GDPR, the way procurement actually asks for it

Generate a complete subject access export in JSON or as a per-table CSV ZIP. The export covers staff records, profile responses, skills, audit log entries, AI usage events, applicant records, and previous privacy requests. Decryption uses the tenant key.

Identity gate: exports require a verified privacy request. Verification is by email confirmation or recorded ID check, not just an admin clicking a button.

Corrections are recorded in a separate, append-only rectification log. The original value, the corrected value, who requested it, and who actioned it are all captured.

Why append-only: so a subject can prove their record was wrong, not just that it is right now.

Erasure cascades. When you erase a subject, every linked record across staff profiles, applicant submissions, AI conversation transcripts, notes, tags, and skills is removed or pseudonymised in a single operation, with a full audit trail of what happened.

What survives: only the audit log, with the subject's name replaced by "[erased]". You can prove the right was honoured without keeping the data.

Applicants are told upfront that AI helps with skill extraction and compatibility scoring. Every score includes a breakdown of what was matched and what was not. Any applicant or admin can request human review of an AI decision.

Why it matters: Article 22 says people have the right not to be subject to a decision based solely on automated processing. Human review keeps you the right side of that line.

Per-category consent, with history

Consent is not one switch. SkillDrill captures and stores it per category: essential, marketing, analytics, AI training. Each user sees what they have agreed to and what they can change, and every change is recorded with a timestamp so you can prove what was true on a given date.

Withdrawal works: when a category is withdrawn, processing stops for that purpose immediately. There is no flag-and-forget.

Automated retention

Scheduled jobs run on cron without human intervention. Old data is aged off according to your tenant policy, applicant records are deleted once they pass their configured retention window, and outstanding privacy requests are chased before the 30-day deadline.

You set the windows: per-tenant retention is configurable. The defaults are conservative.

Children's data, UK AADC aware

The application flow includes an age gate before any AI conversation starts, and the apply experience adapts under the UK Age Appropriate Design Code. AI disclosure language and consent capture are tuned to age, not just to jurisdiction.

Why this matters: the AADC applies to any service likely to be accessed by children in the UK. If you let people under 18 apply, this is your problem too.

Incident log and 72-hour notice

If something goes wrong, the incident log captures what happened, who was affected, what data categories were involved, and the timeline. A regulator-notice email template is ready to go so the 72-hour notification under Article 33 is a fill-in, not a scramble.

What we do for you: we will notify you of any incident affecting your tenant within 24 hours, with the technical detail your DPO needs.