If you have reached this page, it probably means that you have already heard of the General Data Protection Regulation, otherwise known as the GDPR. Perhaps you are wondering how this applies to your business, and what steps you can take in order to be compliant by the implementation deadline on 25th May 2018, or maybe you just want a quick overview of the masses of information available online at the moment.

If you are a recruitment business, then there is no doubt that dealing with personal data forms a large part of your daily activities, whether it is dealing with information relating to your recruitment consultants (as employees) or relating to your candidates or contractors.

The purpose of this article is therefore to give you a quick overview of the obligations that recruitment agencies have regarding candidate data, and some useful tips to make sure you are doing all you can to comply with the GDPR.

The article is split into two sections, starting with how GDPR applies to recruitment businesses. Part two covers in-depth advice on how to prepare your recruitment agency for the May 2018 deadline.

Part 1: How does GDPR apply to Recruiters

What is personal data in the recruitment industry?

“Personal data” is any information relating to an individual (also called a “data subject” in the GDPR) which allows them to be identified.

The GDPR states that personal data includes a name, an identification number, location data, an online identifier, or by factors related to an individual’s physical, physiological, genetic, psychological, economic, cultural or social identity.

In the recruitment industry the following information collected about candidates is covered by the GDPR:

  • employment history
  • contact details
  • references
  • CVs
  • ID
  • evidence of right to work
  • education & diplomas
  • pay details
  • interview notes
  • psychometric test results

In what circumstances will the GDPR apply?

The GDPR applies when personal data is processed.

“Processing” is quite a wide definition and includes collecting, saving, using, deleting or sharing personal data belonging to your employees or your candidates.

Recruiters process data on a daily basis under #GDPR #CandidateConsent Click To Tweet

When working in recruitment, this is something that you do on a daily basis. A recruitment business will typically have the following processing activities under GDPR:

  1. Recording details of new CVs in a candidate database
  2. Conducting research on candidates to meet clients’ needs
  3. Sharing CVs between sourcers and consutants
  4. Transferring a CV over to clients
  5. Copying data about candidates from social media and the internet

As a recruitment agency, what GDPR obligations do you have?

As a recruitment company, you are considered a “controller” because you collect personal data as part of your business activities. This means that are responsible for what happens to that data.

Sometimes, you might even work with data processors who manage your candidates’ personal data on your behalf (for example, by hosting it on job boards, storing it in CRM tools, or backing up databases on cloud storage). They also need to respect the GDPR.

The GDPR says that you need to respect certain things to make sure that your dealings with candidate personal data is lawful.

For example, you need to make sure that all personal data is:

Recruitment Agency Obligations: Data Must Be… Practical Examples
Processed lawfully, fairly and transparently


Be open and honest with candidates and inform them about what you will do with their data. This also means you need to get their consent to process their data or evidence that you have legitimate reasons for doing so (i.e., business reasons or under a contract).
Only collected for a genuine reason that is relevant and proportionate For example, data is collected with a view to providing recruitment services and finding a job for your candidate. You should not collect masses of information about the candidate that has no relevance to the job hunt (for example, saving photos from their Facebook Page is probably not going to be relevant or proportionate).
Accurate and kept up to date


You should not record incorrect data, or data you are not sure about. Once a candidate has been placed, update their profile on your database. If a candidate tells you that their information has changed or wants you to correct or delete it, you should respect their wishes.
Kept for no longer than is necessary


For recruitment purposes, once a candidate has been placed or was unsuccessful at interview, you should consider deleting his/her personal data, unless you get their consent to keep their details in your system. As a general rule of thumb, you should regularly review your databases and consider deleting candidate details that you have held for over 2 years or check with them if they still want your services.
Stored in a secure and confidential way


You need to make sure that your IT systems contain appropriate technical or organisational measures to reduce risk of data leaks, cyber-attacks or misuse of personal data by employees.

Accountability & Sanctions

The GDPR says that if you process personal data, then you are accountable for the personal data you hold. This means that you are responsible for, and must be able to demonstrate compliance with the obligations set out in the table above.

Failure to do so means that you could be liable for fines of up to 4 % of your company’s global annual turnover or up to €20 million. A GDPR Working Group, known as the Article 29 Data Protection Working Party, which provides additional guidance on the rules in the GDPR [download the PDF here], has said that these amounts are not a fixed price-tag, but may depend on the severity of the any breach, the circumstances of the case, and whether your business had appropriate measures in place to respect the GDPR.

Ready to do candidate consent well? See how Obsequio can help your recruitment business manage consent.Obsequio for Recruiters

Part 2: What can Recruiters do in Practical Terms to Respect the GDPR?

There are a few practical steps that you can start to implement today to make sure that you are compliant with the GDPR before May 2018. Compliance is not just a tick box exercise which applies only on the day when a new law comes into force.

