This guide is a practical UK-GDPR compliance audit for any applicant tracking system (ATS) you run, written for UK SMB recruiters and HR leads under roughly 200 employees. It assumes you are the data controller and your ATS vendor is your processor, which is the normal arrangement for hosted recruitment software. The 14 points below map to the obligations the Information Commissioner's Office (ICO) actually enforces in employment, plus the two regulatory shifts that landed in 2026 and that older checklists miss.
Pricing references reflect mid-2026 list prices and should be confirmed at sign-up. Treegarden's public price page in GBP starts at £235 per month with no setup fee, with higher tiers at £395 and £710; in USD the equivalent tiers are $299, $499 and $899. You evaluate through a guided demo and a working sandbox, which keeps real candidate data out of a self-serve signup while you test the workflow.
What changed for UK recruiters in 2026
Two changes reset the baseline this year, and both touch the ATS directly.
1. Automated decision-making rules were liberalised. The Data (Use and Access) Act 2025 (DUAA) replaced Article 22 of the UK GDPR with new Articles 22A to 22D, and the core reforms took effect on 5 February 2026. The old position was a near-prohibition: a solely automated decision with legal or similarly significant effects (for example auto-rejecting a candidate) was banned unless a narrow exception applied. The default has now flipped to "permitted, provided safeguards are in place", except where special category data is involved, where the prohibition still bites. In recruitment, the ICO's March 2026 guidance on automated decisions in hiring is explicit that if you let software shortlist or reject applicants, you must give each candidate four things: information that automated decision-making is being used, a way to make representations, a route to meaningful human intervention, and a way to contest the outcome. Your ATS has to be able to deliver all four, not just the algorithm.
2. EU-to-UK data flows were secured to 2031. On 19 December 2025 the European Commission renewed the UK adequacy decisions, which now run until 27 December 2031, taking the DUAA changes into account. That means candidate data can keep flowing from the EEA to UK-based systems without extra transfer paperwork, but the renewal carries a sunset clause and a four-year review, so vendor data residency still matters if you ever need to fall back to EU hosting.
One caution that follows from both changes: the UK and EU approaches to automated hiring decisions have now diverged. A UK-compliant screening setup will not automatically satisfy EU GDPR, so if you hire EEA residents, build to the stricter standard.
The 14-point compliance audit
Work through these in order. For each one, the test is not "does the policy exist" but "can the ATS evidence it on demand", because that is what an ICO enquiry or a candidate complaint will ask for.
- Consent and lawful basis are not the same thing. Consent is rarely your strongest basis in recruitment because the power imbalance makes it hard to call freely given. The ICO's recruitment guidance points most employers to legitimate interests or contract for core application processing. Record one lawful basis per purpose before you collect anything.
- Lawful basis recorded per data category. Application and CV data: usually legitimate interests (assessing suitability) or steps towards a contract. Reference checks: legitimate interests. Right-to-Work checks: legal obligation. Special category data (health, ethnicity for monitoring): needs an Article 9 condition on top, and your ATS should store it separately from the hiring decision trail.
- Retention period documented and enforced. Keep unsuccessful applicants' data no longer than necessary. The practical floor is six months, because the Equality Act 2010 gives a rejected candidate roughly that window to bring a discrimination claim and you need the records to defend one. Holding longer (a talent pool) is allowed only if you tell the candidate and let them ask for deletion. Your ATS should run an automated retention timer, not a manual reminder.
- Right of access (Article 15). A subject access request must be answered within one calendar month of receipt, extendable by up to two further months only for genuinely complex or multiple requests, and you must tell the candidate about any extension inside the first month. The ATS should support a clean, one-click export of everything held on one person, including notes and scorecards.
- Right to erasure (Article 17). Honour deletion requests; a documented legal hold can lawfully suspend deletion where you still need the data to defend a claim.
- Right to rectification (Article 16). Candidates can correct their own data, ideally through a self-service portal so corrections do not sit in an inbox.
- Data minimisation. Do not collect data you do not need to make a hiring decision. Drop optional 'date of birth' and any diversity fields from the assessment form, or separate them so they never reach the hiring manager.
- Audit log. Every view, edit, share and export logged with user, timestamp and IP, retained long enough to investigate a complaint.
- Breach notification (Article 33). Notify the ICO without undue delay and no later than 72 hours after you become aware of a notifiable breach; tell affected candidates without undue delay where the risk to them is high. The clock starts when you discover the breach, not when it happened.
- DPIA before automated or high-risk screening (Article 35). A Data Protection Impact Assessment is required before you use systematic automated processing or AI to evaluate candidates. Note the distinction the DUAA preserves: Article 35 governs the DPIA, while Articles 22A to 22D govern the candidate-facing safeguards for the automated decision itself. You need both.
- Data Processing Agreement signed and kept. An Article 28 DPA naming the vendor as processor and you as controller. Signing it once and losing the copy is a common audit failure.
- Sub-processor list maintained. The vendor publishes its sub-processors and notifies you of changes, so you can update your own Article 30 record of processing.
- Data residency understood. Know whether candidate data sits in the UK or EU. US-default hosting needs a valid transfer mechanism on top, even with UK adequacy in place for inbound EU flows.
- Staff training and access control. Everyone with ATS access knows their obligations, and access is scoped by role so a hiring manager cannot see another team's candidates.
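As an added illustration of the retention timer, legal hold and special-category separation described in points 2, 3, 5 and 7 (example code written for this guide, not Treegarden's or any vendor's implementation), the Python below decides what a nightly retention job should do with each closed application. The retention windows, field names and sample candidates are constructed assumptions; take your own values from your ROPA.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy values for this example; set yours from your ROPA.
UNSUCCESSFUL_RETENTION = timedelta(days=183)   # roughly the six-month floor
TALENT_POOL_RETENTION = timedelta(days=730)    # longer clock only with an opt-in

# Fields that must never reach the hiring decision trail (points 2 and 7).
SPECIAL_CATEGORY = {"ethnicity", "health", "disability"}

@dataclass
class Candidate:
    ref: str
    outcome_date: date                 # day the application was closed
    talent_pool_opt_in: bool = False
    legal_hold: bool = False           # documented hold, e.g. a pending claim
    erasure_requested: bool = False
    record: dict = field(default_factory=dict)

def retention_deadline(c: Candidate) -> date:
    window = TALENT_POOL_RETENTION if c.talent_pool_opt_in else UNSUCCESSFUL_RETENTION
    return c.outcome_date + window

def retention_action(c: Candidate, today: date) -> str:
    """Decide 'hold', 'erase' or 'keep' for one closed application."""
    if c.legal_hold:                   # a documented legal hold suspends deletion
        return "hold"
    if c.erasure_requested or today >= retention_deadline(c):
        return "erase"                 # Article 17 request, or the timer expired
    return "keep"

def run_retention(candidates, today: date) -> dict:
    """Nightly job: map candidate ref -> action, ready to write to the audit log."""
    return {c.ref: retention_action(c, today) for c in candidates}

def hiring_manager_view(c: Candidate) -> dict:
    """Strip special category fields before anyone scoring the candidate sees it."""
    return {k: v for k, v in c.record.items() if k not in SPECIAL_CATEGORY}

# Constructed sample candidates, not real data.
SAMPLE = [
    Candidate("C1", date(2025, 6, 1), record={"cv": "...", "ethnicity": "x"}),
    Candidate("C2", date(2025, 6, 1), talent_pool_opt_in=True),
    Candidate("C3", date(2025, 6, 1), legal_hold=True),
    Candidate("C4", date(2026, 1, 15), erasure_requested=True),
]

if __name__ == "__main__":
    for ref, action in run_retention(SAMPLE, date(2026, 2, 1)).items():
        print(ref, action)
```

Each "erase" or "hold" decision should itself be written to the audit log (point 8) so you can later show when and why a record was purged or retained.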
How Treegarden handles each point
Treegarden is built EMEA-first, so the UK defaults are switched on rather than configured after the fact. Mapped to the 14 points above:
- Lawful basis and consent (points 1, 2): the UK application form ships with a legitimate-interests-first configuration and a separate, optional talent-pool opt-in, so you are not leaning on shaky blanket consent.
- Retention (point 3): an automated retention timer purges or anonymises unsuccessful applicants on a schedule you set, with a longer clock for anyone who opted into the talent pool.
- Candidate rights (points 4 to 6): one-click subject access export of a candidate's full record, and self-service correction so rectification does not depend on someone reading an inbox.
- Audit and breach (points 8, 9): an immutable audit log on every record action, plus a documented breach process aligned to the 72-hour ICO deadline.
- Automated screening (point 10): Edera AI is positioned as decision support, keeping a human in the loop by design, and a DPIA template plus the Article 22A to 22D candidate safeguards (notice, representations, human review, contest) are provided in the admin console.
- Processor obligations and residency (points 11 to 13): a published DPA, a maintained sub-processor list, and UK or EU data residency on request.
Two honest caveats. None of this makes you compliant on its own: the controller obligations, the DPIA decision and staff training (point 14) stay with you. And the audit-log immutability and residency options should be confirmed for your specific plan during the demo rather than assumed.
What getting this wrong actually costs
UK GDPR fines run on two tiers. The standard maximum, which covers breach-notification, processor and records failures (Articles 28 to 34), is up to £8.7 million or 2% of worldwide annual turnover, whichever is higher. The higher maximum, which covers the core principles and data subject rights (Articles 5 and 12 to 22), is up to £17.5 million or 4% of worldwide annual turnover, whichever is higher. Most recruitment failings (a missed subject access deadline, an unlawful basis, keeping CVs forever) sit in the higher tier. In practice the ICO rarely fines an SMB the headline figure for a first recruitment slip; the more common and more damaging outcome is an enforcement notice, a public reprimand and the cost of remediating in a hurry. The point of the checklist is to make that conversation unnecessary.
How to run this audit in an afternoon
You do not need a consultant for the first pass. A workable sequence:
- Pull your record of processing (ROPA). If you cannot produce an Article 30 record for recruitment, start there: it forces you to list purposes, lawful bases, retention and recipients in one place.
- Test the candidate rights on a dummy record. Raise a fake subject access request and an erasure request against a test candidate and time how long export and deletion actually take in your ATS. This is where most tools quietly fail.
- Check the paper trail with the vendor. Confirm you hold a signed DPA, can see the current sub-processor list, and know which region the data sits in.
- Screen your screening. If any automated tool ranks or filters candidates, confirm a DPIA exists and that the four Articles 22A to 22D safeguards (notice, representations, human review, contest) are live in the candidate experience, not just in a policy document.
- Close the gaps and date them. Record what you found and when you fixed it. A dated remediation log is itself strong evidence of accountability under Article 5(2).
Common ICO audit findings
From ICO enforcement patterns and recruitment-sector reviews, the same handful of gaps recur:
- No documented retention period for application data, so CVs accumulate indefinitely.
- Subject access requests handled manually and missing the one-month deadline.
- Consent leaned on as the lawful basis where it cannot be freely given, instead of legitimate interests.
- No DPIA for AI or automated tools used in shortlisting.
- A DPA not signed with the ATS vendor, or signed once and not retained.
- Sub-processor changes not communicated to the controller, breaking the Article 30 record.
- Diversity-monitoring data visible to hiring managers because it was never separated from the assessment.
Frequently asked questions
What's the most important factor when choosing a UK-GDPR-compliant ATS in the UK?
Match to the top three UK-specific operational needs: UK-GDPR compliance, Right-to-Work workflow integration and your sector's regulatory checks (DBS for child-facing roles, NMC/GMC for clinical, IR35 for contractor-heavy hiring). Generic global ATS platforms often miss one of these and force manual workarounds.
Should I prefer a UK-built or US-built platform?
UK-built platforms typically have better default UK compliance (RTW, IR35, KCSIE) but smaller integration ecosystems. US-built platforms have more integrations but often need manual GDPR configuration. Treegarden is EMEA-built with native UK + EU + NA coverage and a balanced integration ecosystem.
Is there a UK-specific ICO requirement when choosing ATS software?
The ICO does not certify ATS platforms specifically, but under UK-GDPR Article 30 you must record processing activities and have a Data Processing Agreement (DPA) with any third-party processor. Pick a vendor that publishes their DPA, supports UK data residency on request, and has documented breach notification within 72 hours.
How long does evaluation typically take in the UK?
2-4 weeks for SMB platforms is standard. Watch out for vendors that gate everything behind a sales call: it can extend evaluation to 6-8 weeks unnecessarily. Vendors with public pricing and a self-guided sandbox typically halve evaluation time.
What about Brexit implications for UK ATS data?
EU-to-UK data transfer relies on the UK adequacy decisions, which the European Commission renewed on 19 December 2025 and which now run to 27 December 2031, taking the Data (Use and Access) Act 2025 into account. UK companies handling candidate data of EU residents must continue to comply with EU GDPR; the UK regime is treated as essentially equivalent. Because the renewal carries a sunset clause and a four-year review, pick a vendor that supports both UK and EU data residency.
See Treegarden in 25 minutes
UK demo with our team. Public GBP pricing, no setup fee, ATS plus HR module, Edera AI for ethical screening, UK-GDPR + Right-to-Work + IR35 built in. Live in 1-3 working days.
Sources
- Data Protection Act 2018, legislation.gov.uk (the UK GDPR framework)
- Data (Use and Access) Act 2025, section 80 (automated decision-making), legislation.gov.uk
- Travers Smith: UK data protection reforms take effect, the new ADM rules and 5 February 2026 commencement
- ICO: Employment practices and data protection, recruitment and selection
- ICO: Personal data breaches, the 72-hour notification rule
- ICO: Time limits for responding to data protection rights requests (one calendar month)
- ICO: The maximum amount of a fine under UK GDPR and DPA 2018
- Hunton: European Commission renews UK data adequacy decisions (19 December 2025, valid to 27 December 2031)
- CIPD Resourcing and Talent Planning Report 2024