As an in-house recruiter, it’s likely you work with a variety of third parties, including your Applicant Tracking System provider.
The GDPR sets out stricter requirements for these third-party data processors, so there are several things your ATS provider will need to do to comply with it.
Before we get started: Terminology
In the context of this post, you (the in-house recruiter/employer) are a ‘data controller’ because you control the purposes for which your candidate data is processed. Your ATS provider, meanwhile, is a ‘data processor’, as it processes your candidate data on your behalf.
As the data controller, it is your responsibility to ensure that the third parties you work with, including your ATS provider, are GDPR compliant.
As such, you need to exercise careful due diligence, and ensure your ATS supplier is ready to meet the points below.
Will your ATS provider review your contracts?
Under the GDPR, the processing a data processor carries out for a data controller must be governed by a binding written contract, and the new regulation is much more prescriptive about what that contract needs to contain.
Contracts must set out the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of individual involved, and the obligations and rights of the controller.
It’s likely your ATS provider will need to seek legal guidance in order to properly review their contracts with you and their other clients. So start conversations with them now to understand whether this step is in their GDPR-compliance action plan.
Will your ATS provider assess their security processes?
The GDPR places a greater emphasis on the security of personal data, and has introduced new requirements around notifying and managing data breaches.
As a data controller, you will need to carefully review your organisation's own data processes. You must ensure your colleagues understand the security risks (such as leaving candidates' personal data unattended, or exposed to theft or misuse), and have clear internal procedures for what to do in the event of a breach.
You should expect your ATS provider to take security equally seriously. Again, this comes down to being diligent on your part. Ensure you clearly understand how your ATS provider protects the data it stores and processes for you. Does your supplier have robust processes in place should they suffer a data breach? And are they clear on your obligations as a data controller and how they can assist you as such?
The GDPR sets out tight notification requirements: as the controller, you must report a notifiable breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, and you must tell affected candidates without undue delay where the breach is likely to result in a high risk to them. Your processor, in turn, must notify you without undue delay after becoming aware of a breach. So you should also ask whether your ATS supplier will give you a way to contact affected candidates quickly, easily and appropriately if a breach occurs.
You can find out more about the notification and breach obligations on the ICO website, which offers official guidance about all elements of the new regulation.
Will your ATS provider explore technology to support you?
Now, this is an incredibly open-ended question, particularly as some areas of GDPR guidance are still to be confirmed. But it is worth starting conversations with your ATS supplier now to understand whether they are considering implementing new functions or features to help you meet GDPR compliance and better manage your candidate communications.
As an ATS provider, we will ensure our customers are able to meet their obligations, potentially through enhanced functionality or new tools.
We’re exploring ideas around reporting capabilities (should a customer be audited or face a candidate complaint around data storage or processing) and are looking at how we can make it as easy as possible for users to amend or erase candidate data when needed.
What should you expect of your ATS provider?
At this stage, you should expect your ATS supplier to be aware of the GDPR, and to be mindful of how it could impact your controller-processor relationship.
They should be open to discussing what their obligations are, and should have some plan in place as to how they will be GDPR compliant, and in a position to support your compliance efforts, by 25 May 2018, when the regulation applies.
As a diligent and responsible data controller, do start reaching out to your third party providers as soon as you can. From recruitment agencies to psychometric testing vendors, and from video interviewing to payroll providers, all platforms which process and store candidates’ personal data should be thinking very carefully about how to comply with the GDPR.
Find out more
Keep up to date with our GDPR In-house Recruitment Hub
Find out more about Hireserve’s Applicant Tracking System
The six key points of the GDPR you need to prepare for