Coming from Workday Recruiting? See the 12-step escape guide → Read it
Stage 2 · 17 min read read · Last reviewed 2026-05-23

How to Configure Your ATS for Both GDPR and OFCCP Compliance: A Checklist for Compliance Officers

How to Configure Your ATS for Both GDPR and OFCCP Compliance: A Checklist for Compliance Officers

A practical guide to automating consent, retention schedules, and audit trails in your applicant tracking system. With vendor verification rules to avoid legal risk.

Maxime Yao, research editor · Published 2026-05-23

1. The Compliance Trap: GDPR Erasure vs. OFCCP Retention

GDPR can fine you 4% of global annual revenue or €20 million. OFCCP requires federal contractors to keep job slate records for recordkeeping. One says delete on request. The other says keep for up to two years. Most ATS configurations handle one regulation but not both. That gap is legal exposure.

TL;DR Your ATS settings, not your vendor’s marketing, determine whether you avoid GDPR fines and OFCCP penalties. Configure for both or accept one of the risks.

The DUAL-COMPLIANCE ATS CONFIGURATION FRAMEWORK starts by reconciling three specific settings:

Data retention schedules: Configure automated deletion rules that retain candidate records for the OFCCP-required duration but trigger erasure on valid GDPR requests. Use anonymization as a middle ground for analytics.

Consent management: Collect explicit, granular consent for each processing purpose. Documэкnt the consent record, allow withdrawal, and map it to the candidate’s profile for audit trails.

Audit trails and DPAs: Maintain immutable logs of all data access, sharing, and deletion. Ensure your ATS vendor provides a signed Data Processing Agreement (DPA) that clarifies liability and data subject rights. Don’t rely on feature checklists.

A compliance officer at a large U.S. Federal contractor needs to avoid losing federal contracts; an HR manager at an EU multinational needs to avoid the €20 million GDPR fine. Both vulnerabilities stem from the same ATS configuration gap.

Vendors like iCIMS, Greenhouse, and Lever claim dual compliance. That claim is meaningless if your retention schedules, consent flows, and audit logs aren’t set to match both mandates.

Action this week: Identify which regulation your current ATS settings currently address. If you only deleted records on erasure requests, you lost OFCCP proof. If you retained everything indefinitely, you exposed yourself to GDPR.

Alt: Before-after comparison of a single-compliance ATS configuration (only one regulation) versus a dual-compliance configuration that adds retention schedules, consent checkboxes, and an audit log toggle.

+-------------------+ +-------------------------+
| BEFORE: | --> | AFTER: |
| Single-compliance | | Dual-compliance ATS |
| ATS | | + retention schedules |
| (e.g., only GDPR) | | + consent checkboxes |
| | | + audit log toggle |
+-------------------+ +-------------------------+
flowchart LR
 A["BEFORE: Single-compliance ATS\ne.g., only one regulation"] -->|"Adds retention schedules,\nconsent checkboxes, audit log"| B["AFTER: Dual-compliance ATS\nGDPR + OFCCP configured"]

2. GDPR Requirements: What Your ATS Must Do for Candidate Data

Given the tension between erasure and retention, what does GDPR actually demand from your ATS? Six principles from Article 5 govern every candidate data point: lawfulness, transparency, purpose limitation, data minimisation, storage limitation, and integrity/confidentiality. Each maps to a tangible feature your ATS must support.

Your ATS is the system that processes candidate data on your behalf. Under GDPR, you are the controller; the vendor is the processor. That relationship requires a Data Processing Agreement (DPA) that specifies liability and data handling. Many vendors claim GDPR compliance but shift all risk back to you through one-sided DPAs. The features are what make the law real.

GDPR Principle (Art. 5)What It Means for RecruitmentRequired ATS Feature
Lawfulness, fairness, transparency (Art. 5(1)(a))Candidates must know who processes their data, why, and for how long.Consent collection with clear language at application point.
Purpose limitation (Art. 5(1)(b))Data collected for hiring cannot be reused for marketing without new consent.Separate consent toggles for screening, pipelining, and feedback.
Data minimisation (Art. 5(1)(c))Collect only what is necessary for the role.Configurable application fields per job type.
Storage limitation (Art. 5(1)(e))Delete data when no longer needed.Automated retention schedules with configurable time windows.
Integrity and confidentiality (Art. 5(1)(f))Protect against unauthorised access or breach.Role-based access controls, audit logs, encryption at rest and in transit.

