TL;DR: UK SMEs evaluating an applicant tracking system need to prioritise GDPR-compliant candidate data handling, right-to-work check automation, and equality monitoring alongside standard recruitment workflow features.
Last reviewed: 12 May 2026
Why UK SMEs Need an ATS Built Around UK Compliance
Recruiting in the United Kingdom carries a compliance burden that generic, US-built applicant tracking systems frequently underestimate. The UK GDPR, administered by the Information Commissioner's Office (ICO), treats candidate personal data with the same rigour as employee data. The Equality Act 2010 requires employers to monitor protected characteristics without using that data in selection decisions. Right-to-work checks under the Immigration Act 2014, as amended by the Nationality and Borders Act 2022, impose specific document and digital verification requirements. An ATS that does not accommodate these obligations creates legal exposure from day one of a recruitment campaign.
UK SMEs often lack in-house legal teams to patch compliance gaps left by a vendor. Choosing an ATS with UK-specific features baked in is therefore a cost-avoidance decision as much as a productivity one. The CIPD's Recruitment and Selection Guide explicitly recommends that organisations document every stage of the recruitment process to defend against discrimination claims, which requires an ATS capable of generating audit trails against each vacancy and candidate record.
GDPR and ICO Rules for Candidate Data
Candidate data is personal data under the UK GDPR. This creates five obligations that an ATS must be able to enforce without manual workarounds.
First, the lawful basis for processing must be established before collecting any data. Most ATS implementations rely on legitimate interests or, where the candidate actively applies, the performance of pre-contractual steps. The ICO's Legitimate Interests Guidance makes clear that a legitimate interests assessment (LIA) is required and must be documented. A compliant ATS should either host this record or integrate with a governance tool that does.
Second, retention periods must be enforced automatically. The ICO's guidance on recruitment data notes that retaining unsuccessful candidate CVs beyond six months without explicit consent is high-risk. A compliant ATS will have configurable retention rules that trigger anonymisation or deletion at a defined point post-rejection, with an audit log of the action taken.
Third, where consent is sought for speculative future roles, the ICO requires that consent be freely given, specific, informed, and unambiguous. Pre-ticked boxes or bundled consent clauses buried in application forms do not meet this standard. An ATS should generate a compliant consent request as a separate, documented step.
Fourth, subject access requests (SARs) from candidates must be fulfilled within one month. An ATS that cannot produce a complete export of all data held against a named individual creates a compliance bottleneck.
Fifth, data minimisation applies to application forms. Collecting date of birth, photograph, or marital status at application stage is rarely justifiable and increases discrimination risk. The ATS should allow form configuration that strips these fields by default.
Right-to-Work Check Workflows
Since April 2022, UK employers have been able to use certified Identity Document Validation Technology (IDVT) providers to conduct digital right-to-work checks for British and Irish citizens holding a valid passport or Irish passport card. The Home Office Right to Work Checks Employer's Guide sets out which document types are acceptable and what the employer must retain.
An ATS that integrates directly with a certified IDVT provider, or that at minimum generates a structured checklist and stores a timestamped record of the check against the candidate record, reduces the risk of a civil penalty of up to £60,000 per illegal worker (as of 2024 rates; verify current penalties at gov.uk before relying on this figure). The ATS should also flag visa expiry dates for candidates on time-limited leave to remain and generate a reminder workflow for repeat right-to-work checks before expiry.
For overseas candidates requiring a Certificate of Sponsorship, the ATS should capture the vacancy's Standard Occupational Classification (SOC) code and Shortage Occupation List status, both of which affect the Skilled Worker route salary threshold.
Advertisement
Equality Monitoring and the Equality Act 2010
The Equality and Human Rights Commission advises employers to monitor recruitment outcomes by protected characteristic in order to detect patterns of indirect discrimination. However, the data used for monitoring must be firewalled from the selection decision itself. An ATS should collect equality monitoring data on a separate, anonymous form that is not accessible to hiring managers reviewing applications.
The ATS reporting module should be able to produce a diversity funnel report showing drop-off rates at each stage (applied, shortlisted, interviewed, offered) broken down by protected characteristic. Where the funnel shows a statistically significant disparity, this is a trigger for an equal pay audit or process review under EHRC guidance. For businesses with 250 or more employees, gender pay gap reporting under the Equality Act 2010 (Gender Pay Gap Information) Regulations 2017 requires payroll-linked data; an ATS that integrates with payroll software (see Best Payroll Software UK) can automate the headcount and quartile calculations.