It is important to monitor your practices on a regular basis and evidence this (by keeping records). This applies not only to the GDPR but to all areas of corporate compliance. The ICO has published helpful guidance, but here is a quick overview of the necessities.

Internal Organisation

  • Set aside budget, time and a responsible person for dealing with the GDPR.
  • Designate a Data Protection Officer (or “DPO”) if you are dealing with large volumes of personal data or if you process sensitive personal data.
  • A DPO can either be an employee or a freelancer (such as an external consultant or independent lawyer).


  • Carry out an audit of how personal data is used within your company to find out what needs addressing to ensure GDPR compliance.
  • Sit down with each department to understand what personal data they collect, from whom, for what purposes, and how they deal with that data (i.e., any computer programs in place, whether they get candidate consent and where this is saved).
  • Be aware of any profiling practices (automated decision making about a candidate or individual) as this is not permitted under the GRPR unless you have certain safeguards in place.

The GDPR says that decisions are “automated” when they are made without human intervention. The GDPR states that decisions which are likely to have a significant impact on an individual or an impact on their legal position should not be carried out by automated profiling if the reason for this is to analyse or predict an individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Sensitive Data

  • Focus on whether you collect any sensitive / special data. This includes information about a candidate’s racial/ethnic origin, political or religious beliefs, trade union membership, health, sexual orientation, or data relating to criminal convictions.
  • Sensitive data can be unwittingly collected if your recruitment consultants research candidates on social media (e.g., photographs of candidates might reveal their religion or health status).
  • If you do collect sensitive data, extra care has to be taken (e.g., anonymising the data or seeking a candidate’s express consent).

Contracts & Insurance Policies

Your Contracts

  • Make sure that you have adequate GDPR data protection clauses in your client and candidate contracts
  • Include a well-drafted liability clause in your contracts to protect your company in the event of GDPR breaches or sanctions.

Third Party Supplier Contracts (Data Storage, Cloud-based Servers…)

  • Review and re-negotiate contracts with suppliers which involve personal data being transferred outside of the EU (e.g., Include standard contractual clauses for international data transfers).
  • Review and re-negotiate contracts with your supplier or third party data processers (e.g., draft obligations about deleting or returning data, defining what your supplier can actually do with the personal data you send them, and agree rules about how they should help you in the event of an audit, data breach, or the creation of a privacy impact assessment).


  • Check your insurance policies to see what cover you have for GDPR liability.
  • Ask for a copy of your suppliers’ insurance policies to check they also have GDPR cover.

As with all contracts, it might be wise to obtain legal advice on your agreements / GDPR clauses to make sure that you do not sign up to anything which might put your company at risk.

Documentation and Privacy Impact Assessments

Document your activities involving personal data to evidence compliance.

The GDPR actually sets out requirements in this respect – it is important to remember that if you can show compliance, sanctions for a breach might be less onerous.

The GDPR says that internal records should include: The name and details of your company, other data controllers or processors and your DPO (if applicable), an explanation of the purposes of the processing, a description of the categories of individuals and personal data that is processed, a summary of the categories of anyone likely to receive the personal data, details of transfers to countries outside of the EU (accompanied by evidence that the transfer compliant), how long you will retain the personal data plus details of data retention schedules, a description of any technical and organisational security measures that you have put in place.

Consider completing Privacy Impact Assessments (or “PIAs”).

A PIA is a document where you consider different categories of data, how they are processed and why, and whether the processing has any adverse impact on an individual’s privacy rights. A PIA allows you to evidence steps that you have taken to safeguard candidates’ privacy rights.

The GDPR says that it is compulsory to carry out a PIA when you are using new technologies, or if the processing might be considered as “high risk” (such as systematic and extensive processing activities, including profiling or large scale processing of sensitive personal data).

A PIA should contain specific information, and so it is often useful to seek advice from a GDPR expert to make sure your templates are fit for purpose.

For example, the GDPR says that a PIA should include: A description of the processing operations; the purpose of your processing activities; the ground for processing (e.g., consent or legitimate interests); an assessment as to why the processing is required and whether this need is balances the aim you wish to achieve, on one hand, and privacy rights on the other; an assessment of the risks to individual, such as staff or candidates; and a summary of the measures that you have put in place to reduce or eliminate risks of non-compliance.

Grounds for Processing

Ensure you have lawful grounds to process candidate personal data, such as consent, legitimate business interests or a contract. #RecruitmentGDPR Click To Tweet

Fellow GDPR expert, Kristy Gouldsmith, has already published a strong piece with detailed information about consent and grounds for processing on the Obsequio blog.

Ensuring that you have a legitimate ground to process personal data is a key in ensuring GDPR. This is where consent-as-a-service tools offered by companies such as Obsequio can be a lifesaver, meaning that this issue is taken care of, and you have more time to focus on what you do best – recruitment.