Beyond these baseline features, Article 35 mandates a Data Protection Impact Assessment (DPIA) for processing that is likely high-risk. Large-scale recruitment data processing qualifies. If your ATS vendor cannot provide a standard DPIA template or refuses to support the assessment, you are exposed.

A DPIA is not optional. If your ATS vendor doesn’t support one, you are exposed.

Vendors like Avature explicitly offer GDPR and data residency controls. That is the level of depth required. For an HR manager at an EU multinational, or an enterprise HRIT director managing cross-border data flows, the checklist is non-negotiable: consent portal, retention automation, audit trails, and DPIA support.

Action this week: 1. Open your ATS settings and confirm a candidate self-service portal exists for erasure requests. 2. Pull your current retention schedule and verify it matches GDPR’s storage limitation principle. 3. Request your vendor’s standard DPIA template. If they cannot provide one within 48 hours, escalate to legal.

3. OFCCP Requirements: What Federal Contractors Must Retain

OFCCP requires federal contractors to retain job slate records for approximately two years after each hiring action (41 CFR 60-1.12). GDPR demands deletion within that same window. The tension is not theoretical. It appears in every cross-border recruitment pipeline.

For the worked example. A mid-size EU-based federal contractor using iCIMS to recruit for a U.S. Government project. The compliance officer must configure the ATS to support both mandates without breaking either one.

The ATS must capture three specific data categories:

  1. Job slate records. Every applicant who applied for a federal contract role, including name, contact details, application date, and disposition (hired, rejected, withdrawn). Retained for two years after the hiring decision.

  2. EEO reporting data. Race, ethnicity, gender, and veteran status. Collected voluntarily and stored separately from the hiring decision to avoid bias, but retained for audit purposes.

  3. Audit trail logs. Who viewed each record, when, and why. Must be immutable and exportable for OFCCP inspections.

Enterprise ATS platforms like iCIMS, Greenhouse, and Lever claim OFCCP compliance out of the box 1. But compliance is a configuration, not a setting. The GDPR right to erasure must be overridden for these specific data points, while still executing deletions on non-federal-contract candidates.

The reframe: OFCCP compliance is about structured data. Job slate records, EEO reports, and audit trails. It does not require storing full resume PDFs or interview notes beyond the two-year window. Configure your ATS to retain only what the regulation demands. Delete or anonymize everything else.

Greenhouse offers AI-driven bias detection that also supports OFCCP’s equal opportunity mandates. For organizations needing full data control, Oracle and SAP provide on-premise deployment options. 46.2% of the ATS market still runs on-premise, concentrated in regulated industries 2.

Memory line: OFCCP wants records. GDPR wants deletion. Your ATS must do both. On the same candidate, at the same time.

Action this week: Open your ATS admin panel. Check if it can generate EEO-1 reports and apply separate retention policies by job requisition. If not, schedule a config change with your vendor before the next federal contract submission.

4. The Dual-Compliance ATS Feature Checklist

Most ATS compliance checklists are vendor marketing dressed as guidance. This one is built from regulatory requirements, not product brochures. The six features below are non-negotiable for any organization that must satisfy both GDPR and OFCCP.

Six features. One checklist. No guesswork.

FeatureGDPR RequirementOFCCP RequirementVendor Example
Automated data deletionStorage limitation (Art. 5(1)(e)); right to erasure (Art. 17)Must retain job slate data for two years after hiring action (41 CFR 60-1.12)iCIMS, Greenhouse
Consent managementLawful basis for processing (Art. 6); explicit consent for sensitive dataNot directly required, but EEO self-identification needs clear opt-inLever, Phenom
Audit logsDemonstrate compliance (Art. 5(2)); accountability principleRequired for OFCCP audits: track every action on applicant dataAvature, iCIMS
Data Processing Agreement (DPA)Mandatory for any third-party processor (Art. 28)Implicitly required if vendor stores federal contractor dataiCIMS, Workday
Role-based access controlNeed-to-know basis (Art. 5(1)(c)); data minimisationPrevents unauthorized access to protected applicant dataGreenhouse, Lever
Candidate self-service portalRight of access (Art. 15); right to rectification (Art. 16)Not mandated, but supports EEO data collection transparencyAvature, Phenom

For our worked example. A mid-size EU-based federal contractor using iCIMS to recruit for a U.S. Government project. The checklist maps directly. ICIMS offers OFCCP, EEO, GDPR, and SOC 2 compliance. The contractor must configure automated data deletion to respect GDPR erasure requests while retaining OFCCP-required job slate data. ICIMS’s audit logs and role-based access controls satisfy both regulators. The vendor’s DPA must be signed and stored.

The Enterprise HRIT director needs global compliance coverage across jurisdictions. Workday Recruiting provides built-in support for multiple regulatory frameworks, including GDPR and OFCCP. The SME owner in a regulated industry, by contrast, should verify that even a cost-effective ATS like SmartRecruiters includes consent management and audit trails. Avature’s deep GDPR and data residency expertise makes it a strong choice for EU-heavy operations.

If your ATS lacks any of these six features, you have a compliance gap.

Run this checklist against your current ATS configuration before your next recruitment cycle. Map each feature to your vendor’s documentation. If a feature is missing, escalate to your legal team and demand a remediation timeline.

5. How to Verify Vendor Compliance Claims (Don’t Trust the Marketing)

Every ATS vendor in this market slaps “GDPR compliant” on their website. The claim costs nothing to print. The liability still sits with you.

The DPA is the only document that transfers responsibility. A Data Processing Agreement is a legally binding contract between you (the controller) and the vendor (the processor). It specifies exactly how candidate data is handled, who is liable for breaches, and how data subject rights are upheld. Without a signed DPA, vendor marketing is noise.

Here is how to verify claims with documents, not brochures:

  1. Request the SOC 2 Type II report. iCIMS and Phenom both claim SOC 2 compliance. A Type II report covers controls over at least six months. Ask for the full report, not the summary letter. If the vendor hesitates, that is a red flag.

  2. Demand a signed DPA before procurement. This is non-negotiable for any EU-based contractor processing candidate data. The DPA must specify data retention periods, erasure procedures, and breach notification timelines. Avature offers GDPR and data residency compliance explicitly. Their DPA should reflect that.

  3. Run a demo with a test candidate. Create a fake applicant. Fill out a consent form. Then request erasure under GDPR Article 17. Watch what happens. Does the system delete the record within 30 days? Does it retain metadata for OFCCP audit purposes? The demo reveals what the certification document hides.

  4. Check data residency commitments. For the worked example. An EU contractor using iCIMS for U.S. Government recruiting. Confirm where candidate data is stored. Avature and Phenom both offer data residency controls. If the vendor stores EU candidate data on U.S. Servers without Standard Contractual Clauses, you have a GDPR violation before the first hire.

Enterprise HRIT directors at regulated firms often rely on vendor reputation. SAP, Oracle. As a shortcut. That works for procurement risk, not compliance liability. A signed DPA from a smaller vendor beats a handshake from a household name.

Action this week: Email your ATS vendor’s legal team. Request the SOC 2 Type II report and a draft DPA. If they cannot produce both within five business days, escalate to your procurement team before the next recruitment cycle.

6. The Anonymization Workaround: Resolving the Erasure vs. Retention Conflict

GDPR says delete on request. OFCCP says keep job slate data for two years. These two mandates collide daily inside your ATS. The legal conflict is real, but the technical solution is simpler than most compliance officers assume.

Anonymization is the bridge. Strip personal identifiers from job slate records after the OFCCP retention period expires, but keep the depersonalized data for analytics and audit trails. Under GDPR, anonymized data is no longer personal data. The storage limitation principle (Article 5) no longer applies. The OFCCP recordkeeping requirement (41 CFR 60-1.12) is satisfied because the original personal data was retained for the mandated period. After that, you keep a useful but non-identifiable record.

For the worked example. A mid-size EU-based federal contractor using iCIMS to recruit for a U.S. Government project. This means configuring iCIMS to automatically run a scheduled job: after 730 days, strip name, email, phone, address, and CV content from each candidate record. The remaining fields (job code, source, disposition, timestamps) stay for EEO reporting and audit logs. No GDPR conflict remains. No OFCCP violation occurs.

On-premise ATS options like Oracle and SAP allow custom anonymization workflows with full data control. Cloud ATS platforms like iCIMS offer similar automation, but you must verify the configuration in a DPA.

How can I keep job slate data for OFCCP audits while respecting GDPR’s right to erasure?

Anonymize the record. Strip personal identifiers after the retention period, then keep the depersonalized data for analytics and audits. Anonymized data falls outside GDPR’s scope.

