If you’re not sure yet, here are the five questions you need to ask your ATS provider…
1. Will your ATS provider review your contract?
Under the GDPR, data controllers and processors must share a binding contract. The upcoming regulation sets out a lot of new information that needs to be included in that contract.
Your contract will have to include more detail about the processing of data, such as the subject matter, the duration of processing and the purposes behind its use.
Start conversations with your ATS provider now to understand whether this step is in their GDPR-compliance action plan.
2. Will they assess their security processes?
As a diligent data controller, you need to be confident in your ATS provider’s cyber security and data protection measures.
Ensure you clearly understand how your ATS provider protects the data it processes on your behalf.
The GDPR sets out rigorous data breach notification requirements, so you should ask whether your supplier has robust procedures in place should they suffer a breach.
3. Will their ATS help you to manage candidate requests?
One area your ATS provider may need to consider is your candidates’ rights. Under the GDPR, candidates have enhanced rights, including the right to request that their data is erased or updated.
Talk to your ATS provider about whether they are going to implement new features to help you address candidate requests like these. You should be able to update or erase candidate records simply and easily, and may also need a way to record those changes should you ever be audited.
4. Can candidates self-serve with their ATS?
As individuals have the right to request access and make changes to their personal data, consider asking your ATS provider whether they can offer a self-service portal so candidates can log in and update their own information.
This can reduce administration for you whilst ensuring your candidates feel confident in the accuracy and relevancy of their data.
5. How else will their technology help you meet your GDPR requirements?
Under the GDPR, you will need to identify an appropriate legal basis for processing your candidates’ data. The GDPR sets out six to choose from, and it’s likely that ‘legitimate interest’ or ‘consent’ will be most appropriate for recruitment processes (do ensure you discuss this with your legal team or GDPR advisor).
It’s important that you can prove that you have fairly and lawfully collected your candidate data, so ask your provider how they will help you to record your legal basis in your ATS should you be audited or receive a candidate request for information.
Working with your ATS provider
At this stage, you should expect your ATS supplier to be open to discussing what their responsibilities are under the GDPR, and they should have a plan in place as to how they will support your compliance efforts by May 2018.
Looking for more? Download your comprehensive In-house Recruiter’s Guide to the GDPR. It is full of checklists and helpful guidance, and was created with international law firm Osborne Clarke LLP.
Disclaimer: The information in this blog post concerning technical, legal or professional subject matter is for guidance only, and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter.
Established in 1997 and trusted by organisations across the globe, Hireserve is an ATS provider. We’re committed to helping recruitment teams prepare for the GDPR and ensuring our customers have the technology and support they need to meet their requirements.