Responding to Data Protection Incidents

  • Implement robust procedures to deal with requests or incidents relating to personal data.
  • Respond to candidate requests about their data within a month
  • Ensure candidate data can be provided to them electronically – consider setting up a secure portal allowing candidate’s access and modification rights to their profile.
  • Implement IT systems allowing you to track data breaches (e.g. cyberattacks, hacking).

The GDPR obliges you to report a data breach to your supervisory authority (the ICO in the UK) within 72 hours, if the breach is likely to result in a risk to the rights and freedoms of your candidates. In some cases, you also need to tell your candidates about the breach.

A hacker you managed to stop is probably not going to need to be reported, but if the attempt was successful and resulted in your candidate database being available on public websites, this would most likely need to be reported.

  • Carry out proper database management.
  • Preventing unauthorised access or copying.
  • Implement regular data base cleaning to remove old data, seek fresh consent for expiring data and for correcting data that is out of date.

This is helpful not only from a GDPR perspective but also protects your business, confidentiality of your information and also increases the value of your database.

IT security & Privacy by Design

  • Guarantee the “ongoing confidentiality, integrity, availability and resilience” of your IT systems.
  • Audit your cloud service partners to make sure they are GDPR compliant.
  • Audit your connected objects and other IT devices, from servers, infrastructure to laptops, desktops and smartphones.
  • Ensure you can restore availability and access to personal data in a timely manner in the event of an incident.
  • Carry out and document regular testing to assess the effectiveness of your IT systems.
  • Ensure candidate data is stored in a way which enables them to exercise their right to portability (i.e., being able to have a copy of their data file that they can transfer to someone else).

You should make sure that personal data concerns are dealt with at the outset if you are planning any new IT or general projects which will involve:

  • Storing or accessing personal data;
  • Implementing any policies or strategies that have privacy implications:
  • Carrying out personal data sharing activities; or
  • Deciding to use personal data for new purposes:

The GDPR calls this “Privacy by Design”. To comply with the GDPR:

  • Involve Legal / your DPO at the start of your project and keep them informed.
  • Make sure that privacy is a key concern at the outset of any new system of policy involving personal data.
  • Design your systems around data protection compliance.

Privacy by Design means that any potential problems are addressed early on, which will avoid in delay to your project, keep costs down and maintain excellent customer service.

Training & Policies

  • Policies, procedures, and documentary evidence are key aspects of the GDPR
  • Maintain adequate and up-to-date policies on GDPR issues (such as IT security, data breach notifications, how you can mailshot candidates, social media use).
  • Ensure data protection policies are accessible to your management and employees.
  • Make your staff aware of your GDPR obligations as a company and their obligations as recruiters (e.g., via regular training, linking data protection knowledge to promotions…).

As we have seen, the supervisory authorities are likely to go easier on penalties if you can show that you have done your best to respect the GDPR by having all the tools in place.

A way to evidence your best efforts can be to outsource the drafting of your policies and procedures and your internal training to GDPR experts or qualified lawyers.

GDPR Compliance is Positive for your Business!

GDPR Compliance might seem difficult, but once you have built these practices into your day-to-day activities, they will become second nature. Plus it will be a real selling point for clients and candidates! Compliance shows your stakeholders that you:

  • Take the law and the GDPR seriously.
  • Evidences your respect for candidate privacy.
  • Guarantees high-quality candidate information which is a reflection on your recruitment services.
  • Are tech-savvy: in a growing digital world, GDPR compliance (especially in areas such as IT security) is helpful for your business generally in the fight against data leaks, cyber-attacks and hacking.

There are many free tools available on the Internet to help you comply with your GDPR obligations, and there are even possibilities to obtain official GDPR Certification. However, it is nonetheless helpful to be accompanied by a qualified GDPR expert (either in whole or in part) to make sure you are doing things right.

This article is for guidance only and does not constitute definitive legal advice.

Charlotte Gerrish

About Charlotte Gerrish

Charlotte Gerrish is the founding lawyer of Gerrish Legal and has over 10 years of legal experience working in international law firms. Most recently, Charlotte held the position of Senior Legal Counsel at one of the world’s leading staffing, recruitment and consultancy companies. Gerrish Legal, an independent law firm, provides flexible, practical and cost-effective advice on all aspects of European, French and English commercial law and has particular expertise on Brexit issues, Contract Law, Data Protection & Privacy (GDPR), Digital, IT and Social Media Law, Intellectual Property Law, Brand Protection and Trade Secrets, Business and Gig-Economy Compliance and Dispute Resolution. You can find Charlotte on LinkedIn or at the Gerrish Legal website.

Leave a Reply

%d bloggers like this: