The recruitment industry divides opinion

The UK recruitment industry pumps £35bn into the economy every year. That is no small number. There are millions of people who found their current job through recruiters too. So why the melancholy, frustration or anger with such an economically valuable service?

Because of the other side of the industry: the recruiters who post fake jobs, use candidates to generate leads by finding out where else they’re interviewing, or send candidate CVs without permission or knowledge. Unfortunately, the list goes on, and as with all industries, the bad carries more weight than the good.

In a previous life I was a recruiter. I think I was a good one. I didn’t send more than a couple of CVs to fill each job, never invented a role or placed a fake ad, always disclosed the name of the client in advance etc.

Doing recruitment well is complex, not complicated. Be honest, be transparent, do well for your clients and candidates; that’ll do it.

Recruitment is a challenging job to get right. Selling a car or a house is arguably simpler: one side is a fixed thing, the other is the buyer. Recruitment has two buyers, two sellers and an intermediary trying to get the parts to fit.

With both parts moving, and the process inevitably involving some creativity and posturing (on both sides), it’s a tough job sometimes, and it is compounded for the good recruiters by the bad ones. It’s worth remembering that it’s not all malicious; for many it’s as simple as recruitment practices being out of step with the modern hiring experience.

The GDPR is offering the injection of quality that the recruitment industry needs. How much any recruitment firm benefits from the spirit of the regulation depends on how they answer one question:

Can I use legitimate interest as the legal basis for processing candidate data under GDPR?

Much discussion has been had over yes or no. If you do your research you will see that notable data privacy professionals (all active on LinkedIn), backed by sound interpretation of the GDPR, confirm that consent is the appropriate legal basis.

In recruitment consent is always an available option, for agencies and internal recruiters. And handily, it’s the most appropriate one too. You shouldn’t be thinking about legitimate interest. Consent puts the data subject (candidate) in charge of what happens to their data, and that starts unsurprisingly at the beginning of the relationship with a recruiter.

GDPR and candidate acquisition

Typically, when we talk about candidate acquisition, there are two ways it can happen. First up, data is proactively provided by a candidate.

A job seeker sends you their info:

  • registers their CV on your website
  • applies for a role directly on your website
  • applies for a role on one of the many job boards
  • emails a consultant
  • visits a branch

Consider any of the above, and consent isn’t onerous or prohibitive. It’s worth checking in with your job boards and/or aggregators to confirm how much information will be provided to candidates at the point of registering a CV on their site (their fair processing notice), and what information they’ll give on recruiters accessing data.

(To any job boards reading: if you haven’t already, letting candidates select between making their CV visible to direct employers and/or recruiters would be a good thing and would help reduce some of this friction.)

One job board promotes the fact that 6000+ direct employers search their site each month. What if I’m interested in those, rather than the 20,000+ recruiters that could potentially access my data?

Candidate consent

It comes back to doing consent well

Best practice would be for the job board to list all the 3rd parties that COULD access my CV and details. Tough ask. A review of some current privacy policies shows they’re still in need of some work – one of the household names for example makes no mention of recruiters accessing then processing candidate data, or that the recruiter will be a Data Controller. Fair Processing Notices may still be updated; however, it is your responsibility to own your candidate relationships.

Good Fair Processing Notices, appropriate internal policies and do consent well!

The responsibility and control are therefore yours. That’s a good thing. That allows your business to prepare, standardise, define & execute best practice.

Operationally, you can create the processes, the policies and the operational oversight to ensure all candidates are treated the same, irrespective of point of entry, and deliver a great candidate experience.

Hello, I’m interested

By providing you with data directly a candidate is expressing an interest in your services today, either generally or for a specific role. Today isn’t forever, and the data isn’t yours. Engage with your candidates, and if they’re not engaged, what value do they bring your business?

When I meet recruitment directors they often comment that consultants rarely go to the CRM database as first port of call to fill a new role. I did the same. Not because the candidates aren’t on the CRM, rather there were so many irrelevant profiles – CVs years old, dead contact details – it was easier to find fresh and active candidates online. Begs the question, why bother having a database full of personal data you’re responsible for?

You look good, I think I’ve got a job for you

Which brings us to the second mechanism; going out and getting candidates:

  • proactive job board searching and downloading
  • one or more of the services that scrapes data from external sources and pushes it into the CRM
  • headhunting through sites like LinkedIn
  • referrals from other candidates

Tread carefully

This is the area of most frustration. Recently, we ran a candidate survey asking questions about consent management preferences, sharing data with prospective employers etc. We had to stop as the responses predominantly bashed recruiters, which meant we weren’t comfortable trusting the quantitative data we were looking to use.

Think about going out and finding candidates and ask yourself two questions:

  1. Is it prohibitively complicated to capture consent from candidates?
  2. Do your legitimate interests in wanting to place me and make a fee outweigh my right to decide where my data is shared?

When you find a candidate that looks good, contact that candidate and talk about your services, and a specific role if you’ve got one, before adding the candidate to the CV landfill.

Do that, and when you kick off your consent process (whatever that might be) the candidate will expect it, dare I suggest welcome it, and you have started the relationship well.

