GDPR: 5 questions for your ATS provider

When you’re preparing for the GDPR, it is essential that you are working with supportive and knowledgeable technology partners.

Under the GDPR, your ATS provider will have new obligations. If you’re not sure how to begin conversations with your recruitment technology suppliers, here are 5 questions to get you started…

1. Will your ATS provider review your contract?

Under the General Data Protection Regulation , data controllers and processors must share a binding contract. The GDPR sets out a new information that needs to be included in this.

Your ATS supplier is your data processor, and will have new responsibilities under the GDPR which need to be reflected in your contract with one another. You are the data controller.

Data processors, controllers, data subjects – sound like too much jargon? Take a look at our GDPR: Key Terms for In-house Recruiters infographic.

Your contract will have to include more detail about the processing of data, such as the subject matter, the duration of processing and the purposes behind its use.

Start conversations with your ATS provider now to understand whether this step is in their GDPR-compliance action plan.

2. Will they assess their security processes?

As a diligent data controller, you need to be confident in your ATS provider’s cyber security and data protection measures.

Ensure you clearly understand how your ATS provider protects the data it processes on your behalf.

The GDPR sets out rigorous data breach notification requirements, so you should ask whether your supplier has robust procedures in place should they suffer a breach.

3. Will their ATS help you to manage candidate requests?

Under the GDPR, candidates have enhanced rights, including the right to request that their data is erased and updated.

Talk to your ATS provider about whether they are going to implement new features to help you address candidate requests like these. You should be able to update or erase candidate records simply and easily, and may also need a way to record those changes should you ever be audited.

Learn more about candidate rights under the GDPR.

4. Can candidates self-serve with their ATS?

As individuals have the right to request access and make changes to their personal data, consider asking your ATS provider whether they can offer a self-service portal so candidates can log in and update their own information.

This can reduce administration for you whilst ensuring your candidates feel confident about the accuracy and relevancy of their data.

5. How else will their technology help you meet your GDPR requirements?

Under the GDPR, you will need to identify an appropriate legal basis for processing your candidates’ data. The GDPR sets out six to choose from.

It’s likely that ‘legitimate interest’ or ‘consent’ will be most appropriate for recruitment processes (as with all points in this post, do ensure you discuss this with your legal team or GDPR advisor).

It’s important that you can prove that you have fairly and lawfully collected your candidate data. As such, ask your provider how they will help you to record your legal basis in your ATS should you be audited or receive a candidate request for information.

Working with your ATS provider

At this stage, you should expect your ATS supplier to be open to discussing what their responsibilities are under the GDPR, and they should have a robust plan in place as to how they will support your compliance efforts by May 2018.

This post was first published in HR Grapevine in December 2017.

Disclaimer: The information in this blog post concerning technical legal or professional subject matter is for guidance only, and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter.