GDPR Compliance – how does your ATS support you?

By Paula Smith | 21st June 2021 | 8 min read

GDPR compliance should be at the heart of every recruitment process. The EU GDPR was introduced in May 2018 and sent some employers into a mild panic as they raced to review their recruitment processes and make the adjustments needed to meet the new regulation and the improved rights it gave candidates.

Now that the UK has left the EU, the EU GDPR no longer applies directly to the UK. However, its core data principles, rights and obligations have been incorporated into UK data protection law, so employers still have to abide by the same key principles. As a result, your ATS should be instrumental in ensuring GDPR compliance throughout the recruitment process.

The new additions to the UK Data Protection Law state that the data you collect as part of your recruitment process must be:

(a) processed lawfully, fairly and in a transparent manner;

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; 

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; 

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

How does this affect the way you recruit? 

GDPR compliance starts with understanding the rights of individuals. Candidates are ‘data subjects’ because the information they provide as part of your recruitment process (e.g. names, addresses, email addresses, phone numbers) means they can easily be identified.

The GDPR is designed to protect this kind of data and the data subject has rights over how you can process and store this information. 

As an employer, you are considered a ‘data controller’ and therefore responsible for protecting the data you collate and ensuring that it is used appropriately. 

Key GDPR compliance requirements that your ATS should support 

Store Candidate Information and CVs Lawfully

As a data controller it is your responsibility not only to ensure that every candidate agrees to how you intend to process and store their details but also to keep a record of when this consent was given as proof should this be required. 

The simplest way to ensure you obtain the necessary consent every time is by introducing a centralised registration portal that requests that every candidate views and agrees to your Privacy Policies and automatically records the time and date they provide consent. 

All applicants must provide consent as they register or apply for a role. Should a candidate send you a CV via email, this may be considered implied consent, but it is not sufficient consent for you to manually add their details to your recruitment software, or to store their details in a designated inbox for future use.

The fact is that every candidate must agree to your Privacy Policy which includes how you are going to process this data, who has access to it, who you will share it with, where and how it is stored and for how long. 

It can be argued that the act of sending you their CV and contact details constitutes consent for you to contact the candidate about employment opportunities. However, in line with GDPR compliance, if you choose to make contact this should be done purely to direct them to your online registration portal, where you can provide access to your Privacy Policy and obtain the necessary record of when the candidate gave consent.

Limit access to information and functionality 

Printing a copy of a candidate's CV to use as a reference throughout the interview is standard practice across many organisations. However, in line with GDPR, printing out and creating hard copies of personal information such as applications and CVs presents a whole host of potential data breach opportunities.

Whilst we recognise that some companies may require their ATS to support printing CVs and applications, HR should also be able to restrict access to this functionality and, where possible, remove the option for users to print, to help reduce the risk of a data breach. GDPR compliance is also about ensuring that only the people who need to access data can do so.

If, as an organisation, you allow line managers to print CVs, then strict procedures need to be in place to determine how and where the document is stored, who can access it and what you do with it after it has served its purpose.

Printed CVs are treated in the same way as information held online. You must ensure that the information is kept securely and is only accessed by those who need to see it as part of the application/selection process.

In case of a data breach, you will need to provide an audit trail. If you have allowed the information to be printed this could include who printed the CV, where it was being held, how many copies had been made and who had access to the information.

Unless they are locked away in a cupboard, signed out by assigned individuals and viewed within an extremely strict environment, it is almost impossible to accurately record who has accessed the document, read it, taken a copy or shared it, etc.

And without this information, you may not even be aware that a data breach has occurred!

Allow candidates to manage their own data 

Under the GDPR, individuals have the right to have inaccurate personal data rectified. Although you may have taken steps to ensure that the personal data was accurate when you obtained it, it's important to recognise that key information such as names, addresses, contact details, job roles and qualifications can all change within a short period of time.

Whilst an individual can request rectifications either verbally or in writing, the process can be easily simplified through the use of a self-service candidate account. 

Giving candidates the opportunity to update their contact details is the absolute least your ATS should allow. Editing their profile and job alert preferences, updating references, withdrawing an application, downloading their data and deleting their account altogether can all be supported through tailored technology. Whilst GDPR compliance is possible without a centralised platform, managing the process can be extremely cumbersome!

Support the management of your Talent Pool 

For organisations that did not have the necessary consent to store an individual's personal data when the legislation came into effect in May 2018, talent pools built over many years became redundant overnight.

The process of manually adding candidates' details from their LinkedIn profile or a CV database also had to be quickly reconsidered: even though this information is publicly available on the internet, that does not give you the right to store and process it in your own talent pool. In fact, as the information can easily be found and accessed at any time, you have no need to store it either.

Again, a robust registration process and a clear audit trail of candidates actively agreeing to your Privacy Policies is the only way to build a talent pool for your future requirements.

Your ATS should also support GDPR compliance by automatically removing data in line with the terms outlined in your privacy policy. However, retaining as many people as possible within your talent pool should also be a top priority, so automatic communications need to be sent before the data is deleted, giving candidates the opportunity to review and update their data and continue to receive job alerts.

Remember, if a large proportion of your data has not been updated in the last 6 months, contacting these people would provide very little value anyway. Not only will they have added to their work experience, but key elements such as address and contact details may have changed too.

You now not only need them to consent for you to keep their data but need them to update it as well! 
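As an added example (not part of the original article, and not IRIS networx code), here is how the consent record described under "Store Candidate Information and CVs Lawfully" and the retention sweep described in this section fit together in Python; the 365-day retention period and 30-day warning window are assumptions standing in for whatever your own privacy policy states, and the sample talent pool is constructed.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RETENTION = timedelta(days=365)     # assumed: retention period stated in your privacy policy
REMINDER_LEAD = timedelta(days=30)  # assumed: how long before deletion the candidate is warned
STALE_AFTER = timedelta(days=180)   # the "not updated in the last 6 months" threshold
@dataclass(frozen=True)
class CandidateRecord:
    candidate_id: str
    last_updated_at: datetime                    # last time the candidate touched their profile
    consent_given_at: Optional[datetime] = None  # None: never agreed to the privacy policy
    policy_version: Optional[str] = None         # which policy version they agreed to
    reminder_sent_at: Optional[datetime] = None

def record_consent(rec: CandidateRecord, when: datetime, version: str) -> CandidateRecord:
    """Registration portal step: keep proof of when consent was given and to which policy."""
    return replace(rec, consent_given_at=when, policy_version=version, last_updated_at=when)

def candidate_updated(rec: CandidateRecord, when: datetime) -> CandidateRecord:
    """Self-service update: restarts the retention clock and clears any pending warning."""
    return replace(rec, last_updated_at=when, reminder_sent_at=None)

def classify(rec: CandidateRecord, now: datetime) -> str:
    """Decide what the scheduled retention sweep should do with one record."""
    if rec.consent_given_at is None:
        return "delete"              # no recorded consent: no lawful basis to hold it
    expiry = rec.last_updated_at + RETENTION
    if now >= expiry:
        return "delete"              # the policy's retention period has run out
    if now >= expiry - REMINDER_LEAD:  # warning window: one reminder, then wait
        return "remind" if rec.reminder_sent_at is None else "pending_deletion"
    if now - rec.last_updated_at >= STALE_AFTER:
        return "stale"               # lawful to hold, but of little value until refreshed
    return "keep"

def sweep(records: List[CandidateRecord], now: datetime) -> Dict[str, str]:
    return {r.candidate_id: classify(r, now) for r in records}
NOW = datetime(2021, 6, 21, tzinfo=timezone.utc)  # fixed clock for the constructed sample
def _registered(cid: str, days_ago: int, version: str) -> CandidateRecord:
    when = NOW - timedelta(days=days_ago)
    return record_consent(CandidateRecord(cid, when), when, version)
SAMPLE_POOL = [  # constructed talent pool, not real candidate data
    _registered("c1", 10, "v2"),
    _registered("c2", 200, "v2"),
    _registered("c3", 345, "v1"),
    replace(_registered("c4", 345, "v1"), reminder_sent_at=NOW - timedelta(days=5)),
    _registered("c5", 400, "v1"),
    CandidateRecord("c6", NOW - timedelta(days=3)),  # CV emailed in, never registered
]
```

Running `sweep(SAMPLE_POOL, NOW)` keeps c1, flags c2 as stale, reminds c3, leaves c4 pending deletion, and deletes both the expired c5 and the never-consented c6.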

Help process Subject Access Requests (SARs)

As a direct result of the new GDPR legislation, individuals became more aware of their rights when it came to storing and processing their data.

One of these rights is the ability to ask an organisation to provide a report on all the information it holds about them, known as a Subject Access Request or SAR.

Organisations have a duty to respond to all requests and provide the information within one calendar month of receiving the request, unless the request is considered excessive, in which case longer timescales can be agreed.

Many organisations, however, fail to recognise that when a candidate requests a copy of their personal data, this also includes information such as application form answers, interview notes (including handwritten ones!), test scores, background check results and decline notes, etc.

Putting aside the nightmare of managing handwritten interview notes, collating this information and providing it in a legible format for the individual to view without technology can be a very time-consuming exercise.

However, it is not just about producing a huge data dump; you also need the ability to redact certain information. Due to the nature of the information, there may be a need to redact any notes which relate to another data subject and save a copy of the amended version.

One of the key principles outlined in GDPR compliance is the need to provide candidates with a clear outline of how their information will be used, how it will be stored, who has access to it, and who the information will be shared with. 

This needs to be clearly stated in your privacy policies and adhered to. 

Does your ATS help you manage recruitment in line with the GDPR? Or are you at risk of a data breach or a potential fine?

Find out more about our IRIS networx ATS today.