This is not a legal loophole. It is a straightforward technical configuration that respects both regulations. Configure your ATS to automatically anonymize candidate records after the OFCCP retention period expires.

Anonymization turns a legal conflict into a technical configuration.

7. Limits and Objections: Why This Framework Isn’t Foolproof

Three failure modes break the model.

  1. Insufficient DPA. Your vendor’s Data Processing Agreement may be expired or lack liability for cross-border transfers. For a mid-size EU federal contractor using iCIMS, the DPA must be verified annually. GDPR fines can reach 4% of global annual revenue.

  2. Automated deletion vs. OFCCP retention. Aggressive retention schedules can purge job slate data before the two-year OFCCP window closes. Calibrate carefully.

  3. Anonymization misconfiguration. Irreversible anonymization is required. A startup founder or SME owner in a regulated industry may assume “anonymized” means compliant. It does not.

Two counter-arguments weaken the urgency. GDPR compliance is standard in modern ATS platforms; the real risk is user misconfiguration. And OFCCP only applies to federal contractors, but state EEO laws may still impose recordkeeping duties. The framework is a starting point, not a finish line.

Action this week: Schedule a quarterly compliance review of your ATS configuration with your legal team.

8. FAQ: Common Questions About GDPR and OFCCP Compliance in ATS

Does GDPR apply to U.S. Federal contractors?

Yes, if you process personal data of EU residents. Even for a U.S. Government project. GDPR has extraterritorial reach (Article 3). Our worked example project faces both regimes simultaneously.

How long must I keep job slate data under OFCCP?

Common practice and regulatory interpretation suggest up to two years after a hiring action (41 CFR 60-1.12). Hedge: consult your legal team. The duration can vary by contract type and audit cycle.

Can I use a cloud ATS for both GDPR and OFCCP compliance?

Yes, with vendor certifications (SOC 2 Type II, ISO 27001) and a signed Data Processing Agreement. Cloud ATS vendors like iCIMS, Greenhouse, and Lever claim dual compliance. Verify in the DPA, not marketing copy.

What is a DPIA and do I need one for my ATS?

A Data Protection Impact Assessment (DPIA) is mandatory under GDPR Article 35 for processing likely to result in high risks to individuals. Applicant tracking qualifies. Run one before configuring consent flows or cross-border data transfers.

What happens if I fail an OFCCP audit due to ATS misconfiguration?

Potential loss of federal contracts and debarment from future bidding. Unlike GDPR’s 4% of global revenue fine, OFCCP penalties target business eligibility, not just cash. Structured audit trails from your ATS are your primary defense.

9. Closing: Compliance Is an Ongoing Process, Not a One-Time Setup

You configured the retention schedules. You signed the DPA. You think you are done.

You are not.

Regulations evolve. Vendors push updates that reset defaults. Your recruitment team may bypass consent flows under hiring pressure. The mid-size EU-based federal contractor using iCIMS to recruit for a U.S. Government project cannot afford a single audit cycle where the ATS falls out of alignment. That cycle could trigger fines of up to €20 million or 4% of global annual revenue (GDPR) and loss of federal contracts (OFCCP). Regulators are not impressed by last year’s configuration.

One audit cycle. One fine. Both avoidable with a quarterly ATS review.

Take three actions this week:

  1. Schedule a quarterly compliance audit of your iCIMS (or equivalent) configuration. Retention rules, consent logs, DPA expiry dates.

  2. Assign one person to monitor regulatory updates (GDPR guidelines, OFCCP changes) and vendor security notices.

  3. Run a test erasure and a test audit export every quarter. If the data survives erasure, you fail GDPR. If it disappears before two years, you fail OFCCP.

Compliance is an operational process, not a checkbox. Use the checklist from this article as your starting point, then schedule the first audit before your next recruitment cycle.


About the Author

This article was researched and written by the editorial team at [Publication Name], synthesizing regulatory guidance, vendor documentation, and industry reports cited throughout. No personal testing of ATS platforms was conducted; all feature claims are based on published vendor materials and market analysis as of June 2025.

Sources


Footnotes

  1. Darwinbox. https://darwinbox.com/blog/best-applicant-tracking-systems-enterprise. (2023)

  2. IMARC Group. https://www.imarcgroup.com/applicant-tracking-system-market. (2023)

Go Deeper