The European Union’s (EU) sweeping new data privacy law, the “General Data Privacy Regulation” (GDPR), took effect on May 25, 2018, and has wide-ranging implications for companies operating both within and outside the EU. In order to assist with compliance, NT Lakis attorneys have prepared a guide that focuses on the possible compliance implications for data collected and stored in applicant tracking systems (ATS).
Our guide assumes that your organization utilizes third-party, online platforms in its sourcing and recruiting processes, predominantly an ATS. The information contained in the guide, however, is equally applicable to other platforms such as “candidate relationship management” platforms and proprietary systems.
A threshold question is whether or not the GDPR applies at all to your ATS and/or other sourcing/recruiting processes. If you determine that it does, the next step is to determine what data are affected. Compliance with the GDPR requires covered entities to fully understand and document a number of issues regarding the personal data collected from private individuals, including how it is stored, how it is used, who has access, and whether and to what extent individual personal information can or should be deleted in accordance with GDPR requirements. Only then can the company begin to evaluate its compliance posture and identify potential problem areas.
Please note that the GDPR is complex and raises many potential compliance questions that simply cannot yet be answered. This memo provides our initial analysis of how we believe it could impact ATS. At the same time, the guide is not intended to provide legal advice. To the extent that specific GDPR issues arise regarding ATS compliance, legal counsel should be consulted.
The full text of the GDPR can be accessed here.
Members of the Center for Workplace Compliance (CWC) can read more here.