Why UK Companies Face Unique GDPR Challenges in Recruitment
If you run a recruitment process in the United Kingdom, you already know that data protection law did not disappear after Brexit. What you may not fully appreciate is how much more complex your obligations have become since 1 January 2021.
Before Brexit, UK employers operated under a single framework: the EU General Data Protection Regulation. Today, they must contend with the UK GDPR (a domesticated version of the EU regulation retained in UK law), the Data Protection Act 2018 (DPA 2018), and — if they recruit candidates from the EU or EEA — the original EU GDPR as well. That means two parallel regulatory regimes, two supervisory authorities, and potentially two sets of requirements for international data transfers.
For HR teams using an applicant tracking system, this creates a real and practical problem. Your ATS is the central repository for candidate personal data: CVs, contact details, interview notes, evaluation scores, offer letters. If that system is not configured to meet UK GDPR requirements specifically, you are exposed to enforcement action from the Information Commissioner's Office (ICO), which has the power to impose fines of up to £17.5 million or 4% of annual global turnover.
This guide is written for UK-based employers — whether you are a 20-person startup in Manchester or a 5,000-employee enterprise in London — who need to understand exactly what a GDPR-compliant ATS looks like under the current UK legal framework. We will cover the differences between UK GDPR and EU GDPR, the lawful bases available for processing candidate data, data retention periods, candidate rights, automated decision-making rules, international transfer mechanisms, and a practical compliance checklist you can use to audit your own system. If you are still in the process of selecting a platform, our guide to the best recruitment software for UK companies covers the compliance credentials of each major ATS option side by side.
UK GDPR vs EU GDPR: What Actually Changed After Brexit
The UK left the EU's data protection framework on 31 December 2020. Rather than starting from scratch, the UK government transposed the EU GDPR into domestic law through the European Union (Withdrawal) Act 2018, creating what is now referred to as the UK GDPR. The DPA 2018 sits alongside it as the implementing legislation.
In substance, UK GDPR is almost identical to the EU version. The core principles — lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability — remain unchanged. The rights of data subjects are the same. The obligations on data controllers and processors are the same.
The differences that matter for recruitment teams are primarily structural and jurisdictional:
- Supervisory authority. The ICO is the sole regulator for UK GDPR. EU data protection authorities (such as France's CNIL or Germany's BfDI) have no jurisdiction over UK-only processing. However, if you recruit EU candidates and process their data, you may fall under EU GDPR as well, meaning you could face enforcement from both the ICO and an EU supervisory authority.
- International transfers. Under EU GDPR, the UK was treated as a third country after Brexit. The European Commission granted the UK an adequacy decision in June 2021, allowing data to flow freely from the EU to the UK. This adequacy decision is subject to periodic review and could theoretically be revoked. In the other direction, UK GDPR has its own adequacy framework — the UK recognises the EU/EEA as adequate, so transfers from the UK to Europe require no additional safeguards.
- Representative requirement. Under EU GDPR Article 27, a UK company with no EU establishment that processes EU residents' data must appoint a representative in the EU. This is relevant if your career page attracts applicants from EU countries.
- Fines. UK GDPR maximum fines are set in pounds sterling (£17.5 million) rather than euros. The practical effect is broadly equivalent.
- Legislative divergence. The UK government has signalled an intention to reform data protection law through the Data Protection and Digital Information Act. Any future changes could create additional divergence from EU GDPR, requiring UK employers to track two evolving regulatory frameworks.
Practical implication for ATS users
If your company recruits exclusively within the UK, you need to comply with UK GDPR and DPA 2018 only. If you also recruit from EU/EEA countries — posting jobs on EU job boards, accepting applications from EU candidates, or operating offices in the EU — you must ensure your ATS complies with both UK GDPR and EU GDPR. The requirements are nearly identical, but the transfer rules and supervisory authorities differ.
ICO Requirements for Recruitment Data Processing
The ICO has published detailed guidance on employment practices, including recruitment. While the ICO does not prescribe a specific ATS or technical configuration, it does set clear expectations for how organisations should handle candidate data.
The key ICO expectations relevant to your ATS are:
Transparency at the point of collection. When a candidate submits an application — whether through your career page, a job board, or email — they must receive a privacy notice before or at the time their data is collected. This notice must explain: who you are (the data controller), what data you will collect, why you are collecting it (the purpose), the lawful basis you are relying on, how long you will keep the data, who it will be shared with, and what rights the candidate has. Your ATS should either display this notice directly on the application form or link to a standalone recruitment privacy policy.
Records of processing activities (ROPA). Under UK GDPR Article 30, organisations with more than 250 employees (or those carrying out processing that is not occasional) must maintain a written record of their processing activities. Even smaller organisations are strongly encouraged to do so. Your ATS should contribute to this record by documenting what candidate data is collected, the purposes, retention periods, and any third-party sharing.
Data protection by design and by default. Your ATS must be configured so that, by default, only the minimum necessary data is collected and only authorised personnel can access it. This means role-based access controls, field-level permissions where possible, and default settings that favour data minimisation rather than maximum collection.
Security of processing. The ICO expects appropriate technical and organisational measures to protect candidate data. For an ATS, this means encryption in transit (TLS/HTTPS) and at rest, secure authentication (strong passwords, multi-factor authentication), regular security updates, access logging, and incident response procedures. The ICO has taken enforcement action against organisations whose security measures were found to be inadequate, including cases involving recruitment data.
Data Protection Officer (DPO). While not all UK organisations are required to appoint a DPO, you must do so if you are a public authority, if your core activities involve large-scale systematic monitoring of individuals, or if your core activities involve large-scale processing of special category data. Recruitment agencies processing high volumes of candidate data may fall into the systematic monitoring category. Even if a DPO is not mandatory, the ICO recommends designating someone with responsibility for data protection compliance.
Lawful Basis for Processing Candidate Data: Consent vs Legitimate Interest
Choosing the correct lawful basis is one of the most consequential decisions you will make when configuring your ATS. Under UK GDPR Article 6, you must identify at least one lawful basis before processing any candidate personal data. The two bases most commonly used in recruitment are legitimate interest and consent.
Legitimate Interest (Article 6(1)(f))
Legitimate interest is often the most appropriate basis for processing applications during an active recruitment process. The reasoning is straightforward: your organisation has a genuine need to evaluate candidates for a vacancy, and this need does not, in most circumstances, override the candidate's rights and interests.
However, relying on legitimate interest requires you to complete a Legitimate Interest Assessment (LIA) — a documented analysis with three parts:
- Purpose test: Is there a legitimate interest behind the processing? (Yes — evaluating candidates for employment.)
- Necessity test: Is the processing necessary to achieve that purpose? (Yes — you cannot evaluate an application without reading the CV and contact details.)
- Balancing test: Do the individual's interests, rights, or freedoms override your legitimate interest? (Generally no, provided you are processing data proportionately and transparently.)
Your ATS should store or reference these LIAs so you can demonstrate compliance if the ICO asks. Legitimate interest is well-suited for: reviewing applications, scheduling interviews, conducting reference checks (with the candidate's knowledge), and sharing candidate profiles with hiring managers within your organisation.
Consent (Article 6(1)(a))
Consent is more appropriate when the processing goes beyond the candidate's reasonable expectation. Common examples in recruitment include:
- Retaining candidate data in a talent pool after a vacancy has been filled — the original purpose (evaluating the application) has concluded, so you need a new lawful basis to keep the data for future opportunities.
- Sharing candidate data with third-party recruitment agencies or group companies in other jurisdictions.
- Using candidate data for marketing purposes, such as sending newsletters about company culture or future openings.
- Processing special category data (disability status for reasonable adjustment purposes, diversity monitoring) — here, explicit consent under Article 9(2)(a) is typically needed unless another Article 9 exemption applies.
Under UK GDPR, consent must be freely given, specific, informed, and unambiguous. Pre-ticked checkboxes do not constitute valid consent. Your ATS application forms must present consent as a genuine choice, and you must make it as easy to withdraw consent as it was to give it. Critically, the ICO takes the position that consent is unlikely to be freely given in employment contexts where there is a power imbalance — so for current employees, consent is often unreliable. For job applicants (who are not yet in an employment relationship), consent is more defensible, but should still be handled carefully.
Pre-contractual Measures (Article 6(1)(b))
A third option — sometimes overlooked — is processing necessary for taking steps at the candidate's request prior to entering into a contract. When a candidate applies for a job, they are asking you to consider them for employment. Evaluating their application can be characterised as a pre-contractual step. This basis is cleaner than legitimate interest in some respects (no LIA required), but the ICO has noted that it should not be stretched beyond what the candidate would reasonably expect.
Recommended approach for UK employers
Use legitimate interest or pre-contractual measures as the lawful basis for processing active applications. Use explicit consent for talent pooling, data retention beyond the recruitment cycle, and any processing of special category data. Document your choice of lawful basis for each processing activity in your recruitment privacy policy and configure your ATS accordingly.
Data Retention Periods: How Long You Can Keep Candidate Data
UK GDPR does not prescribe a specific retention period for recruitment data. The storage limitation principle (Article 5(1)(e)) simply says that personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
This means you must define and justify your own retention period. The ICO expects you to have a documented data retention policy that explains how long you keep candidate data and why.
Here is what UK industry practice and ICO guidance suggest:
During the Active Recruitment Process
You may process candidate data without additional restrictions while the vacancy is open and the hiring decision has not been made. The lawful basis (legitimate interest or pre-contractual measures) covers this period fully.
After the Vacancy Is Filled: Unsuccessful Candidates
The commonly adopted retention period in the UK is 6 months after the position is filled. This accounts for the Equality Act 2010 limitation period — a candidate who believes they were discriminated against in the recruitment process has up to 6 months (with a possible 3-month extension) to bring an employment tribunal claim. Retaining data for this period allows you to defend against such claims.
Some organisations extend this to 12 months, which provides a larger buffer for potential legal proceedings. Beyond 12 months, retaining unsuccessful candidate data without explicit consent becomes difficult to justify.
Talent Pool Retention
If you want to keep a candidate's data for future opportunities — building a talent pool — you need the candidate's explicit consent and must specify how long you intend to keep their data. A common approach is to seek consent for a defined period (e.g., 12 or 24 months) and then contact the candidate before the period expires to ask if they wish to renew their consent.
Successful Candidates
For candidates who are hired, recruitment data typically becomes part of the employee record and is subject to employment data retention rules. The usual practice is to retain employee records for the duration of employment plus 6 years (to cover the statutory limitation period for contractual claims).
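The retention rules above can be expressed as a small scheduling policy. The following is an added example written for this guide, not code from the original page or from Treegarden: it applies the periods the guide cites (6 months after the vacancy is filled for unsuccessful candidates, employment plus 6 years for hires, a consent-bound period for talent-pool records) and decides per record whether to keep it, send a consent-renewal reminder, or anonymise it, logging each decision. The 30-day reminder lead time and the record layout are assumptions.

```python
"""Retention scheduling for candidate records (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

UNSUCCESSFUL_RETENTION_MONTHS = 6   # Equality Act 2010 tribunal window, as the guide cites
EMPLOYEE_RETENTION_YEARS = 6        # limitation period for contractual claims, as the guide cites
RENEWAL_REMINDER_DAYS = 30          # assumption: ask talent-pool candidates a month before consent lapses


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last day of the target month
    (31 March + 6 months -> 30 September; 29 Feb 2020 + 72 months -> 28 Feb 2026)."""
    offset_years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + offset_years, month_index + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass
class CandidateRecord:
    candidate_id: str
    outcome: str                                  # "active" | "unsuccessful" | "hired" | "talent_pool"
    vacancy_filled_on: Optional[date] = None      # set when the vacancy closes
    employment_ended_on: Optional[date] = None    # set when a hired candidate leaves
    consent_expires_on: Optional[date] = None     # end of the talent-pool consent period


def retention_expiry(rec: CandidateRecord) -> Optional[date]:
    """Last day the record may be held in identifiable form, or None when no
    expiry is computable yet (open vacancy, current employee, missing dates)."""
    if rec.outcome == "unsuccessful" and rec.vacancy_filled_on:
        return add_months(rec.vacancy_filled_on, UNSUCCESSFUL_RETENTION_MONTHS)
    if rec.outcome == "hired" and rec.employment_ended_on:
        return add_months(rec.employment_ended_on, 12 * EMPLOYEE_RETENTION_YEARS)
    if rec.outcome == "talent_pool" and rec.consent_expires_on:
        return rec.consent_expires_on
    return None


def retention_action(rec: CandidateRecord, today: date) -> str:
    """What the nightly sweep should do with one record."""
    expiry = retention_expiry(rec)
    if expiry is None:
        return "keep"
    if today > expiry:
        return "anonymise"
    if rec.outcome == "talent_pool" and today >= expiry - timedelta(days=RENEWAL_REMINDER_DAYS):
        return "send_consent_renewal_reminder"
    return "keep"


def run_retention_sweep(records: List[CandidateRecord], today: date,
                        audit_log: List[dict]) -> Dict[str, str]:
    """Apply the policy to every record. Each non-trivial action is appended to
    the audit log so the decision can be evidenced to the ICO later."""
    actions: Dict[str, str] = {}
    for rec in records:
        action = retention_action(rec, today)
        actions[rec.candidate_id] = action
        if action != "keep":
            audit_log.append({
                "on": today.isoformat(),
                "candidate_id": rec.candidate_id,
                "action": action,
                "retention_expiry": retention_expiry(rec).isoformat(),
                "policy": f"{rec.outcome} retention rule",
            })
    return actions


if __name__ == "__main__":
    # Constructed sample records.
    sample = [
        CandidateRecord("c-1", "unsuccessful", vacancy_filled_on=date(2025, 3, 31)),
        CandidateRecord("c-2", "talent_pool", consent_expires_on=date(2025, 12, 31)),
        CandidateRecord("c-3", "hired", employment_ended_on=date(2020, 2, 29)),
        CandidateRecord("c-4", "active"),
    ]
    log: List[dict] = []
    print(run_retention_sweep(sample, date(2025, 12, 5), log))
    for entry in log:
        print(entry)
```

The sweep only flags and logs; the actual anonymisation step belongs to the erasure routine, so that a retention expiry and a candidate's erasure request end up going through the same code path and the same audit trail.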
Automated retention management in Treegarden
Treegarden allows you to configure data retention periods per job, per pipeline stage, and per candidate category. When a retention period expires, the system automatically flags the record for review and can trigger anonymisation or deletion based on your policy settings. Every retention action is logged in a tamper-proof audit trail, giving you the documentation you need to demonstrate compliance to the ICO.
Candidate Rights Under UK GDPR and How Your ATS Must Support Them
UK GDPR grants candidates (as data subjects) a set of specific rights that your ATS must be capable of fulfilling. Failure to respond to a rights request within the statutory timeframe — generally one calendar month — is itself a compliance violation.
Right to be informed (Articles 13-14). Candidates must be told, at the point of data collection, who is processing their data, why, on what legal basis, for how long, and what rights they have. Your ATS career page and application forms must display or link to a clear privacy notice.
Right of access (Article 15). A candidate can request a copy of all personal data you hold about them — known as a Subject Access Request (SAR). Your ATS must allow you to locate and export all data associated with a specific candidate: their application, CV, emails, interview notes, evaluation scores, and any internal comments. You have one month to respond.
Right to rectification (Article 16). Candidates can ask you to correct inaccurate data or complete incomplete data. Your ATS should make it straightforward to update candidate records and log the change.
Right to erasure (Article 17). Also called the "right to be forgotten," this allows candidates to request deletion of their data when the processing purpose has ended, when they withdraw consent, or when they object to processing. Your ATS must support complete deletion or anonymisation of a candidate's record — not just archiving or hiding it. Read our detailed guide on managing erasure requests in your ATS.
Right to data portability (Article 20). Candidates can request their data in a structured, commonly used, machine-readable format (such as CSV or JSON). This right applies when processing is based on consent or contract and carried out by automated means. Your ATS should offer data export functionality that produces clean, portable output.
Right to restrict processing (Article 18). In certain circumstances, a candidate can ask you to stop processing their data while a dispute is resolved (for example, while you verify the accuracy of their data). Your ATS should allow you to flag a record as restricted, preventing further processing while keeping the data stored.
Right to object (Article 21). Where you rely on legitimate interest as your lawful basis, the candidate can object to the processing. You must then stop processing unless you can demonstrate compelling legitimate grounds that override the candidate's interests. Your ATS should facilitate the recording and handling of objections.
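The rights above translate into four concrete operations an ATS must be able to perform on a record. The code below is an added example for this guide (not code from the original page or from Treegarden) showing them against an in-memory record store: a Subject Access Request export in a portable JSON format (Articles 15 and 20), a restriction that blocks ordinary pipeline actions while keeping the data stored (Article 18), erasure by anonymisation rather than hiding (Article 17), and recording an objection (Article 21). The field names, the sample record and the audit-log layout are all constructed.

```python
"""Data-subject rights operations on a candidate record store (constructed example)."""
import json
from datetime import date
from typing import Dict, List

# Fields that identify the candidate; erasure removes exactly these.
PII_FIELDS = ("name", "email", "phone", "cv_text", "interview_notes")


def new_store() -> Dict[str, dict]:
    """Constructed sample data: one candidate record keyed by a pseudonymous id."""
    return {
        "c-1001": {
            "name": "Example Applicant",
            "email": "applicant@example.com",
            "phone": "+44 20 0000 0000",
            "cv_text": "Backend engineer, five years of Python.",
            "interview_notes": "Strong on Python; weaker on SQL.",
            "vacancy": "Backend Engineer (Manchester)",
            "stage": "interviewed",
            "ai_match_score": 72,
            "restricted": False,
            "objections": [],
        }
    }


AUDIT: List[dict] = []


def _audit(action: str, candidate_id: str, actor: str, on: date) -> None:
    AUDIT.append({"on": on.isoformat(), "action": action,
                  "candidate_id": candidate_id, "actor": actor})


def export_subject_access(store: Dict[str, dict], candidate_id: str, actor: str, on: date) -> str:
    """SAR / portability export: everything held on the candidate, including
    internal notes and scores, as machine-readable JSON."""
    payload = {"candidate_id": candidate_id, "exported_on": on.isoformat(),
               "data": store[candidate_id]}
    _audit("sar_export", candidate_id, actor, on)
    return json.dumps(payload, indent=2, sort_keys=True)


def restrict_processing(store: Dict[str, dict], candidate_id: str, actor: str,
                        on: date, reason: str) -> None:
    """Article 18: keep the data, stop working on it."""
    store[candidate_id]["restricted"] = True
    store[candidate_id]["restriction_reason"] = reason
    _audit("restrict", candidate_id, actor, on)


def move_stage(store: Dict[str, dict], candidate_id: str, new_stage: str,
               actor: str, on: date) -> str:
    """An ordinary processing step, refused while a restriction is in force."""
    rec = store[candidate_id]
    if rec.get("restricted"):
        raise PermissionError(f"{candidate_id}: processing restricted (Article 18); storage only")
    rec["stage"] = new_stage
    _audit(f"stage:{new_stage}", candidate_id, actor, on)
    return new_stage


def record_objection(store: Dict[str, dict], candidate_id: str, actor: str,
                     on: date, grounds: str) -> None:
    """Article 21: log the objection and pause processing until the controller
    has either stopped or documented compelling grounds to continue."""
    store[candidate_id]["objections"].append({"on": on.isoformat(), "grounds": grounds})
    restrict_processing(store, candidate_id, actor, on, reason="objection under review")


def erase(store: Dict[str, dict], candidate_id: str, actor: str, on: date) -> dict:
    """Article 17 by anonymisation: identifying fields are deleted, not hidden.
    Vacancy, stage and score stay for aggregate pipeline statistics; whether those
    remaining fields are truly non-identifying (small pools can re-identify) has to
    be assessed per deployment."""
    rec = store[candidate_id]
    for field_name in PII_FIELDS:
        rec.pop(field_name, None)
    rec["anonymised_on"] = on.isoformat()
    _audit("erase_anonymise", candidate_id, actor, on)
    return rec


def is_anonymised(rec: dict) -> bool:
    return "anonymised_on" in rec and not any(f in rec for f in PII_FIELDS)


if __name__ == "__main__":
    s = new_store()
    print(export_subject_access(s, "c-1001", "hr.admin", date(2025, 6, 1)))
    record_objection(s, "c-1001", "hr.admin", date(2025, 6, 2), "legitimate interest contested")
    print(erase(s, "c-1001", "hr.admin", date(2025, 6, 3)))
```

The export deliberately includes interview notes and the AI score: a SAR covers everything held about the person, not only what they supplied. The audit entries carry the pseudonymous id rather than a name, so the trail survives anonymisation without itself becoming a copy of the personal data.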
Built for UK GDPR Compliance
Treegarden gives UK employers the tools to handle every candidate right — erasure, portability, access requests — from a single dashboard, with full audit logging. Book a free demo to see how it works with your recruitment workflow.
Automated Decision-Making and AI in UK Recruitment (Article 22)
Article 22 of UK GDPR gives individuals the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects or similarly significant effects concerning them. Recruitment decisions clearly fall into this category: being automatically rejected from a job has a significant effect on the candidate.
This creates specific constraints on how your ATS can use automation and artificial intelligence:
What Is Prohibited
- Fully automated rejection. If your ATS automatically filters out candidates based on keyword matching, AI scoring, or algorithmic screening without any human review, and those candidates are rejected as a result, you are likely violating Article 22. The decision to reject a candidate must involve meaningful human oversight — not just a rubber stamp on an automated recommendation.
- Automated shortlisting without disclosure. Even if a human makes the final decision, if the shortlist presented to the hiring manager was generated entirely by an algorithm, the candidates have a right to know that automated processing was involved and to request human intervention.
What Is Permitted
- AI-assisted scoring as a decision-support tool. Your ATS can use AI to score or rank candidates, provided the scores are presented as recommendations that a human recruiter reviews. The recruiter must have genuine discretion to override the AI's recommendation.
- Automated communications. Sending automated acknowledgement emails, interview scheduling confirmations, or status updates is not a "decision" under Article 22 and is permissible.
- CV parsing and data extraction. Automatically extracting structured data (name, email, work history) from uploaded CVs is processing, not decision-making, and does not trigger Article 22 protections.
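The prohibited and permitted patterns above come down to one rule the pipeline can enforce in code: automation may score and may send acknowledgements, but an adverse decision must be made by a named human who has actually looked at the profile. The following is an added example written for this guide, not code from the original page or from Treegarden. It refuses a rejection attempted by a system actor, refuses a "rubber stamp" rejection by a human who has not opened the candidate's profile, and logs every movement together with the AI score that was on screen, so the record shows both that a person decided and that automation was involved (which the privacy notice must disclose). Actor kinds, stage names and the model version string are assumptions.

```python
"""Human-in-the-loop enforcement for adverse recruitment decisions (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Actor:
    actor_id: str
    kind: str  # "human" or "system"


@dataclass
class Candidate:
    candidate_id: str
    stage: str = "applied"
    ai_match_score: Optional[int] = None
    reviewed_by: Set[str] = field(default_factory=set)  # humans who opened the full profile


class Article22Violation(PermissionError):
    """Raised when an adverse decision would be made without meaningful human involvement."""


class Pipeline:
    ADVERSE_STAGES = {"rejected"}  # stages that count as a significant decision

    def __init__(self) -> None:
        self.candidates: Dict[str, Candidate] = {}
        self.log: List[dict] = []

    def add(self, c: Candidate) -> None:
        self.candidates[c.candidate_id] = c

    def record_ai_score(self, candidate_id: str, score: int, model_version: str) -> None:
        """Automation may score; it never moves anyone. Logged so the automated
        involvement can be disclosed to the candidate on request."""
        c = self.candidates[candidate_id]
        c.ai_match_score = score
        self.log.append({"candidate_id": candidate_id, "event": "ai_score", "score": score,
                         "model_version": model_version, "actor": "system"})

    def open_profile(self, candidate_id: str, actor: Actor) -> None:
        """A human opening the full profile is what makes a later decision 'meaningful'."""
        if actor.kind == "human":
            self.candidates[candidate_id].reviewed_by.add(actor.actor_id)
        self.log.append({"candidate_id": candidate_id, "event": "view", "actor": actor.actor_id})

    def move(self, candidate_id: str, new_stage: str, actor: Actor, reason: str = "") -> str:
        """Move a candidate. Non-adverse moves (e.g. 'acknowledged') may be automated;
        adverse ones need a human who has reviewed the profile and states a reason."""
        c = self.candidates[candidate_id]
        if new_stage in self.ADVERSE_STAGES:
            if actor.kind != "human":
                raise Article22Violation("adverse decision attempted by an automated actor")
            if actor.actor_id not in c.reviewed_by:
                raise Article22Violation("reviewer has not opened the profile; rubber-stamp rejection refused")
            if not reason.strip():
                raise Article22Violation("adverse decision requires a recorded reason")
        previous = c.stage
        c.stage = new_stage
        self.log.append({"candidate_id": candidate_id, "event": "move", "from": previous,
                         "to": new_stage, "actor": actor.actor_id, "actor_kind": actor.kind,
                         "ai_score_shown": c.ai_match_score, "reason": reason})
        return c.stage

    def automated_involvement(self, candidate_id: str) -> bool:
        """Answer for an Article 15 / Article 22 request: was automation used on this candidate?"""
        return any(e["event"] == "ai_score" and e["candidate_id"] == candidate_id for e in self.log)


if __name__ == "__main__":
    p = Pipeline()
    p.add(Candidate("c-1"))
    p.record_ai_score("c-1", 35, "match-v1")
    recruiter = Actor("j.smith", "human")
    p.open_profile("c-1", recruiter)
    print(p.move("c-1", "rejected", recruiter, reason="does not meet the stated experience requirement"))
    print(p.log[-1])
```

The check is deliberately structural: there is no configuration flag that lets a threshold reject candidates in bulk, because the only code path into an adverse stage demands a human actor with a view event on record.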
Transparency Requirements
Regardless of whether your automated processing falls under Article 22, you must tell candidates that automation is involved. Under Articles 13 and 14, your privacy notice should describe: the existence of automated decision-making, meaningful information about the logic involved, and the significance and envisaged consequences for the candidate. You do not need to reveal your proprietary algorithm, but you must explain what it does in plain language — for example, "We use AI to compare your CV against the job requirements and generate a compatibility score. This score is one of several factors our recruiters consider when reviewing applications."
How Treegarden handles Article 22
Treegarden's AI Match Score is designed as a decision-support tool, not an automated gatekeeper. AI scores are displayed alongside candidate profiles as one data point among many. No candidate is automatically rejected based on an AI score. Recruiters always make the final decision, and the system logs who made each pipeline movement. This architecture satisfies Article 22 requirements by ensuring meaningful human involvement at every decision point.
International Data Transfers: UK Rules Post-Brexit
If your ATS provider hosts data outside the UK, or if you share candidate data with offices, agencies, or hiring managers in other countries, you are making an international data transfer. UK GDPR Chapter V governs these transfers.
Transfers to the EU/EEA
The UK government has recognised the EU/EEA as providing adequate protection. Transfers from the UK to any EU/EEA country require no additional safeguards. This is the simplest scenario.
Transfers to Other Adequate Countries
The UK maintains its own list of countries that it considers to provide adequate data protection. As of early 2026, this includes countries such as Japan, South Korea, Canada (for commercial organisations), Israel, New Zealand, Switzerland, and others. Transfers to these countries are permitted without additional safeguards.
Transfers to Non-adequate Countries
For transfers to countries without an adequacy decision — including the United States (unless the UK Extension to the EU-US Data Privacy Framework applies) — you must use an approved transfer mechanism:
- International Data Transfer Agreement (IDTA). This is the UK's standalone replacement for Standard Contractual Clauses. It is a standardised contract between the data exporter (you) and the data importer (the ATS provider or overseas office).
- UK Addendum to EU SCCs. If your ATS provider already uses EU Standard Contractual Clauses, you can add the UK Addendum to extend their coverage to UK GDPR transfers.
- Binding Corporate Rules (BCRs). For multinational organisations transferring data within a corporate group.
- Transfer Risk Assessment (TRA). Alongside any transfer mechanism, the ICO expects you to conduct a TRA to evaluate whether the destination country's laws and practices provide adequate protection in practice — not just on paper.
Data residency with Treegarden
Treegarden hosts all customer data within EU data centres, covered by the UK's adequacy recognition of the EU. This means transfers from UK companies to Treegarden require no additional safeguards — no IDTA, no TRA, no Addendum. Your candidate data stays within a jurisdiction the UK government has already assessed as providing adequate protection.
Special Category Data in UK Recruitment
Special category data — defined in UK GDPR Article 9 — includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation.
In recruitment, you may encounter special category data in several situations:
- Diversity and equality monitoring. Many UK employers collect information about ethnicity, gender, disability, and sexual orientation for equality monitoring purposes. Under the Equality Act 2010, this is lawful provided the data is processed for statistical monitoring and is not used in the hiring decision.
- Disability and reasonable adjustments. A candidate may disclose a disability during the application process to request reasonable adjustments for an interview or assessment.
- Health screening. Some roles (healthcare, transport, safety-critical positions) require pre-employment health checks.
- Criminal records. While not technically special category data under UK GDPR, criminal records data receives additional protection under DPA 2018 Section 10 and requires an appropriate policy document.
Your ATS must handle special category data with extra care. Best practices include:
- Collecting diversity monitoring data on a separate form that is not visible to hiring managers — your ATS should enforce this separation structurally, not just procedurally.
- Obtaining explicit consent for processing special category data, or identifying another Article 9 condition (such as the employment law exemption under Article 9(2)(b) read with DPA 2018 Schedule 1).
- Storing special category data with enhanced access controls — restricting access to HR personnel only, with field-level permissions.
- Including special category data in your deletion schedule — diversity monitoring data should be anonymised or deleted when it is no longer needed for its stated purpose.
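"Structurally, not just procedurally" means the separation is enforced by the data layer and the view layer rather than by a policy document. The code below is an added example for this guide (not code from the original page or from Treegarden) of one way to do that: diversity-monitoring answers live in a separate store keyed by candidate id; hiring managers never receive those fields; an HR administrator with an explicit field permission may see a single candidate's disability disclosure in order to arrange adjustments; the equality-monitoring role only ever receives aggregate counts, with small cells suppressed; and the monitoring record has its own purge independent of the hiring record. Role names, field names, the sample data and the suppression threshold are all assumptions.

```python
"""Structural separation of special category data from the hiring view (constructed example)."""
from collections import Counter
from typing import Dict, List

SPECIAL_CATEGORY_FIELDS = {"ethnicity", "disability", "sexual_orientation", "religion"}

# Per-role access: which special category fields may be read per candidate, and
# whether aggregate monitoring statistics may be read at all.
ROLE_PERMISSIONS = {
    "hiring_manager":   {"fields": set(),            "aggregate": False},
    "hr_admin":         {"fields": {"disability"},   "aggregate": True},   # reasonable adjustments
    "equality_analyst": {"fields": set(),            "aggregate": True},
}

# Two separate stores. The hiring record and the monitoring record never share a table,
# so no query against HIRING can return a monitoring answer by accident.
HIRING: Dict[str, dict] = {
    f"c-{i}": {"name": f"Candidate {i}", "vacancy": "Data Engineer (Leeds)", "stage": "screened"}
    for i in range(1, 8)
}
MONITORING: Dict[str, dict] = {
    "c-1": {"disability": "yes", "ethnicity": "prefer_not_to_say"},
    "c-2": {"disability": "no"},
    "c-3": {"disability": "no"},
    "c-4": {"disability": "prefer_not_to_say"},
    "c-5": {"disability": "no"},
    "c-6": {"disability": "yes"},
    "c-7": {"disability": "no"},
}


class AccessDenied(PermissionError):
    pass


def view_candidate(candidate_id: str, role: str) -> dict:
    """Build the record a given role is allowed to see. Special category fields are
    only merged in when the role holds an explicit field permission for them."""
    if role not in ROLE_PERMISSIONS:
        raise AccessDenied(f"unknown role {role!r}")
    record = dict(HIRING[candidate_id])
    allowed = ROLE_PERMISSIONS[role]["fields"] & SPECIAL_CATEGORY_FIELDS
    monitoring = MONITORING.get(candidate_id, {})
    for field_name in allowed:
        if field_name in monitoring:
            record[field_name] = monitoring[field_name]
    return record


def monitoring_aggregate(field_name: str, role: str, min_cell: int = 3) -> Dict[str, int]:
    """Equality monitoring output: counts only, never rows. Cells below min_cell are
    folded into 'suppressed' so that a rare answer cannot be tied back to a person
    (assumption: a threshold of 3 for this small sample)."""
    if not ROLE_PERMISSIONS.get(role, {}).get("aggregate"):
        raise AccessDenied(f"role {role!r} may not read monitoring statistics")
    counts = Counter(m[field_name] for m in MONITORING.values() if field_name in m)
    result: Dict[str, int] = {}
    suppressed = 0
    for value, n in counts.items():
        if n >= min_cell:
            result[value] = n
        else:
            suppressed += n
    if suppressed:
        result["suppressed"] = suppressed
    return result


def purge_monitoring(candidate_id: str) -> bool:
    """Deletion-schedule hook: remove the monitoring record on its own timetable,
    leaving the hiring record untouched. Returns True if something was deleted."""
    return MONITORING.pop(candidate_id, None) is not None


def special_category_fields_in(record: dict) -> List[str]:
    """Helper for tests and audits: which special category fields leaked into a view."""
    return sorted(f for f in record if f in SPECIAL_CATEGORY_FIELDS)


if __name__ == "__main__":
    print(view_candidate("c-1", "hiring_manager"))
    print(view_candidate("c-1", "hr_admin"))
    print(monitoring_aggregate("disability", "equality_analyst"))
```

Putting the permission check in the function that assembles the view, rather than in the UI, is what makes the control structural: an export, an API call and a report all go through the same gate.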
ICO Enforcement: What UK Employers Have Faced
The ICO's enforcement record provides concrete examples of what happens when organisations fail to protect personal data in employment contexts. While not all of these cases involve recruitment specifically, they illustrate the ICO's approach and priorities:
- Inadequate security measures. The ICO has fined organisations for failing to implement basic security controls — weak passwords, unencrypted data, lack of access controls. If your ATS allows unlimited access to all candidate data by all employees, you are at risk.
- Failure to respond to SARs. The ICO regularly reprimands organisations that fail to respond to Subject Access Requests within the one-month timeframe. If your ATS makes it difficult to locate and export a specific candidate's data, this becomes an operational problem that could lead to a regulatory one.
- Excessive data retention. Keeping candidate data indefinitely — the "we might need it someday" approach — has been flagged by the ICO as a violation of the storage limitation principle. If your ATS has no automated deletion or review mechanism, old candidate data accumulates and creates liability.
- Unlawful data sharing. Sharing candidate data with third parties without a lawful basis or without informing the candidate has resulted in enforcement action. This includes sharing CVs with hiring managers at partner companies, forwarding applications to overseas offices, or using recruitment agencies without proper data processing agreements.
The ICO's enforcement powers include: assessment notices (compelling you to submit to an audit), enforcement notices (requiring you to take specific remedial action), penalty notices (fines), and prosecution for criminal offences under DPA 2018.
GDPR Compliance Checklist for Your ATS
Use this checklist to audit your current ATS against UK GDPR requirements. For each requirement, we have included what to check and examples of compliant vs non-compliant configurations.
| Requirement | What to Check in Your ATS | Compliant Example | Non-Compliant Example |
|---|---|---|---|
| Privacy notice at collection | Application form displays or links to a recruitment-specific privacy notice before submission | Link to full privacy policy with recruitment section, displayed above the submit button | No privacy notice; general website terms buried in footer |
| Lawful basis documented | Each processing activity has an identified and recorded lawful basis | Legitimate interest for active applications; explicit consent for talent pool retention | No documented lawful basis; vague reference to "business purposes" |
| Consent mechanism | Consent checkboxes are unticked by default; separate checkboxes for separate purposes | Separate unticked checkbox: "I consent to my data being retained for 12 months for future vacancies" | Pre-ticked checkbox; single checkbox covering all purposes |
| Data minimisation | Application forms collect only data relevant to the role | Name, email, CV, cover letter, right-to-work status | Mandatory fields for marital status, religion, national insurance number at application stage |
| Retention policy & automation | Configurable retention periods with automated deletion or flagging | Automatic anonymisation of unsuccessful candidates after 6 months; email reminder before deletion | No retention policy; candidate data kept indefinitely by default |
| Subject Access Request (SAR) handling | Ability to search, export, and compile all data for a specific candidate within days | One-click export of all candidate data (application, emails, notes, scores) in PDF or CSV | Manual search across multiple disconnected systems; takes weeks to compile |
| Right to erasure support | Complete deletion or anonymisation of all candidate data, including backups within a reasonable period | One-click anonymisation that removes PII while preserving aggregate pipeline statistics | Data "hidden" in the interface but still stored in the database; no backup deletion process |
| Access controls | Role-based permissions limiting who can view, edit, or export candidate data | Hiring managers see only candidates for their vacancies; HR admins have full access; audit log of all views | All employees have unrestricted access to all candidate data across all departments |
| Encryption | Data encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent) | HTTPS enforced on all pages; database encryption enabled; CV files encrypted at rest | HTTP connections allowed; plain-text database storage; CVs stored on unencrypted file server |
| Audit trail | Chronological log of all actions taken on candidate records | Timestamped log: who viewed, edited, moved, shared, or deleted each candidate record | No logging; impossible to determine who accessed or modified candidate data |
| Automated decision-making disclosure | Privacy notice describes any AI/algorithmic screening; human review before rejection | Privacy notice explains AI scoring; recruiter reviews all applications before decisions are made | AI silently auto-rejects candidates below a threshold; no disclosure in privacy notice |
| International transfer safeguards | Data hosting location documented; transfer mechanism in place for non-adequate countries | ATS hosted in EU (UK adequacy); IDTA in place for any sub-processors in non-adequate jurisdictions | No idea where ATS stores data; no transfer mechanism documentation |
| Data processing agreement | Signed DPA with your ATS provider covering Article 28 requirements | DPA specifying processing scope, security measures, sub-processor list, breach notification obligations | No DPA; relying on generic terms of service with no data protection provisions |
When You Need a Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is a structured process for identifying and mitigating data protection risks. Under UK GDPR Article 35, a DPIA is mandatory when processing is likely to result in a high risk to individuals' rights and freedoms.
The ICO has published a list of processing operations that require a DPIA. In the context of recruitment, a DPIA is likely required if your ATS involves:
- Systematic evaluation or scoring of candidates — including AI-based ranking, competency scoring, or psychometric profiling.
- Processing on a large scale — if you recruit hundreds or thousands of candidates per year, you are processing personal data at scale.
- Processing of special category data — diversity monitoring, disability disclosures, health screening.
- Automated decision-making with significant effects — any AI or algorithmic screening that influences hiring decisions.
- Novel use of technology — video interview analysis, sentiment analysis, social media screening.
A DPIA is not a one-time exercise. You should review and update it whenever you significantly change how your ATS processes data — for example, when you enable a new AI feature, integrate with a new job board, or change your data hosting provider.
The DPIA should document: a description of the processing, the necessity and proportionality assessment, an assessment of risks to candidates, and the measures you are taking to mitigate those risks. Keep the completed DPIA on file — the ICO can request to see it at any time.
The Data Processing Agreement With Your ATS Provider
Under UK GDPR Article 28, when you use an ATS provider, you are a data controller and the ATS provider is a data processor. You must have a written contract — a Data Processing Agreement (DPA) — that sets out the terms of the processing.
A compliant DPA must include:
- Subject matter and duration: What data is processed, for what purpose, and for how long.
- Nature and purpose: A clear description of the processing activities (hosting candidate data, sending emails on your behalf, generating reports).
- Types of personal data: Names, contact details, CVs, interview notes, evaluation scores, etc.
- Categories of data subjects: Job applicants, referees, interviewers.
- Obligations of the processor: Processing only on your instructions, implementing appropriate security measures, assisting with SARs and DPIAs, notifying you of data breaches without undue delay.
- Sub-processors: A list of any third parties the ATS provider uses (cloud hosting, email delivery, analytics), with a mechanism for you to object to new sub-processors.
- Data deletion or return: What happens to your data when the contract ends — the processor must delete or return all personal data at your choice.
- Audit rights: Your right to audit or inspect the processor's compliance with the DPA.
Before selecting an ATS, ask the provider for their DPA. If they cannot produce one, or if it does not cover these Article 28 requirements, that is a significant red flag. A reputable ATS provider will have a standard DPA ready and will be transparent about their security measures and sub-processor list.
Data Breach Notification: Your Obligations
If your ATS suffers a data breach — whether through a cyberattack, accidental exposure, or unauthorised access — you have specific obligations under UK GDPR Articles 33 and 34.
Notification to the ICO (Article 33). You must notify the ICO within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification must include: the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address it.
Notification to affected individuals (Article 34). If the breach is likely to result in a high risk to individuals' rights and freedoms, you must also notify the affected candidates directly, without undue delay. This applies when the breach involves sensitive personal data, financial data, or data that could be used for identity fraud.
Your ATS provider's DPA should include a breach notification clause requiring them to inform you of any breach without undue delay — ideally within 24 hours — to give you time to assess the breach and notify the ICO within the 72-hour window.
Practical steps to prepare for a breach scenario:
- Maintain an incident response plan that covers recruitment data breaches specifically.
- Ensure your ATS provider has breach detection capabilities — intrusion detection, access anomaly monitoring, real-time alerts.
- Keep a breach register documenting all breaches (including minor ones that did not require ICO notification) as evidence that you are meeting your accountability obligations.
- Test your response plan with a tabletop exercise at least annually.
Practical Steps to Make Your ATS UK GDPR-Compliant
If you are reviewing or selecting an ATS for your UK organisation, here is a practical implementation roadmap:
Step 1: Audit your current data flows. Map every piece of candidate data your organisation collects, where it comes from (career page, job boards, referrals, recruitment agencies), where it is stored, who has access, how long it is kept, and whether it is shared with third parties. This data mapping exercise is the foundation of compliance.
Step 2: Define your lawful basis for each processing activity. Document whether you are relying on legitimate interest, consent, or pre-contractual measures for each category of processing. Create or update your Legitimate Interest Assessments.
Step 3: Write or update your recruitment privacy notice. Ensure it covers all the information required by Articles 13 and 14, written in clear and plain language. Publish it on your career page and link to it from every application form.
Step 4: Configure retention periods in your ATS. Set up automated deletion or anonymisation schedules aligned with your documented retention policy. Treegarden allows you to configure these at the job level, giving you flexibility to apply different retention periods to different vacancy types.
Step 5: Enable and test candidate rights workflows. Verify that your ATS can handle SARs, erasure requests, rectification requests, and portability requests within the one-month timeframe. Run test scenarios to measure response time.
Step 6: Review your ATS provider's DPA and security measures. Confirm that the DPA covers all Article 28 requirements. Verify the provider's security certifications (ISO 27001, SOC 2), data hosting location, and sub-processor list.
Step 7: Conduct a DPIA if required. If your recruitment processing meets the DPIA threshold (large-scale processing, automated scoring, special category data), complete and document a DPIA before going live.
Step 8: Train your team. Ensure every person who uses the ATS understands the basics of UK GDPR as it applies to recruitment: what data they can collect, how long it can be kept, how to handle a candidate's rights request, and what to do if they suspect a data breach. Document this training.
Step 9: Schedule regular reviews. Data protection compliance is not a one-time project. Review your DPIA, retention settings, privacy notice, and DPA at least annually, and whenever you make significant changes to your recruitment process or ATS configuration.
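As an added illustration of Steps 4 and 5 (example code written for this guide, not Treegarden's own implementation), the following Python sketch applies per-job retention periods, anonymises rather than deletes so hiring statistics survive, leaves candidates held under talent-pool consent alone, and fulfils an erasure request while keeping only a salted-hash tombstone in the audit log. The job ids, retention values and salt are constructed placeholders.

```python
import hashlib
from collections import namedtuple
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention per job in days, with a default (constructed: ~6 and 12 months, within the 6-12 month range above).
RETENTION_DAYS: Dict[str, int] = {"default": 183, "JOB-FIN-01": 365}
AUDIT_SALT = b"constructed-salt; keep the real one in a secrets store"
AuditEntry = namedtuple("AuditEntry", "event candidate_ref on")  # holds no personal data

@dataclass
class Candidate:
    candidate_id: str
    name: str
    email: str
    job_id: str
    process_closed_on: Optional[date]   # None while the vacancy is still open
    talent_pool_consent: bool = False   # separate lawful basis for keeping data longer
    anonymised: bool = False

def audit_ref(candidate_id: str) -> str:
    """Salted hash so the audit log can reference a person without naming them."""
    return hashlib.sha256(AUDIT_SALT + candidate_id.encode()).hexdigest()[:16]

def anonymise(c: Candidate) -> None:
    """Strip identifying fields; job_id and dates stay so hiring statistics still work."""
    c.name = c.email = "[anonymised]"
    c.anonymised = True

def apply_retention(records: List[Candidate], today: date, audit: List[AuditEntry]) -> int:
    """Scheduled run: anonymise unsuccessful candidates once their job's retention lapses."""
    done = 0
    for c in records:
        if c.anonymised or c.process_closed_on is None or c.talent_pool_consent:
            continue  # already done, vacancy still live, or retained under explicit consent
        keep_for = RETENTION_DAYS.get(c.job_id, RETENTION_DAYS["default"])
        if today >= c.process_closed_on + timedelta(days=keep_for):
            anonymise(c)
            audit.append(AuditEntry("retention_anonymised", audit_ref(c.candidate_id), today))
            done += 1
    return done

def fulfil_erasure(records: List[Candidate], candidate_id: str, today: date, audit: List[AuditEntry]) -> int:
    """Erasure request: anonymise every application for this person, keep only a tombstone."""
    hits = [c for c in records if c.candidate_id == candidate_id and not c.anonymised]
    for c in hits:
        anonymise(c)
    audit.append(AuditEntry("erasure_fulfilled", audit_ref(candidate_id), today))
    return len(hits)
```

Run `apply_retention` from a nightly scheduler and `fulfil_erasure` from your rights-request workflow; the audit list is what you keep as evidence that the request was actioned.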
Ready to See a GDPR-Compliant ATS in Action?
Treegarden is built for UK employers who take data protection seriously. Configurable retention periods, one-click erasure, full audit trails, role-based access, and EU-hosted infrastructure — all included. Schedule a free demo and see how Treegarden handles UK GDPR compliance out of the box.
Frequently Asked Questions
Does UK GDPR still apply after Brexit?
Yes. The UK retained GDPR in domestic law through the Data Protection Act 2018 and the UK GDPR (a modified version of the EU regulation). The Information Commissioner's Office (ICO) continues to enforce data protection law in the UK. UK companies that process candidate personal data must comply with UK GDPR, and those also handling EU candidates' data must additionally comply with the EU version.
What is the lawful basis for processing candidate data in a UK ATS?
The most common lawful bases for processing candidate data under UK GDPR are legitimate interest (Article 6(1)(f)) and consent (Article 6(1)(a)). Legitimate interest typically covers processing applications for active vacancies, while consent is more appropriate for retaining candidate data in talent pools beyond the original recruitment purpose. Pre-contractual measures (Article 6(1)(b)) may also apply when the processing is necessary to take steps before entering an employment contract.
How long can UK employers keep candidate data in an ATS?
The ICO does not prescribe a fixed retention period, but expects organisations to justify whatever period they choose. Industry best practice in the UK is 6 to 12 months after the conclusion of a recruitment process for unsuccessful candidates. If you wish to retain data longer — for example, in a talent pool — you need a separate lawful basis, typically explicit consent. Your ATS should allow you to configure automatic deletion or anonymisation schedules aligned with your retention policy.
Can my ATS use AI to screen candidates under UK GDPR?
Yes, but with important safeguards. Article 22 of UK GDPR gives individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. If your ATS uses AI to auto-reject candidates without human review, this likely violates Article 22. The safe approach is to use AI scoring as a decision-support tool — providing recommendations that a human recruiter reviews and acts upon — rather than as a fully automated gatekeeper.
What happens if my ATS provider stores data outside the UK?
International data transfers from the UK are governed by UK GDPR Article 46 and the UK's own adequacy framework. Transfers to countries with a UK adequacy decision (including the EU/EEA) are permitted without additional safeguards. For other countries, you must use an approved transfer mechanism such as the International Data Transfer Agreement (IDTA), the UK Addendum to EU Standard Contractual Clauses, or Binding Corporate Rules. Your ATS provider should clearly state where data is hosted and what transfer mechanisms are in place.
Do I need to conduct a DPIA for my recruitment ATS?
A Data Protection Impact Assessment (DPIA) is required under UK GDPR Article 35 when processing is likely to result in a high risk to individuals' rights and freedoms. If your ATS processes large volumes of candidate data, uses automated profiling or scoring, or handles special category data, a DPIA is strongly recommended. The ICO has published specific guidance listing types of processing that require a DPIA, and systematic evaluation of candidates through automated means is explicitly included.
How should I handle a candidate's right to erasure request in my ATS?
When a candidate submits a right to erasure request (also known as the right to be forgotten), you must respond within one calendar month. Your ATS should allow you to locate all data associated with that candidate — applications, CV files, interview notes, emails, evaluation scores — and delete or anonymise it completely. You should maintain a record that the erasure request was fulfilled (without retaining the personal data itself) as evidence of compliance. Treegarden provides a one-click erasure workflow that handles this automatically while preserving the compliance audit log.
Is consent or legitimate interest better for recruitment processing in the UK?
It depends on the context. For processing applications to fill an active vacancy, legitimate interest is generally the stronger basis — the ICO recognises that employers have a genuine need to evaluate applicants. For longer-term activities such as talent pooling, marketing future roles to past applicants, or sharing data with third-party agencies, consent is more appropriate because the processing goes beyond the candidate's original expectation. Many UK recruitment teams use a hybrid approach: legitimate interest for the active hiring process, and explicit consent for anything beyond that.