To meet your requirements as a data controller under the GDPR, you will need to review and potentially change the way you collect, store and process candidate data.

 You may find it is difficult to make these changes and put in place sustainable and secure new processes without an Applicant Tracking System.

1. Managing candidate rights

Under the GDPR, your candidates have widened rights and, as a result, data controllers have new responsibilities.

For example, when the GDPR comes into force, you will need to respond to candidate requests within one month. You may also need to be able to prove when or how you have actioned a request (such as updating or erasing a candidate’s information).

An ATS is an invaluable tool to help you manage these processes.

Transparency is a key principle of the GDPR. With an ATS you can build an audit trail of when candidate requests have been met, and have a clear history of all communications. This may prove invaluable should a candidate raise an issue or query with your team, or should you ever be audited.

2. Setting retention periods

‘Storage limitation’ is another core principle of the GDPR. This doesn’t mean that you can’t build talent pools, but there are steps you will need to take in order to meet your responsibilities and ensure you don’t retain your candidates’ data for longer than is necessary

You and your team should undertake a data retention assessment and determine a reasonable period for storing your candidates’ personal data. This retention period needs to balance their rights and the benefit to your organisation.

You will need an ATS to ensure that you are meeting your data retention responsibilities.

If you are currently holding candidates within an Excel spreadsheet, for example, you may risk overlooking the data retention period and not realising when a candidate’s personal data needs to be erased or archived.

With an ATS, you should be able to automate this process. You should receive an alert when a candidate is approaching their data retention limit and needs to be contacted, have their data archived (if appropriate) or be completely removed from your database.

This removes the opportunity for human error you may find with manual methods. It also significantly reduces administration and, again, ensures you have a clear record of when candidates have been erased.

Discover what GDPR functionality Hireserve ATS will deliver to users.

3. Reporting and auditing

We’ve touched on this in the last two points. As the principles of transparency and accountability play a key role in the new legislation, you need a tool which can securely and accurately record your interactions with candidates and when, how and why you process their personal data.

Should you ever be audited or receive a candidate complaint, you need to be able to access the associated data quickly and simply.

If you are using manual methods, like the trusty Excel spreadsheet, you may find yourself struggling to pull together dates, actions and responsibilities without confidence in the accuracy, relevancy or security of the data.

4. Security

With inaccuracies, human error, the potential for deletion or file loss and the risk of unauthorised people accessing information, you may be leaving yourself open to a significant data breach if you use a spreadsheet or other manual methods.

With the right ATS, you should be confident in where and how your data is hosted.

The system should be protected by stringent security processes and technology, and your provider should be able to talk you through what measures are in place to ensure data security.

Under the GDPR data controllers face new requirements in terms of reporting and handling data breaches (turn to page 11 of your GDPR guide), and it is essential that you have the right technology partner to support you during issues and to mitigate potential risks.

You need an ATS… so what do you do next?

 As a first step, it’s imperative you start conversations with and pick the brains of suppliers.

There are a lot of systems out there, so start by choosing a few potential suppliers who seem to know their stuff about GDPR and are aware of the impact it will have on your work.

Remember too that implementing a new ATS will bring many benefits unrelated to the GDPR, so focus on the other areas where you’re trying to improve process, reduce cost or decrease administration.

The best thing is to start researching, talking and understanding how an ATS can improve your hiring activity for you, your colleagues, your organisation and your candidates.


Find out more

How will the GDPR impact your talent pools?

The first steps in your GDPR action plan

Do you need a GDPR jargon-buster?

Disclaimer: The information in this blog post concerning technical legal or professional subject matter is for guidance only, and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter.

About the author

Tristan Potter

Tristan has a decade's worth of experience writing content and copy for organisations across Bristol and the Southwest of England. He has written on a diverse range of topics, including technology, philosophy, politics, and recruitment. His writing has appeared in The Drum, HR Grapevine, and The Guardian, among other publications. He joined Hireserve in March 2022.