This guide covers UK-GDPR compliance for ATS platforms used by UK SMBs. We focus on what UK buyers with under 200 employees actually need: transparent pricing in GBP, UK-specific compliance (UK-GDPR, Right-to-Work, IR35, sector-specific checks), and integration with UK job boards.

Pricing references reflect mid-2026 list prices and should be confirmed at vendor sign-up. Where we mention Treegarden's plans, our public GBP price page starts at £49/month with no setup fee. Where we mention competitors, we reference public pricing where available and direct you to their pricing page otherwise.

The 14-point compliance audit

  1. Consent capture at application. Plain-language consent for processing CV, contact details, retention beyond the role.
  2. Lawful basis recorded per data category. Application data: consent + contract. Reference checks: legitimate interest. Right-to-Work: legal obligation.
  3. Retention period documented and enforced. Default 12 months for unsuccessful applicants; longer requires re-consent.
  4. Right of access (Article 15). Subject access response within 30 days. ATS should support 1-click candidate data export.
  5. Right to erasure (Article 17). Honour deletion requests; legal hold suspends where lawful.
  6. Right to rectification (Article 16). Candidates can correct their own data via portal.
  7. Data minimisation. Don't collect data you don't need. Drop optional 'date of birth' from application.
  8. Audit log. Every view, edit, share, export logged with user, timestamp, IP.
  9. Breach notification (Article 33). ICO within 72 hours; affected candidates 'without undue delay'.
  10. DPIA for AI screening. Required when using automated decision-making (Article 35).
  11. Data Processing Agreement signed. ATS vendor as processor; you as controller.
  12. Sub-processor list maintained. Vendor publishes list of their sub-processors.
  13. Data residency understood. UK or EU; not US-default unless explicit transfer mechanism.
  14. Staff training. Anyone with ATS access knows their UK-GDPR obligations.
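To make points 3, 5 and 8 concrete, here is an added Python example (not Treegarden's code) of a retention sweep: unsuccessful applicants expire 12 months after the decision, re-consent restarts the clock, a legal hold blocks erasure, and every deletion is written to an audit log with user, timestamp and IP. The record fields, the constructed sample candidates and the `retention-timer` service user are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365        # point 3: default 12 months for unsuccessful applicants
AUDIT_LOG: list[dict] = []  # point 8: every record action with user, timestamp, IP

@dataclass
class Candidate:
    cid: str
    outcome: str                            # "unsuccessful" or "hired"
    decided_at: datetime
    reconsented_at: datetime | None = None  # re-consent restarts the retention clock
    legal_hold: bool = False                # point 5: legal hold suspends erasure

def audit(user: str, action: str, cid: str, ip: str, at: datetime) -> dict:
    entry = {"user": user, "action": action, "cid": cid, "ip": ip, "at": at.isoformat()}
    AUDIT_LOG.append(entry)
    return entry

def retention_decision(c: Candidate, now: datetime) -> str:
    """Return 'keep', 'hold' or 'delete' for one record at time `now`."""
    if c.outcome != "unsuccessful":
        return "keep"                       # employee records follow a different schedule
    expiry = (c.reconsented_at or c.decided_at) + timedelta(days=RETENTION_DAYS)
    if now < expiry:
        return "keep"
    return "hold" if c.legal_hold else "delete"

def run_retention_sweep(cands: list[Candidate], now: datetime,
                        user: str = "retention-timer", ip: str = "10.0.0.1") -> dict:
    decisions = {c.cid: retention_decision(c, now) for c in cands}
    for cid, d in decisions.items():
        if d == "delete":
            audit(user, "delete", cid, ip, now)  # deletions are themselves logged
    return decisions

def demo() -> dict:
    # Constructed sample records, not real candidate data
    now = datetime(2026, 6, 1, tzinfo=timezone.utc)
    cands = [
        Candidate("c1", "unsuccessful", now - timedelta(days=400)),                   # expired: delete
        Candidate("c2", "unsuccessful", now - timedelta(days=400), legal_hold=True),  # expired but held
        Candidate("c3", "unsuccessful", now - timedelta(days=400), now - timedelta(days=30)),  # re-consented
        Candidate("c4", "unsuccessful", now - timedelta(days=100)),                   # within 12 months
        Candidate("c5", "hired", now - timedelta(days=800)),                          # out of scope
    ]
    return run_retention_sweep(cands, now)
```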

How Treegarden handles each point

Treegarden ships UK-GDPR compliant by default:

  • Consent capture template configured for the UK on the application form
  • Automated retention timer (default 12 months for unsuccessful applicants)
  • 1-click subject access export
  • Audit log on every record action
  • EU + UK data residency on request
  • Published DPA with quarterly sub-processor list
  • Breach notification process documented
  • AI-screening (Edera AI) DPIA template provided for download in the admin console

Common ICO audit findings

  • No documented retention period for application data
  • Subject access requests handled manually, missing 30-day deadline
  • Unclear lawful basis for keeping rejected candidates' CVs
  • No DPIA for any AI used in screening
  • DPA not signed with ATS vendor (or signed but not retained)
  • Sub-processor changes not communicated to data controllers

Frequently asked questions

What's the most important factor when choosing a UK-GDPR compliant ATS in the UK?

Match to the top three UK-specific operational needs: UK-GDPR compliance, Right-to-Work workflow integration and your sector's regulatory checks (DBS for child-facing roles, NMC/GMC for clinical, IR35 for contractor-heavy hiring). Generic global ATS platforms often miss one of these and force manual workarounds.

Should I prefer a UK-built or US-built platform?

UK-built platforms typically have better default UK compliance (RTW, IR35, KCSIE) but smaller integration ecosystems. US-built platforms have more integrations but often need manual GDPR configuration. Treegarden is EMEA-built with native UK + EU + NA coverage and a balanced integration ecosystem.

Is there a UK-specific ICO requirement when choosing ATS software?

The ICO does not certify ATS platforms specifically, but under UK-GDPR Article 30 you must record processing activities and have a Data Processing Agreement (DPA) with any third-party processor. Pick a vendor that publishes their DPA, supports UK data residency on request, and has documented breach notification within 72 hours.

How long does evaluation typically take in the UK?

2-4 weeks for SMB platforms is standard. Watch out for vendors that gate everything behind a sales call: it can extend evaluation to 6-8 weeks unnecessarily. Vendors with public pricing and a free trial typically halve evaluation time.

What about Brexit implications for UK ATS data?

EU-to-UK data transfer relies on the UK adequacy decision (currently extended to 2027). For UK companies handling candidate data of EU residents, you must continue to comply with EU-GDPR; UK-GDPR is materially equivalent. Pick a vendor that supports both data residency regions.

See Treegarden in 25 minutes

UK demo with our team. Public GBP pricing, no setup fee, ATS plus HR module, Edera AI for ethical screening, UK-GDPR + Right-to-Work + IR35 built in. Live in 1-3 working days.
