GDPR is coming, Brexit or not. That’s good news. Obviously, from a personal point of view, the intention of GDPR is to give you more control and better access to your personal data. If you use an Applicant Tracking System (ATS) then the news is also good as this puts you ahead of the pack in being prepared for compliance. More good news is that if you have been a responsible data controller or data processor (following best practice in line with the Data Protection Act 1998 (DPA)) then you should already be ready for most of GDPR’s compliance requirements.
There are some new things to consider, so let’s see how an ATS can help:
Understand and document the data:
To make sure you understand the data you hold and how you process it, you should document the following:
- What data do you hold?
- Why do you need it? Is there a legal basis for requiring the information?
- Where does it come from?
- How do you use it?
- Where does it go?
- How do you get rid of it?
- What are the risks?
This documentation is often referred to as an Information Asset Register (IAR), with the risks being determined via a Privacy Impact Assessment (PIA); the GDPR's own term for this assessment is a Data Protection Impact Assessment (DPIA), and it is mandatory where processing is likely to result in a high risk to individuals.
If you don’t have an IAR then hopefully the process of implementing an ATS will have left you with some documentation to start from. Even if that isn’t to hand, having an ATS should make it easy to identify the data in the ATS and how you use it. The task will be simplified if the ATS is prioritised as the system of record for recruitment, and if storage of data outside the ATS is minimised.
Even if you have an IAR, you do need to review it to check that all of the data you are collecting is needed and that it is only used and kept for the purposes stated.
Provide a transparent Privacy Statement
The GDPR introduces additional requirements for your privacy statement:
Identify all the personal data you hold. As well as information provided by the individual, that may include observations (e.g. tracking online behaviour), derived data (perhaps from combining with other data sets), and inferred data (e.g. suitability for a job).
Explain your legal basis for collecting personal data (this should match your IAR). Being clear about your legal basis will reduce your reliance on candidates' consent and will be necessary if you want to retain data after a candidate asks for it to be deleted.
Detail retention policies. You may need different retention periods for different data sets.
Explain individuals’ rights and how to go about exercising their rights.
Honour the Individuals’ rights
The rights granted by the DPA have been extended, most notably with data portability and the right to human review of automated decisions. An ATS should help support individuals' rights:
Right to be informed: As well as the Privacy Statement, the ATS can inform the individual at different stages through the recruitment process e.g. consider adding additional guidance text to online forms and status updates.
Right of access: Candidates must be able to review their personal information and be kept informed of the processing of their application. An ATS should support much of this out of the box.
Right to rectification: Individuals should be able to rectify personal data that is inaccurate or incomplete. Check that your use of your ATS allows candidates to update their personal data online. If the ATS cannot support this then you will have to implement a manual process and inform the candidate how to use it. The Privacy Statement should include directions for the candidate on how to update their information.
Right to erasure: The DPA 1998 provides the right for the individuals to insist on deletion of data if the processing causes damage or distress. The GDPR removes the condition of damage or distress and gives much more control to the individual. However, you may still be able to retain data if you are not relying on candidate consent to do so e.g. if you have a legal basis for keeping the data and you have explained that legal basis clearly to the candidate via the Privacy Statement.
If you are relying on candidate consent for retaining some data, then you will have to provide the candidate with a mechanism to have the data deleted. For data in an ATS you will probably always want to have a manual review process to accept the request but an ATS should make it easy for you to delete data or anonymise application records. Minimising information kept outside of the ATS, especially avoiding paper information, will simplify procedures.
Right to restrict processing: If there is a challenge (or objection) to the data held (e.g. the candidate challenges that the use of the data is unlawful; or the recruiter is unsure if they should comply with a deletion request) then the data should be restricted from further processing until the challenge is resolved. We would imagine this is a rare occurrence in a well run system but an ATS should be able to flag a record as ‘restricted’ and procedures should adapt accordingly.
Right to data portability: Candidates should be able to obtain and reuse the personal data that they have provided. Ideally a candidate should be able to download their data directly from the ATS, but it would also be acceptable to have the candidate request a data download and then for you to check the request, perform the download, and provide it to the candidate. The data should be supplied in a structured, commonly used, machine-readable format (e.g. CSV or JSON rather than a scanned PDF). Most ATSs will already support data download.
Right to object: It must be made clear to candidates how they can object to the processing of their data. This should be in the Privacy Statement and must be made clear to the candidate at the start of processing.
Rights related to automated decision making: For decisions that are made about a candidate and which are based on their personal data, the candidate must be able to ask for and obtain human intervention (e.g. to review an automated decision), express their point of view, and obtain an explanation for any decision made using their personal data. An ATS can still make automated decisions but the candidate must be informed that such automation is part of the recruitment process and be informed of their rights and how to exercise them. This information should be provided in the Privacy Statement.
Your use of personal data may require consent from the candidate. Where consent is required it must be freely given, specific, informed and unambiguous. There must be a positive opt-in requiring an action by the candidate. Implied consent cannot be assumed. (When the EU Cookie Law was introduced, the UK Information Commissioner's Office suggested that implied consent was appropriate. It is clear that this is not the case for GDPR but specific guidance on implications for cookies has not been given yet.)
There are a number of ways of complying. Most obvious would be the paradigm of explanatory text followed by a confirmation checkbox (which must default to unchecked). It is also appropriate to give clear instructions that by entering data into a form, the candidate is giving consent for the data to be used for the purposes described, provided those purposes are stated before the data is entered. It must be possible to attribute these actions to a unique individual; an ATS with a secure login process will ensure that. You will also need to be able to demonstrate that consent was given, so the ATS should record who consented, when, to which purposes, and against which version of the Privacy Statement, and should record withdrawals in the same way.
If a candidate refuses consent for a non-essential use of their data then this must not restrict them from participating in the recruitment process. This means that you may need to make part of your data collection optional and you must be able to adapt your forms and your recruitment process according to the level of consent given. A flexible, highly configurable ATS will help you tailor what you collect, and what you use it for, to the consents actually given.
Once again, it will be important that the Privacy Statement addresses these requirements with extra annotation on forms for further explanations.
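The following is an added illustration of how an ATS can model the consent, restriction and erasure rules described above; it is not code from the original article or from any ATS product. The purposes, legal bases, field names and function names (Candidate, ConsentRecord, record_consent, may_process, erase_consent_only_data) are assumptions made for the example. It shows an opt-in that is only counted when the candidate positively ticked the box, a consent trail that records who, when and against which Privacy Statement version, a processing check that refuses anything on a restricted record, and an erasure step that drops consent-only fields while keeping data held under another legal basis.

```python
"""Consent capture and processing checks for a candidate record.

Added example, not code from the original article or from any ATS product.
The purposes, legal bases, field names and function names are assumptions
made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Assumed purposes and the legal basis relied on for each. Purposes whose
# basis is "consent" are the non-essential ones: refusing them must not
# block the application itself.
LEGAL_BASIS = {
    "assess_application": "legitimate_interests",
    "equal_opportunities_monitoring": "consent",
    "future_vacancy_alerts": "consent",
}

# Fields that are held only under consent, keyed by the purpose they serve.
CONSENT_ONLY_FIELDS = {"ethnicity": "equal_opportunities_monitoring"}


@dataclass
class ConsentRecord:
    purpose: str
    given: bool               # True only after a positive opt-in action
    statement_version: str    # Privacy Statement version shown at the time
    recorded_at: datetime
    recorded_by: str          # authenticated candidate id that took the action


@dataclass
class Candidate:
    candidate_id: str
    name: Optional[str]
    email: Optional[str]
    ethnicity: Optional[str] = None
    restricted: bool = False                      # right to restrict processing
    consents: List[ConsentRecord] = field(default_factory=list)


def record_consent(cand, purpose, checkbox_value, statement_version, actor_id):
    """Append a consent decision. Only an explicit True counts as opt-in; an
    unchecked box (False), a missing value (None) or a pre-ticked default is
    treated as no consent. Who, when and which statement version are kept so
    that consent can be demonstrated later."""
    if purpose not in LEGAL_BASIS:
        raise ValueError(f"unknown purpose {purpose!r}")
    if actor_id != cand.candidate_id:
        raise PermissionError("consent must be given by the candidate themselves")
    cand.consents.append(ConsentRecord(
        purpose=purpose,
        given=checkbox_value is True,
        statement_version=statement_version,
        recorded_at=datetime.now(timezone.utc),
        recorded_by=actor_id,
    ))


def withdraw_consent(cand, purpose, actor_id):
    """Withdrawal is recorded as a new decision rather than by deleting history."""
    last = next((r for r in reversed(cand.consents) if r.purpose == purpose), None)
    version = last.statement_version if last else "unknown"
    record_consent(cand, purpose, False, version, actor_id)


def has_consent(cand, purpose):
    """The most recent decision for a purpose wins."""
    for rec in reversed(cand.consents):
        if rec.purpose == purpose:
            return rec.given
    return False


def may_process(cand, purpose):
    """Gate every use of the record: a restricted record is never processed;
    consent-based purposes need a current opt-in; other purposes rely on the
    stated legal basis and do not depend on consent."""
    if purpose not in LEGAL_BASIS:
        raise ValueError(f"unknown purpose {purpose!r}")
    if cand.restricted:
        return False
    if LEGAL_BASIS[purpose] == "consent":
        return has_consent(cand, purpose)
    return True


def erase_consent_only_data(cand):
    """Drop fields whose only basis was a consent that is no longer held.
    Data held under another legal basis is kept. Returns the erased fields."""
    erased = []
    for fld, purpose in CONSENT_ONLY_FIELDS.items():
        if getattr(cand, fld) is not None and not has_consent(cand, purpose):
            setattr(cand, fld, None)
            erased.append(fld)
    return erased


if __name__ == "__main__":
    # Constructed sample record, not real candidate data.
    c = Candidate("cand-42", "A. Person", "a.person@example.org",
                  ethnicity="prefer not to say")
    record_consent(c, "equal_opportunities_monitoring", True, "v2", "cand-42")
    record_consent(c, "future_vacancy_alerts", None, "v2", "cand-42")  # box left unchecked
    for p in LEGAL_BASIS:
        print(p, may_process(c, p))
```

The design choice worth noting is that consent is never inferred from the shape of a request: `checkbox_value is True` means a form that omits the field, or a front end that sends a default, yields a record of "not given". Keeping every decision as an append-only trail, including withdrawals, is what lets you answer "show me that this person consented, and to what" without reconstructing it from logs.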