At a glance:

• Meet the legal bases of ‘legitimate interests’ or ‘consent’
• Create and configure a privacy statement on your careers site
• Custome data retention period
• Anonymise or delete your data
• Automated renewal process
• Flexible solution to meet your organisation’s Data Protection policy and requirements

Establishing a legal basis for processing recruitment data

As you may be aware, the Data Protection Act requires you to process data lawfully, in line with a legal basis. ‘Consent’ or ‘legitimate interests’ are typically the two most relevant bases you can use to justify data processing activities for in-house recruitment purposes, and to be compliant alongside data protection legislation.

Hireserve ATS ensures you have the toolkit you need to comply with this element of the regulation.  You can to create and configure a privacy statement which appears on your careers page and which you can link to from all your application forms. The system also provides a consent mechanism which allows you to present a link to your privacy statement or request consent when candidates apply for a job or register for an account with you.

This means we can support both ‘Consent’ and ‘Legitimate interests’, whichever is your chosen lawful basis for processing candidates’ personal data.

Remember, under Data Protection law, consent must be ‘freely given’, so your candidates must have the option to ‘opt-in’ or not. It must demonstrate an affirmative action too, such as actively ticking a box.

The privacy policy also enables you to meet another data protection principle of the GDPR, which is that of ‘transparency’. You must be clear on how, why, and when you process your candidate and job data. You can include all this information in your privacy statement.

Managing your data retention

Another principle of the EU GDPR and the UK Data Protection Act is that of ‘storage limitation’. Compliance with this rule looks like setting and adhering to data retention periods.

To ensure you can be compliant with this requirement of the law, Hireserve’s Applicant Tracking System enables you to set a custom data retention period. You can then choose whether after this time, a candidate will automatically be anonymised (to preserve your reporting capabilities) or deleted entirely.

You also have the tools to re-engage candidates who are nearing their data retention expiry date with an automated renewal process.

1. Setting your data retention period:  Hireserve ATS allows you to set your custom data retention period in days. Whether that’s six months, a year, or however long you’ve chosen to retain candidate data. The system will then automatically remind you when a candidate’s data retention expiry date is approaching.
   h
2. Automatic Removal:  Of course, if you have a high number of applicants, it would be simply impossible to keep track of every expiry date individually. Depending on your preferences, Hireserve ATS can automatically remove candidates once they’ve expired, either by deleting them or by anonymising them.This will save you time, and help you be more confident that you can demonstrate compliance with the regulation.
   h
3. Automated Renewal:  When an applicant’s expiry date is approaching, you may wish to retain their details in your database. Hireserve ATS’ automated renewal functionality allows you to re-engage candidates who are reaching their data retention expiry date by sending them a new consent question (if you require consent), or by sending them a link to your privacy notice (if you’re using legitimate interest).
   h
   Again, this functionality can help you to balance the need to maintain engagement with your candidates whilst also meeting processing, personal data, information security and all other requirements of data protection law and GDPR compliance.

Please remember

…to always seek guidance from your organisation’s Data Protection Officer, legal team or other qualified and professional data protection authority. This is vital to ensure protection of your candidates’ data, and of you as an employer.

The tools within an Applicant Tracking System are not enough to ensure full GDPR compliance. You also need to ensure that your organisation has clear data protection policies and procedures in place to support and protect your recruitment processes.

From meeting data subjects’ requests (a candidate would be referred to as a ‘data subject’ under the GDPR guidance) to having robust personal data breach procedures, you need to be able to prove that you are aware of the risks that processing personal data carries, and have clear resolution and security controls to protect your candidates’ personal information. 

In addition, as the ‘data controller’, you need to have a clear understanding of how third-parties might process your candidates’ personal data. If you’re using job boards, recruitment agencies or other recruitment partners, for example, you must be confident that they too can meet UK Data Protection guidance. The same would go for an HR software provider, if you are transferring data from your Applicant Tracking System into another system. They must understand the data protection principals of GDPR compliance.

You may also need to have policies in place to make sure you can process non-EU data safely and in-line with information security guidance and other privacy regulations.

Discover more

If you’d like further details on the Data Protection functionality within Hireserve ATS, take a look at our Data Protection and in-house recruitment information, or Contact Us. We’ll be happy to answer any questions you might have.