How to assess an ATS provider: Data Protection
Handling personal data comes as part and parcel of an in-house recruiter’s job.
So if you’re selecting a new ATS provider, you need to know how to assess their approach to Data Protection.
Ask: Are they clear on their Data Processor responsibilities?
A data processor is ‘any person (other than an employee of the data controller) who processes the data on behalf of the data controller’.
Your organisation would take the role of Data Controller – ultimately responsible for setting out why and how your candidate data is processed.
The ATS supplier takes on the role of Data Processor. If they do not process your data in line with the regulations, the result can be data breaches and penalties for both of you, because as Data Controller you remain accountable for what your processor does with the data.
As a Data Processor (DP), your potential ATS provider must demonstrate they understand their responsibilities. These include:
- The Data Processor can only process data in line with the Data Controller’s (that’s you!) instructions.
- They must enter into a contract with the Data Controller and comply with their Processor obligations within that contract.
- The DP cannot appoint a sub-processor without your consent or general authorisation.
- They must put measures in place to protect and secure your data.
- The DP must comply with data breach notification processes.
- And more, which you can read in the ICO's guidance on data controllers and data processors (linked at the end of this post).
Ask: What functionality does the ATS include to help you meet your Data Controller obligations?
You will need to establish your legal basis for processing candidate data. Often in recruitment, this is ‘Consent’ or ‘Legitimate Interests’. If you are using the former, you will need to ensure your potential ATS can obtain consent from candidates at the point of application and retain this information for audit purposes.
If you are using ‘Legitimate Interests’ as your legal basis for processing, you must be able to display a privacy notice on your application forms for candidates to review and acknowledge. Again, can a potential ATS supplier provide this?
Candidates should have the ability to access or update their personal data – or should they wish, withdraw it altogether and request to be archived or deleted. You need to be confident your ATS is able to handle these requests adequately.
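The three capabilities above (capturing consent or a privacy-notice acknowledgement at the point of application, keeping that record for audit, and honouring access, update and erasure requests) are easier to evaluate in a demo when you know what a sound implementation looks like. The following is an added example, not code from the original post or from any ATS vendor: a hypothetical candidate store with an append-only, hash-chained audit log. The design rule it demonstrates is that the audit log records only the candidate id and compliance facts (lawful basis, notice version, action), never the personal data itself, so erasing a profile on request still leaves tamper-evident proof that consent was obtained and later withdrawn. The lawful-basis strings, field names and sample candidate are all constructed for the example.

```python
"""Hypothetical consent-and-audit model for an ATS (constructed example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first audit entry (assumption)


class CandidateStore:
    """Candidate profiles plus an append-only, hash-chained audit log.

    The audit log deliberately never stores personal data, only the candidate
    id and compliance facts, so erasure of a profile does not destroy the
    evidence an auditor will ask for.
    """

    def __init__(self):
        self.profiles = {}  # candidate_id -> dict of personal data (erasable)
        self.audit = []     # list of entries, each hashed over the previous one

    def _record(self, candidate_id, action, **facts):
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "candidate_id": candidate_id,
            "action": action,
            "facts": facts,
            "prev_hash": prev,
        }
        body = json.dumps(entry, sort_keys=True)
        entry["hash"] = hashlib.sha256((prev + body).encode()).hexdigest()
        self.audit.append(entry)

    def apply(self, candidate_id, personal_data, lawful_basis,
              notice_version, consent_given=False):
        """Point of application: store the profile and evidence the lawful basis."""
        if lawful_basis not in ("consent", "legitimate_interests"):
            raise ValueError("unsupported lawful basis")
        if lawful_basis == "consent" and not consent_given:
            raise ValueError("consent is the lawful basis but was not given")
        self.profiles[candidate_id] = dict(personal_data)
        self._record(candidate_id, "application_received",
                     lawful_basis=lawful_basis, notice_version=notice_version,
                     consent_given=consent_given)

    def access(self, candidate_id):
        """Subject access: the profile plus every audit fact about this candidate."""
        if candidate_id not in self.profiles:
            return None
        history = [{"ts": e["ts"], "action": e["action"], **e["facts"]}
                   for e in self.audit if e["candidate_id"] == candidate_id]
        return {"profile": dict(self.profiles[candidate_id]), "history": history}

    def update(self, candidate_id, changes):
        self.profiles[candidate_id].update(changes)
        # Log which fields changed, never their values.
        self._record(candidate_id, "profile_updated", fields=sorted(changes))

    def withdraw(self, candidate_id):
        """Withdraw consent and erase the profile; the audit trail keeps only the id."""
        del self.profiles[candidate_id]
        self._record(candidate_id, "consent_withdrawn_and_erased")

    def verify_audit(self):
        """Recompute the hash chain; any edited or removed entry breaks it."""
        prev = GENESIS
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            expected = hashlib.sha256(
                (prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if e["prev_hash"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True

    def audit_mentions(self, value):
        """True if a literal value (e.g. an email address) leaked into the audit log."""
        return value in json.dumps(self.audit)


def rejects_missing_consent():
    """Applying under 'consent' without a consent flag must be refused."""
    try:
        CandidateStore().apply("cand-x", {}, "consent", "v1")
    except ValueError:
        return True
    return False


def demo():
    """Constructed walk-through: apply, update, access, then withdraw."""
    store = CandidateStore()
    store.apply("cand-001", {"name": "A. Example", "email": "a.example@example.invalid"},
                "consent", "v3", consent_given=True)
    store.update("cand-001", {"phone": "000"})
    before_erasure = store.access("cand-001")
    store.withdraw("cand-001")
    return store, before_erasure
```

When a supplier demonstrates their product, ask to see the equivalent of `access()` and `withdraw()` in action, and ask what remains in their logs after an erasure: a system that cannot show a consent record after deletion, or that still shows the candidate's email in its audit trail, fails one of the two requirements.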
Ask: What is the provider’s approach to Information Security?
You need to be confident that not only is your ATS provider talking the talk on Information Security, but also walking the walk. A reputable ATS provider should have a full Information Security Management System (ISMS), with policies supporting everything from Data Protection to Incident Reporting.
Ask about any accreditations a potential supplier has. Are they ISO 27001 certified, for example? ISO 27001 is the international standard for an information security management system, covering how an organisation manages and protects its information assets. If a supplier claims it, ask for the certificate and check that its scope actually covers the ATS service you would be buying, not just a head office or an unrelated product.
Your IT or Procurement team may also want a potential ATS supplier to complete an Information Security questionnaire or audit as part of your selection process.
When you’re choosing a new ATS, you need to be confident in a supplier’s approach to Data Protection and Information Security. These three questions are just a starting point, but they should provide a good steer on whether a potential supplier understands their role as a Data Processor, and whether their technology can help you meet your responsibilities as Data Controller.
Disclaimer: The information in this blog post concerning technical legal or professional subject matter is for guidance only, and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter.
Find out more
Discover more hints, tips and checklists in our Choosing an ATS guide.
Interested in finding out more about Data Protection? Read this guide from the Information Commissioner.
ICO (2019). Data controllers and data processors: DP guidance. https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf