketing.

Hi can fill out these questions? 

Tying everything together

You'll now add each of the lists to their associated campaign. You'll also add the "consent given" list as a suppression list to the "Gather Consent," campaign, so you'll automatically stop sending requests for consent, once it is given.

Did this answer your question?