GDPR Compliance

Disclaimer: CATS Software, Inc. is not a law firm. Any statements or information from us are the results of internal research and should not be considered legal advice. Companies should seek their own legal advice regarding GDPR compliance.


Update: The GDPR is now in effect worldwide! CATS now has the ability to track candidate consent for our users. Learn about consent tracking and the rest of our GDPR-friendly features in our Knowledge Base.


On May 25th, 2018, the EU will begin enforcing a new set of data privacy and protection laws known as the General Data Protection Regulation, or GDPR. The new legislation standardizes data protection laws pertaining to all EU citizens for companies and organizations across the globe. GDPR compliance is required of any company that handles the personal or private data of individuals belonging to the EU.


Data Storage and Disposal According to the GDPR

The primary goal of GDPR is to protect the private data of EU citizens. This is achieved by limiting the type of personal data that can be stored by organizations, as well as how long they can hold onto that data. Under the GDPR, companies, organizations, and individuals are encouraged not to process more personal data than is necessary, or store personal data for longer than is necessary to complete a specific task.

These rules (known as data minimization) were created to ensure that companies do not collect more than what is necessary to perform their intended function, keeping the impact of breach and theft to a minimum.

Private data should not be kept past the point of necessity. Though the documents do not define a specific amount of time, Article 5 of the GDPR requires that data be promptly and thoroughly deleted upon completion of the task(s) said data was collected for.

In addition, all private data about an individual, known as the data subject, must be made available to the individual upon request.

Policies stated in the GDPR are effective retroactively, meaning any currently-stored private data on EU citizens should be reviewed to ensure compliance with GDPR before it takes effect on May 25th.


What does the GDPR mean for recruiters, in particular?

There are several key points in the GDPR framework that affect recruiters.

For starters, there are now three defined roles that are directly involved in the recruiting process: the data subject, data controller, and data processor.

  • The Data Controller is the company or organization that defines the type/amount of personal data required to complete a task, as well as the task itself. A data controller may be an organization or an individual (in the recruiting industry, that means it can be an agency or independent recruiter, respectively) as it’s simply whoever makes the decision on what information to gather.

  • The Data Subject is described as anyone whose identifiable data is involved in a process. Identifiable data means much more than personal descriptors, such as names and ethnicities. IP addresses, routing numbers, mailing/residential addresses, educational backgrounds, and anything else that can be used to discover more details about a person is considered identifiable data.

    In short, the data subject is primarily your candidate and/or applicant and, to a lesser extent, the recruiter(s).

  • The Data Processor is the company that processes identifiable data, typically via software (e.g. applicant tracking systems, customer relationship management systems, etc.), at the instruction of the data controller. For recruiters that use our applicant tracking system, CATS is your Data Processor. Any software that stores and processes personal data for a specific task is considered a data processor, meaning it’s possible to have multiple data processors at once.

In addition to understanding these roles, it is important that recruiters review the type of information they are collecting from EU citizens, as well as their current disposal methods for said information. With the GDPR comes an updated and broader definition of the term “personal data,” which may retroactively affect the data recruiters are currently storing.

Official definitions for the above roles and more can be found in Chapter 1, Article 4 of the GDPR legislative document.


Is CATS GDPR-compliant?

We meet all the security requirements put in place by GDPR, as well as the previous law, EU Privacy Shield. We will continue to add tools to assist our customers in processing citizens’ requests for information, helping you remain compliant as well.


CATS and the GDPR

CATS already meets the security requirements put in place by the GDPR and other current data protection frameworks, such as the EU-US Privacy Shield agreement. CATS users do not need to worry about our compliance when the GDPR takes effect in late May 2018.

Our goal as your data processor is to assist you, the data controller, in remaining compliant. While CATS is not responsible for the compliance of data controllers, we are taking steps to make compliance quick and painless for data stored on our platform, including:

  • Adding a feature that allows for EU citizens to grant or deny consent to store their data
  • Tracking and displaying records of the date consent was given by an individual
  • Adding the ability for CATS users to sort stored information by date of consent, allowing the user to easily note when records must receive renewed consent or be deleted
  • Adding the ability to filter by date of consent to know when you need to contact the record again for renewed consent
  • Making it easy to compile and send individuals’ private data upon their request
  • Providing a tutorial and guidelines that ensure proper data deletion
  • Designating a data processor compliance office, along with updating our Terms of Service (ToS)

Preparing Yourself for GDPR

Stay ahead of the curve by implementing best practices in preparation of the GDPR. Take a look at our GDPR infographic, created to help you start off compliance right.

Frequently Asked Questions

When will the GDPR take effect?

The GDPR will take effect in all EU countries, simultaneously, on May 25th, 2018.

If I’m using CATS, but not in the EU, does the GDPR apply to me?

Yes — compliance is required for any organization that processes personal and private information belonging to an EU citizen.

What about the data I’ve stored prior to the GDPR taking effect?

The GDPR is retroactively effective. Any personal data belonging to an EU citizen is subject to the GDPR, regardless of when it was obtained.

Does this extend to the UK?

Yes. Though the United Kingdom has planned to leave the EU, their exit does not occur until March 29th, 2019, with an additional “transition period” from March 29th, 2019 to December 31st, 2020, meaning UK citizens are covered under the GDPR until January 1st, 2021.

What happens if I’m not compliant?

Penalties for non-compliance may vary. The highest penalties amount to 4% of your company’s annual revenue or €20 million, whichever is greater. Other penalties may include warnings or reprimands.

What do I need to do to be compliant?

To be compliant, you must only store the data of an EU citizen for as long as their information is necessary to a specific task. This is typically no longer than 30 days after the position they applied for has been filled. Organizations must also comply with a citizen’s requests to view or delete their data.

Does this apply for sourced candidates?

Yes. Going forward, any candidates you source should also be notified within a reasonable amount of time. This is typically within 30 days. You may also want to notify any citizens you are currently storing data on that did not explicitly apply for a position.

Are the GDPR and Privacy Shield the same thing?

No, though both involve the concept of EU citizens’ personal data. Under Privacy Shield, the law mandates that EU citizens’ data must be stored on EU soil. Companies (like CATS) that are based in the US must comply with Privacy Shield security regulations in order to serve customers in the EU. This is known as the EU-US Privacy Shield Agreement. The GDPR, however, is a new set of regulations that pertain to the storage of private EU citizen information. Unlike the Privacy Shield, the GDPR is mandatory for all organizations, regardless of location, that handle private information about an EU individual.


CATS is committed to data safety and compliance with data-protection regulations around the world. We will continue to update our platform as new responsibilities arise, ensuring that you always feel confident with CATS as your recruiting software.