
GDPR: Does Your ATS Vendor Have You Covered?

We are mere days away from the European Union’s game-changing data privacy legislation. If you’re in Talent Acquisition, your first question is whether your ATS is a strength or a liability.

For citizens of the European Union, the General Data Protection Regulation (GDPR) will protect and enforce how their private data is used and stored online, anywhere in the world. In the wake of the Cambridge Analytica/Facebook scandal and growing malaise about online organizations monetizing user profiles, new rules from Brussels are, for once, largely welcomed by netizens.

For companies that do business with the EU, or employ even one of its 500 million citizens, becoming GDPR-compliant before May 25th has meant everything from a mild headache and a few extra legal bills to a complete overhaul of how customer and employee data is stored.

Whether in Europe or elsewhere, you may have noticed several changes to your favorite sites’ and platforms’ Terms and Conditions recently. Not that you went and checked. Everyone from Facebook to Twitter to LinkedIn has been emailing, in various shades of marketing-speak, asking you politely and humbly to accept updated service agreements. GDPR is the reason.

Talent Acquisition leaders, has your Applicant Tracking System done the same? If not, you could be in trouble. With maximum penalties for non-compliance set at 4% of last year’s annual gross or €20 million, whichever is higher, those who have buried their heads in the sand to avoid the hassle could potentially face bankruptcy.

A whopping 70% of those surveyed said they weren’t ready for GDPR, and a lacking, lagging ATS is as big a part of the problem as human indifference.

HR and Recruiting sit at the great crossroads of GDPR. Our business is based on collecting and analyzing personal data, so we have to be extra-vigilant. Now that GDPR is real, SmartRecruiters (in GDPR terms, the Data Processor) wanted to see whether everyone, or anyone, in the field had put as much work as we have into being GDPR compliant. We surveyed a group of 30 TA professionals who use various ATS vendors to see how clear they were on GDPR compliance and where they may have missed some details. The results were, well, not great.

But don’t freak out just yet. Let’s start with the basics. GDPR requires TA departments (the Data Controller) to store information on candidates (Data Subjects) only with their consent. The fix can be as easy as adding a second T&C button that grants you permission to store their data; since they wanted to send you their CV in the first place, that should be fine. GDPR simply means you must have their clear and unambiguous consent, and if they ever ask you to delete their data, you have to be able to prove you have. Easy enough, but 32% of respondents didn’t know whether their ATS was capable of that, and over 50% didn’t know if, when, or how a candidate’s consent was obtained or stored. Ten percent were certain their ATS did none of this. Yikes. This is compliance 101, people. And compared with the reams of often ambiguous clauses in the regulation, it is relatively easy to patch.

If you’ve got your candidate-facing front end covered, it’s time to look at who exactly has access to the data you store. Our respondents scored a little better here, with 90% of them aware of access limits on the data stored in their ATS. However, 20% said they kept no log of who in their organization had accessed personal data and when, and that’s a GDPR no-no.

On the brighter side, 72% of those surveyed confirmed their ATS kept logs of interview feedback and recruiting notes throughout the hiring process. That may not fully satisfy GDPR’s demand for “transparency”, but it is at least proof of operating in good faith, which the more overarching regulations value highly; regulators know better than anyone how hard full compliance will be. The big problem here is that 61% said they didn’t know whether the same data sets were transferred to third-party vendors, like payroll or onboarding applications. That’s a problem. It’s precisely this kind of hole that regulators will consider a data breach, and under GDPR, reporting a data breach is mandatory.

If you’re wondering about the compliance capability of your ATS, ask yourself whether your ATS allows you to

In regards to candidate data processing, does your ATS

For data security, can your ATS provide

If your palms are starting to sweat a bit, your ATS provider should, legally, have all the answers you seek. If they don’t, well, don’t fall prey to the sunk-cost fallacy. Get out ASAP and sign on with an ATS vendor that knows what they’re doing.

We’re pretty sure we can recommend someone to help you with that.

Write to us at SmartRecruiters for your free GDPR-compliance assessment.

*A works council is a body of employees elected to represent their fellow employees. Works councils exist in many European countries, including the United Kingdom, Germany, Austria, the Netherlands, France and Spain.
