SmartRecruiters Blog

GDPR: Does Your ATS Vendor Have You Covered?

We are mere days away from the European Union’s game-changing data privacy legislation. If you’re in Talent Acquisition, your first question is whether your ATS is a strength or a liability.

For citizens of the European Union, the General Data Protection Legislation (GDPR) will protect and enforce how their private data is used and stored online, anywhere in the world. In the wake of the Cambridge Analytica/Facebook scandal and growing malaise about online organizations monetizing user profiles, new rules from Brussels are, for once, largely welcome by netizens.

For companies that do business with the EU, or employ even one EU citizen of 500 million, becoming GDPR-compliant before May 25th has been everything from a mild headache, a few extra legal bills, to a complete overhaul of how customer/employee data is stored.

Whether in Europe or elsewhere, you may have noticed several changes to your favorite sites and platforms’ Terms and Conditions recently. Not that you went and checked. Everyone from Facebook to Twitter to LinkedIn has been emailing, and with various shades of marketing-speak, asking you politely and humbly to update your service agreements. And GDPR is the reason.

Talent Acquisition leaders, has your Applicant Tracking System done the same? If not, you could be in trouble. And with maximum penalties for non-compliance set at 4% of last year’s annual gross, or €20 million, whichever is higher, those who’ve ostriched themselves from the hassle could potentially face bankruptcy.

A whopping 70% of those surveyed said they weren’t ready for GDPR, and a lacking, lagging ATS is as big a part of the problem as human indifference.

HR and Recruiting are the great crossroads of GDPR. Our business is based on collecting and analyzing personal data, so we have to be extra-vigilant. Now that GDPR is real, SmartRecruiters (in GDPR terms, the Data Processor) wanted to see if everyone, or anyone, in the field had put in the same amount of work we have into being GDPR compliant. We surveyed a group of 30 TA professionals who use various ATS vendors, to see how clear they were on GDPR compliance and where they may have missed some details. The results were, well, not great.

But don’t freak out just yet. Let’s start with the basics. GDPR requires TA departments (the Data Controller) to store information on candidates (Data Subjects) with their consent. This could be a fix as easy as adding a second T&C button that gives you permission to store their data, which, by them wanting to send you their CV in the first place should be fine. GDPR just means you have to have their clear and unambiguous consent, and if they ever ask you to delete their data, you have to be able to prove you have. Easy enough, but 32% of respondents didn’t know if their ATS was capable of that, over 50% didn’t if, when, or how a candidate’s consent was obtained or stored. Ten percent were certain their ATS did none of this. Yikes. This is compliance 101, people. And given the reams of often ambiguous clauses in the regulation, relatively easy to patch.

If you’ve got your candidate-facing front-end covered, it’s time to look at who exactly has access to the data you store. Our respondents scored a little better here, with 90% of them aware of access limits to the data stored on their ATS. However, 20% said they kept no log of who in their organization had access to the personal data at what time, and that’s a GDPR no-no.

While 72% of surveyed confirmed their ATS kept logs of interview feedback and recruiting notes throughout the hiring process – if not satisfying the GDPR demand for “transparency”, at least proof of operating on good faith, which the more overarching of regulations value highly. They know better than anyone how hard full compliance will be. The big problem here is that 61% said they didn’t know whether the same data sets were transferred to third party vendors, like payroll or onboarding applications. That’s a problem. It’s precisely this kind of hole that regulators will consider a data breach – and under GDPR, reporting a data breach is mandatory.

If you’re wondering about the compliance capability of your ATS, ask yourself whether your ATS allows you to

  • Set access authorization policies to limit access to candidate data?
  • Support limited access rights for Works councils?*
  • Log changes in access rights?
  • Limit cross-border data transfers, e. g. between the US and Germany?
  • Provide a process to map data transfers?

In regards to candidate data processing, does your ATS

  • Keep a record of processing activities in place?
  • Destroy, erase or anonymize candidate data when no longer legally required?
  • Comply with regional data retention limits or specific legislation, if there should be any? Let candidates exercise the right to update their data by themselves?
  • Fulfill right to be forgotten (RTBF) requests?
  • Analyze all of the personal data you store and process to improve data governance? Map all processing activities in order to identify all processors incl. third parties (in EU and in third-party countries)?

For data security, can your ATS provide

  • A written Data Processing Agreement (DPA)? Incident management policies?
  • A data recovery policy?
  • Secure data backups?
  • Notifications to inform you and your candidates of data breaches?
  • A Data Protection Officer registered within the EU to oversee security-related issues?

If your palms are starting to sweat a bit, your ATS provider should, legally, have all the answers you seek, and if they don’t, well, don’t fall prey to the sunk-cost fallacy. Get out asap and sign on with an ATS vendor that knows what they’re doing.

We’re pretty sure we can recommend someone to help you with that.

Write to us at SmartRecruiters for your free GDPR-compliance assessment.

*A Works council is a body of employees elected to represent their fellow employees. Works councils exist in many European countries, including United Kingdom, Germany, Austria, the Netherlands, France and Spain.


Peter Braun