GDPR Compliant Applicant Tracking System (ATS)

Typically, you will use the Data Consent Policy to define the consent that candidates give you to store and process their personal data to secure them a job. Your policy is completely customisable; you can define its’:

• Name
• Description
• Duration (retention period)

Also, you can define how to handle candidates whose consent is approaching the end of its validity period – enabling you to send automatic reminders that encourage candidates to re-consent.

You can set reminders to start sending (x) days before the consent expiry and send further reminders every (y) days after that.  If the candidate still fails to respond, you can automatically send a final email confirming that their consent has expired and what will happen next with their data.

You can also create exclusions for your Data Consent policy. An Exclusion is a filter that defines the criteria of the candidates that can be excluded – for example; you may want to create a filter that finds Non-EU candidates within your Eploy database and exclude them from your Data Consent policy or where you can show that you have a legitimate interest for processing candidate personal data.

You can use exclusions where you may have a different legal basis for storing and processing personal information – for example; retaining new hire information for a period or retaining applications can constitute valid legal basis under the GDPR. We advise that you talk to your Data Protection Officer (DPO) to understand the different legal basis you may have for storing and processing different categories of candidates and then create exclusions within Eploy’s Consent Manager.

There are good reasons why you might not want to completely delete all information stored about a specific candidate from your database. A good example of this is your metrics and analytics – consider, for example Candidate Source (where did they hear about the role?; which job board etc) – if you delete the candidate record you are likely to lose this important information – meaning your stats are less accurate. 

Rather than lose this ‘non-personal’ data – you can set expired candidates to be anonymised, automatically, within your Eploy database. With anonymisation, all personal data fields, notes and comments are anonymised, all CVs and other files associated with the candidate are deleted, leaving only pertinent, non-personally identifiable data. This will maintain the integrity of your stats, metrics and KPIs that do not rely on personally identifiable information

Anonymisation is set to take place on your preferred day of the month.  In addition, the candidate’s Employment Status will be set to ‘Sent for Anonymisation’. Please note, that once anonymised it will be irreversible.

Eploy’s Consent Manager enables you to configure which specific checks you want your system to perform when contacting candidates in your database:

Checks can be created for:

• Emailing the candidate
• Sending SMS messages to the candidate

• We’ve added consent tools that help you when working directly with Candidate data within the Eploy System.

  Within the Candidate Summary page we’ve added a new pop-over for consents – this will show which preferences each candidate has specifically opted in for.

• However, as a fail-safe, Eploy also stores a history of all consent changes, so if a candidate challenges the validity of a consent you will be able to refer back to the history to identify who edited it and when.

Eploy's comprehensive GDPR suite was crowned the 2019 OnRec Technical Innovation Award winner at the annual OnRec Awards in London, March 2019.