If your CRM was full of candidates that are happy to work with you, that can only be a good thing. Additionally, for the recruiter on the ground, the database becomes the primary place to search for candidates – they are already there, with appropriate consents in place, ready to be contacted.

One consent doesn’t fit all

Consent isn’t a one-time thing. There are lots of types of consent. Broadly, for recruitment, I’d suggest:

  1. Baseline consent approving the recruiter to process the data
  2. Marketing preferences – can you contact me about job opportunities
  3. Role-specific consents – every role I’m put forward for, in advance, no exceptions.

When sending to a new client, it’s worth thinking about the information you’d like to provide the candidate – the company, the contact and role description, a link to that company’s Fair Processing Notice? More?

You’re responsible for your clients

It doesn’t take much searching on LinkedIn to see the complaints about recruiters using candidate data for their own purposes without consent. There’s also been a spike in end clients calling out recruiters for speculative CV sending (as a lead generation/business development tool). If you send a CV to a client, with personal data identifiable, the organisation you send that CV to is a Data Controller.

As a recruiter, there is an advantage that the client will be directly responsible for the data processing as a Data Controller. When the data is requested, all good. Where it’s speculative, is it reasonable to push responsibility where it may not be welcome?

Your clients are responsible too

The impact of the GDPR will result in more effort up front. I wouldn’t submit CVs to a client without agreed terms in place. You need to be clear on the type of relationship you have with your clients.

Equally, they need to be doing the same. If there’s no contract in place with you, and there’s no clear consent from the candidate – is the data transfer lawful? Answers on a postcard.

For any internal recruiters reading, this is an important consideration. You may be pitched by recruiters, as are direct hiring managers. How strong is the internal process to ensure it’s done right?

Collectively, responsibility to protect the rights of the individual, your candidates, is shared.

In summary

  • Consent is the appropriate legal basis for processing candidate data.
  • Consent must always be gained for sending CVs to clients.
  • Recruiters and clients share responsibility for candidates and their personal data.
  • The recruitment process should slow down, for good reason, when engaging a new candidate/client.

We’ll be hosting webinars over the coming weeks, specifically looking at recruitment (both agency and internal) that will go into more detail about the legal and operational impacts of doing consent well, protecting your business, your clients, and most importantly, your candidates.

If you’d like to be invited, check out our Fair Processing Notice then drop me an email – and we’ll keep you updated.

Phil Schofield

About Phil Schofield

Phil is Managing Director of Obsequio Software. He spent ten years in sales moving from car sales, through insurance brokering then four years as a contract recruiter. Knowing how much difference transparency can make to the customer experience led him to start Obsequio. Phil tackles the GDPR discussion from the customer perspective. Start there and work backwards from the customer experience to define your compliance strategy.


  • Alex says:

    Hi Phil, thanks for this – it’s really well written and addresses some really key points about GDPR. I would be interested to hear your take more on the CRM side. When you say your CRM often wasn’t your first point of call, do you mean to say that you’ve now changed your process? I would be interested to hear more.

    • Phil Schofield says:

      When I was a recruiter, if I got a new job on, I’d head to the job boards first to find the newest candidates. They could’ve been and probably were already in the company CRM, however, so was an unmanageable number of other CVs, so it’s easier to look outside first.

      It’s the most frequent complaint from recruitment Ops Managers; spend all the money on CRM and 3rd party apps to bring the data to the recruiters, and they still look outside.

      GDPR, if done well, should significantly trim the size of the CRM database, improve its quality and help make it a more attractive first port of call. Additionally, if a recruitment company chooses to do consent well, candidates on the CRM will have consent in place to be contacted about roles and the submission of their CV to a client will be a shorter process.

      All in all, a clean database full of relevant candidates with consents in place makes for a great place to start.

  • Rachel Coates says:

    I would disagree that consent is the most appropriate legal basis overall, although having said that it depends on at what point you are collecting consent. As an example, a candidate on a job board is expressing an interest in job seeking – we have an interest in placing them in a job. If we provide job seeking services we have to retain their details for a year due to the conduct regs (legal obligation). If we place them in a contract role we have to retain their details for 3 years after the last payment is made and can rely on performance of contract for however long their placement is. Additionally there have been cases where HMRC have conducted an investigation into a candidate who used a dodgy umbrella company 6 years ago. All of those build a pretty strong risk profile with regards to retaining data for a significant period of time (although not in full). That’s contract, but I would say consent would probably be the most appropriate for permanent candidates as the only reason for keeping their data past 1 year is for our own auditing purposes or with the view to place them again in a few years. The latter of the two isn’t necessarily in the candidate’s interest, to the same extent it is in ours (because it’s revenue for us) so we wouldn’t rely on legitimate interest for that.

    • Chris Richardson says:

      Hi Rachel. I agree with you completely. Each type of processing requires a different approach. In your example, consent is not the right basis for processing. However, where recruitment companies find a candidate’s CV on a job board (i.e. the candidate has not applied for a role) you would need consent to start sending the CV out to clients. This is why a business data map is so important.

  • Kevin McHugh says:

    Got to say sums up my views on the upside of GDPR. Improvement to industry standards all round.