Key Evaluation Criteria: Workflow, Integration, and Pricing
Beyond compliance, UK SMEs should evaluate an ATS against five operational criteria.
Workflow configurability: A growing SME needs to handle both volume hiring (retail, hospitality) and specialist hiring (finance, engineering) within the same system. The ATS should support multi-stage pipelines with conditional triggers, such as automatically sending a technical assessment link when a candidate passes telephone screening.
Payroll integration: At offer stage, the ATS should push accepted candidate data directly to the payroll system to create a starter record, eliminating manual rekeying. This is especially important for businesses using HMRC's RTI submission framework, where a P45 or starter checklist must be processed accurately on or before the first payment date.
Job board distribution: UK SMEs rely heavily on Indeed, Reed, Totaljobs, and CV-Library. An ATS that distributes to these boards from a single vacancy record, and that de-duplicates applications from multiple sources against the same candidate profile, saves significant administrative time.
Interview scheduling: Calendar sync with Microsoft 365 or Google Workspace avoids the email-and-reply-all friction that causes candidates to drop out. Automated reminder emails reduce no-show rates, which the CIPD estimates cost UK employers an average of one hour of recruiter time per missed slot.
Pricing structure: Most UK ATS vendors price per active vacancy, per recruiter seat, or per hire. For SMEs with seasonal hiring spikes, a per-vacancy or per-hire model is preferable to a flat monthly seat fee that becomes expensive during quiet periods.
ATS Pricing Models in the UK Market
ATS pricing in the UK market ranges from free tiers (typically capped at a small number of active job postings or users) to per-seat enterprise contracts that include implementation, dedicated support, and custom integrations. For a UK SME hiring 20-100 people per year, the relevant pricing models are:
| Model | Typical cost (2026) | Suitable for |
|---|---|---|
| Free tier | £0 | Under 5 active roles; limited GDPR controls |
| Per-job posting | £20-£80/role/month | Seasonal or low-volume hiring |
| Per-user (recruiter seats) | £50-£200/seat/month | In-house HR teams with 2-10 recruiters |
| Annual licence (all-in) | £3,000-£15,000/yr | 50-500 employee businesses with consistent hiring |
Beyond the base price, evaluate: onboarding and implementation fees (often £500 to £2,000 for SME tiers), data migration costs if moving from a legacy system, and whether GDPR compliance features (automated purge, consent management, DSAR export) are included in the standard tier or gated behind an enterprise plan.
ICO Certification and Data Processor Agreements
An ATS vendor processes personal data on behalf of the employer, making the employer the data controller and the vendor the data processor under UK GDPR Article 28. This requires a written Data Processing Agreement (DPA) that specifies the subject matter, duration, nature, and purpose of the processing. Reputable ATS vendors will have a standard DPA available; verify that it covers sub-processors (particularly cloud hosting providers) and that sub-processors are based in adequate third countries or covered by appropriate transfer mechanisms.
Where an ATS vendor is ISO 27001 certified or holds Cyber Essentials Plus, this provides some assurance of information security controls, though it does not substitute for reviewing the DPA and the vendor's data residency commitments. UK public sector employers and those handling NHS or government contracts should confirm that candidate data is processed within the UK or EEA.
ATS Selection Checklist for UK SMEs
Before issuing an RFP or starting a free trial, SMEs benefit from scoring vendors against a structured set of UK-specific criteria. The following are the highest-weight factors based on CIPD guidance and ICO compliance requirements:
- Configurable candidate data retention and auto-deletion workflows.
- Disaggregated consent collection for diversity monitoring data.
- Right-to-work check integration with a Home Office-certified IDVT provider.
- Anonymised shortlisting mode to support blind CV review.
- Two-way integration with the employer's payroll or HRIS platform.
- UK-hosted or UK/EEA data residency option to simplify UK GDPR compliance.
- Subject access request export function that covers all candidate data fields.
Editorial Disclaimer
This guide is informational only and does not constitute regulated financial, legal, or tax advice. Software requirements change as regulations evolve; verify current obligations directly with the named regulator before making procurement or compliance decisions.
Frequently Asked Questions
How long can a UK employer keep unsuccessful candidate CVs?
The ICO's position is that retaining unsuccessful candidate CVs beyond six months without fresh, specific consent from the candidate is high-risk under UK GDPR. An ATS should be configured to trigger anonymisation or deletion at the six-month mark automatically. If the employer wishes to retain data for future roles, a separate and compliant consent workflow is required, and candidates must be able to withdraw consent at any time.
Is a Data Processing Agreement mandatory when using an ATS?
Yes. Under UK GDPR Article 28, any vendor processing personal data on your behalf must be governed by a written contract that sets out the scope, nature, and purpose of the processing. An ATS vendor that cannot provide a compliant DPA should not be used to process candidate data regardless of its other features.
Can an ATS conduct right-to-work checks directly?
An ATS can integrate with a certified Identity Document Validation Technology (IDVT) provider to conduct digital right-to-work checks for British and Irish citizens. The ATS itself is not the IDVT; it is the workflow layer. The Home Office maintains a list of certified IDVT providers at gov.uk. For non-UK/Irish candidates, manual document checks remain required in most cases.
What equality monitoring data should an ATS collect?
The EHRC recommends collecting data on the nine protected characteristics under the Equality Act 2010: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation. This data should be collected via a separate anonymous form, stored separately from the application record, and accessible only to those responsible for diversity reporting, not to hiring managers.
Does an ATS need to integrate with payroll software?
Integration is not a legal requirement but is strongly advisable. When a candidate accepts an offer, their personal data, salary, start date, and tax code information need to reach the payroll system before their first payment date for RTI purposes. Manual transfer introduces rekeying errors and delays. An ATS with a direct API connection to payroll software eliminates this friction and reduces the risk of a late or incorrect RTI submission to HMRC.
Frequently asked questions
How long can a UK employer keep unsuccessful candidate CVs in an ATS?
The ICO's position is that retaining unsuccessful candidate CVs beyond six months without fresh specific consent is high-risk under UK GDPR. An ATS should be configured to trigger anonymisation or deletion at the six-month mark automatically. If retaining data for future roles, a separate compliant consent workflow is required and candidates must be able to withdraw consent at any time. Documented retention rules form part of an Article 30 record of processing. ICO employment practices guidance is at ico.org.uk.
Is a Data Processing Agreement mandatory when using an ATS?
Yes. Under UK GDPR Article 28, any vendor processing personal data on the employer's behalf must be governed by a written contract setting out scope, nature, and purpose of processing. An ATS vendor that cannot provide a compliant DPA should not be used to process candidate data regardless of other features. The DPA must cover sub-processors (typically cloud hosting providers) and the controls applied to international transfers where data leaves the UK or EEA. ICO publishes a model DPA.
Can an ATS conduct right-to-work checks directly?
An ATS can integrate with a Home Office certified Identity Document Validation Technology provider to conduct digital right-to-work checks for British and Irish citizens with valid passports. The ATS is the workflow layer, not the IDVT. The Home Office certified provider list is at gov.uk. For non-UK and non-Irish candidates, share code verification through gov.uk online checking is the standard route. Records must be retained for two years after employment ends.
What equality monitoring data should an ATS collect?
The EHRC recommends collecting data on the nine protected characteristics under the Equality Act 2010: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation. This data must be collected via a separate anonymous form, stored separately from the application record, and accessible only to those responsible for diversity reporting, not to hiring managers. EHRC guidance is at equalityhumanrights.com.
Does an ATS need to integrate with payroll software?
Integration is not a legal requirement but is strongly advisable. When a candidate accepts an offer, their personal data, salary, start date, and tax code information must reach the payroll system before their first payment date for Real Time Information purposes. Manual transfer introduces rekeying errors and risks late or incorrect RTI submissions to HMRC. An ATS with direct API connection to payroll software eliminates this friction and supports a clean audit trail at hire.
How we verified this guide
Drafted using primary-source UK regulatory data from the ICO's UK GDPR guidance on recruitment data, the CIPD's Recruitment and Selection Guide, the Home Office Right to Work Checks Employer's Guide, and the Equality and Human Rights Commission's employer guidance on the Equality Act 2010. Reviewed 12 May 2026. Editorial position consistent with other Kael Tripton coverage of UK business software compliance.
