Recruitment and GDPR: 11 questions you need to answer now

Recruitment and GDPR aren’t exactly best friends…yet!

Recruitment businesses have built up huge databases over the years. They’ve captured all kinds of information from both candidates and clients. Some of it will have been very useful, some of it less so.

And they will have stored it in a variety of ways too, both physical and online.

What was the harm? It was better to have too much data than too little, right? It’s what made search and match useful. You never know when someone’s love of manga comics or the fact they have a pet lizard named Sammy might come in handy.

However, GDPR comes into effect on the 25th May 2018 and is the biggest change in data legislation for 25 years.

The fact you are here, however, means you want to see recruitment and GDPR become better friends. It’s certainly true we need to change some of our attitudes and practices. But it might not be as all-encompassing as you think. And by the end of this post, you may even see it as an opportunity.

But before we start, let’s get a few caveats out the way. I’m not a legal professional. I’m a recruitment marketer.

In the last 18 months, I’ve read up extensively on the subject and spoken to fellow marketers, lawyers, job boards, recruiters and associations. I’ve also attended conferences and seminars. My interpretation could very well be wrong.

But in reality, until it comes into effect no one knows for sure what the effect will be. However, based on my research, these are the questions I believe recruitment businesses should be asking right now.

What is the real risk of GDPR?

You’ve probably read the headlines. Huge fines of up to 4% of total global turnover. That could certainly put a lot of recruitment companies out of business.

But let’s give this some context. Under GDPR’s maximum, the £500,000 fine issued to Talk Talk in 2016 would have been closer to £59 million. The one issued to Pharmacy2U would go from £130,000 to £4.4 million. Given that they are a smaller company, this could easily have put them out of business.

But the number of fines actually issued is small. Also, interestingly, there’s never been a successful B2B prosecution. And if you look at these specific cases, they are for pretty serious breaches.

So what is the real risk of GDPR to recruitment then? Well, it’s likely to come from disgruntled candidates and clients. We’re all used to a certain amount of recruitment bashing. It goes with the territory. And GDPR will likely be another avenue for it.

But don’t therefore think I’m suggesting you ignore it. Quite the contrary. If your name is mentioned repeatedly to the ICO you could very well find yourself under investigation. A little preparedness now could go a long way to reducing any future headaches or, more likely, damage to your brand.

What’s the difference between GDPR and the DPA?

Ok, so we’ve covered the first major one: larger fines! It also brings the UK in line with the rest of Europe. And no, Brexit won’t affect anything.

The biggest single difference is the focus on accountability. Unlike the DPA, it will be your responsibility to prove that you are compliant.

So as a very specific example, you’ll need to appoint a data protection officer. They’ll be responsible for informing employees of their responsibilities, monitoring compliance and will be the first point of contact for any issues.

We’ll go into more detail on the main differences later in this post. But for now, think about how you’d respond to an investigation by the ICO.

What discussion documents have you produced internally? What audits have you carried out showing where and how you collect candidate and client data? How have you changed your processes? Have you updated any terms and conditions or privacy notices? What training have you provided internally?

As mentioned, no one knows for sure how GDPR will be interpreted. But one thing is for sure, if you’ve made no attempt to think about it at all, you could find yourself in very hot water.

Should we treat candidates and clients differently?

The short answer is yes if you’re sending electronic communications, but no if you’re collecting, storing and processing candidate and client data. Why? Because they’re actually covered by two different pieces of legislation.

The Privacy and Electronic Communications Regulations (PECR) cover how organisations send electronic communications to their customers. And there are some very key points in here for recruiters. GDPR, by contrast, focuses on how the data is collected, stored and used on an ongoing basis.

One thing you’ll be very pleased to know is that cold calling is not affected under PECR. But how you’ve collected, stored and used the data of the people you might be calling does fall under GDPR.

Another important point is PECR distinguishes between individuals and those belonging to ‘corporate bodies’, which includes employees. But GDPR makes no such distinction.

You should also be aware of ‘soft opt-in’. This essentially means that as long as there is a prior relationship, and you give them the option to opt out, you can communicate with them electronically.

You’ll want to keep email marketing best practice in mind. If your emails aren’t timely or relevant, then even though you may be compliant, quoting the complexities of PECR, the DPA and GDPR to a client or candidate is unlikely to help you build strong relationships.

It will all come down to how you define the ‘prior’ relationship. And this will depend on how and when you collected their data, for what purpose and how you’ve used it.

Do we need consent?

Well, yeah obviously. But you are already doing it to some extent so I don’t see this changing massively (assuming you’re following current laws).

It’s already a legal requirement to keep basic personal data on candidates. Changes to the immigration legislation in 2008 mean employees have to prove their eligibility to work in the UK. And under the Data Protection Act and The Conduct of Employment Agencies and Employment Businesses Regulations you need to seek permission before sending out a CV.

GDPR states that ‘you must determine your lawful basis before you begin processing data, and you should document it’ (again, you can see the importance of accountability).

For businesses, there are two main lawful bases for processing data: gaining ‘clear consent’, or having a legitimate interest in doing so.

To use legitimate interest as your basis, ‘You must balance your interests against the individual’s. If they would not reasonably expect the processing of their data, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.’

So receiving an application or terms and conditions from a client is more than a legitimate reason for processing their data. It’s expected! And as I said, you’ve already gained consent to some extent.

But the issue arises with what happens next. Because under GDPR, you can’t use someone’s data for a purpose different from the one they originally gave it for.

So if a candidate gives you their CV to find them a job, but they go off the market, what happens in 18 months time when they show up in a search and match? Or a client fills the role, how do you stay in touch whilst still remaining compliant?

This is where you need to decide: will you try to gain consent, or do you have a legitimate reason for keeping in touch?

How do we stay in touch?

Ok, so if you’re going to try to achieve consent, how would you do it?

Well, you could include a tick box as part of your application or registration process: ‘Please tick to receive information related to your job search, ongoing career development and future opportunities’. Or you could wait until they’ve gone off the market and ask for their consent then.

But to give context, blog newsletter sign-up rates are between 2% and 5%. This is different, so you could even get as high as 20% or 30%, but it’s a much smaller group of candidates and clients to call or email than you might be used to.

The advantage of consent, however, is they will be far more receptive. But be careful because it sets the bar very high.

As an example, if you get a candidate to set up an email alert and you neglect to mention that you will also email them a CV template, you could be accused of not offering ‘clear consent’.

Ok, so is there a legitimate reason for keeping in touch with your candidates or clients? Well, based on the movement in the labour market, absolutely there is.

According to Indeed, 2% of people stay in their job for less than 2 years. This rises to 46% for less than 4 years. The CIPD’s latest employee outlook survey suggested a quarter of people are looking for a new job.

The ICO website points out ‘commercial interest’ as being a legitimate reason. But be careful: how legitimate it is will come down to what PECR describes as having a ‘prior relationship’.

For this, you should focus on the strength of the initial contact, how you’ve kept in touch since and the level of engagement in that period.

As an example, it will be very hard to justify emailing a candidate you spoke to for 5 minutes about a role 3 years ago. But you are on much firmer ground if you’d interviewed them face to face 12 months ago, had been emailing them every month since, and they’d replied 3 times.

So definitely no more bulk sending to lists of 10,000! The key here is discussing internally what you think is acceptable, defining your rules, documenting them and training people.

Will we have to delete any data?

It depends how long you’ve had it, but probably yes!

This is a fundamental decision recruitment companies need to make (and, if you hadn’t got the point yet, document it!).

No one likes deleting data. It doesn’t feel right. There’s always the ‘what if’ thought.

You need to discuss internally what you think is reasonable.

Financial records, as an example, legally need to be kept for 6 years. But this does not mean keeping individuals’ data (and this isn’t just personal data but anything that uniquely identifies an individual, such as an ID).

So what is reasonable or likely to be considered legitimate? 6 months, a year, 2 years, even 3 years? Again, you need to think about the movement in the market, the strength of the initial engagement and the ongoing relationship.

If a candidate or client hasn’t engaged with you in the last 3 years, what’s the point in keeping their data? And from a wider business perspective, you are better off focusing on lower-hanging fruit.
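The two decisions above (what counts as a strong enough ‘prior relationship’ to rely on legitimate interest, and when data with no lawful basis should be erased) only satisfy the accountability principle if they are applied consistently and leave a record. The script below is an added illustration, not code from the original post or from any recruitment product: it runs a retention review over a small constructed candidate set and writes one audit entry per record. The 12-month and 3-year windows, the ‘strong contact’ types and the legal-hold handling are assumed policy values chosen to mirror the post’s examples; a real business would substitute the periods it has documented internally.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy values are assumptions for illustration, not figures from the post or the ICO.
REVIEW_DATE = date(2018, 5, 25)              # treated as "today" for the review
RETENTION_LIMIT = timedelta(days=3 * 365)    # no engagement for 3 years: no basis to keep it
RECENT_WINDOW = timedelta(days=365)          # "recent" engagement means within 12 months
STRONG_CONTACT = {"interview", "placement"}  # contact types counted as a strong relationship


@dataclass
class Candidate:
    ref: str                                 # internal reference; no name needed for the review
    consent_given: bool                      # ticked a clear consent box for ongoing contact
    last_contact: date                       # date of the most recent interaction
    contact_kind: str                        # "application", "interview", "placement", "call", "email"
    replies_last_12m: int                    # replies received from them in the last 12 months
    legal_hold_until: Optional[date] = None  # e.g. a financial-records obligation on this record


def lawful_basis(c: Candidate, today: date = REVIEW_DATE) -> str:
    """Classify a record as 'consent', 'original_purpose', 'legitimate_interest' or 'none'."""
    if c.consent_given:
        return "consent"
    since = today - c.last_contact
    if since > RETENTION_LIMIT:
        return "none"
    recent = since <= RECENT_WINDOW
    if recent and c.contact_kind == "application":
        # Still being processed for the purpose it was given for: finding them a job
        return "original_purpose"
    if recent and c.contact_kind in STRONG_CONTACT and c.replies_last_12m > 0:
        # Strong initial contact plus ongoing two-way engagement
        return "legitimate_interest"
    return "none"


def review(cands: List[Candidate], today: date = REVIEW_DATE) -> List[Dict[str, str]]:
    """Produce one audit entry per record: the decision taken and the documented reason."""
    log: List[Dict[str, str]] = []
    for c in cands:
        basis = lawful_basis(c, today)
        if basis != "none":
            action, reason = "retain", f"lawful basis: {basis}"
        elif c.legal_hold_until is not None and c.legal_hold_until > today:
            # Cannot erase yet, but there is no basis to keep using it for recruitment
            action, reason = "restrict", f"no lawful basis; legal hold until {c.legal_hold_until}"
        else:
            action, reason = "delete", "no lawful basis and no legal hold"
        log.append({"ref": c.ref, "action": action, "reason": reason, "reviewed": today.isoformat()})
    return log


# Constructed sample records (not real candidates)
SAMPLE = [
    Candidate("C-001", True, date(2015, 1, 10), "call", 0),          # consented: retain
    Candidate("C-002", False, date(2017, 6, 1), "interview", 3),     # interviewed 12 months ago, replied 3 times
    Candidate("C-003", False, date(2015, 3, 1), "call", 0),          # brief call 3 years ago: delete
    Candidate("C-004", False, date(2018, 2, 1), "application", 0),   # live application: original purpose
    Candidate("C-005", False, date(2014, 9, 1), "placement", 0, legal_hold_until=date(2020, 9, 1)),
    Candidate("C-006", False, date(2018, 3, 1), "email", 0),         # one-way email, never replied: delete
]

if __name__ == "__main__":
    for entry in review(SAMPLE):
        print(entry)
```

The returned list is the artefact an investigator would ask for: each row states which basis was relied on, or why none applied, and when the decision was taken. Records under a legal hold are restricted rather than erased, so the financial-records obligation mentioned above does not become a reason to keep using someone’s details for marketing.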

How should we be storing data?

Let’s get the obvious out of the way first: your candidate and client data should be stored in your CRM system or applicant tracking system (ATS)!

Technology providers are so hot on security now that this will go a long way to making you GDPR compliant from a storage and security perspective. But the real risk will come from all the other places you store and collect data and, as is often the case, from the people using it.

One of the first things you should do is review exactly where and in what systems you’re collecting data. And write it down! This could include software like Broadbean, your own website, job board databases, email communications, spreadsheets, internal reports, marketing tools and employee systems.

Whilst it will be your responsibility to work with GDPR compliant suppliers, there’s only so much control and influence you can have over them (more on this next).

But from an internal perspective, the two biggest risks are likely to be individuals and teams keeping spreadsheets for internal reporting purposes, and the physical recording of data, i.e. pen and paper.

The first major issue, and likely to be of greatest significance if you were investigated, is the lack of security.

If you have candidate details written down on paper sitting in drawers or lying about the office, it would be very easy for someone entering your building to take them. You also need to think about the security issues associated with moving written-down information between locations, such as different offices or when you’re interviewing offsite.

Spreadsheets also pose a security risk, as many are stored on desktops and a variety of devices and often aren’t password protected.

The second important point is around the ‘right to be forgotten’. That’s not you forgetting you have a drawer full of cards with candidates’ details on, or that you ‘have a spreadsheet somewhere’. It’s the individual’s right to have their personal data erased after a given point. So the risk with spreadsheets and physical cards is that you have no systematic way of deleting the data.

With advances in cloud computing, mobile technology and some great recruitment software out there, there’s no excuse for these outdated practices.

The main aim behind GDPR is showing you have respect for people’s data. Understand your processes, update them if required and, most importantly, train your team. Your biggest challenge is quite possibly cultural change and the drive required to train staff.

What about suppliers and job boards?

As mentioned, it will be your responsibility to ensure you’re working with GDPR compliant suppliers. So, in the first instance, talk to them! Understand what they’ve discussed internally and what decisions they’ve made. Some are clearly more ahead of the game than others.

The job boards, for example, seem way behind the curve. Again, they are likely to be compliant from the point of view of applications, but with their candidate databases it couldn’t be more clear cut: they are selling people’s data to third parties!

So firstly, how long are they going to keep people’s data for? The size of their candidate databases is often a big selling point for recruiters. So, like you, they have to decide how long they are going to keep their data. But similarly, what’s the point in having access to a database where 50% of candidates aren’t actively looking?

Much of their compliance will be based on how they are collecting candidate data and the level of consent they achieve. But currently, a quick search of the UK’s 5 largest job boards reveals some rather bad practices going on with their sign up forms. 4 of the 5 have pre-ticked boxes signing people up to receive emails. 1 had a pre-ticked box to allow their CV to be searched, the others did not mention it.

There may also be an issue under PECR. You’ve found a CV on a job board and emailed the candidate. Who gave you permission? What’s the ‘prior relationship’? And what records have been kept?

Given that the risk is unlikely to come from the ICO itself but rather from disgruntled candidates, it’s worth talking to the job boards and understanding what they’re doing. You don’t want to get tangled up in any bad practice. Whilst you are unlikely to be held accountable, a candidate isn’t really going to make that distinction.

What should we be doing now?


  1. If you haven’t already, assemble a team. Ensure you have at least one senior stakeholder. Also, appoint your data protection officer.
  2. Start by mapping out how people interact with you. What are you collecting, with what tech, when and what do you say?
  3. Next look at how you’re storing data. Everything from CRM and websites through to excel reports and physical cards.
  4. Write it all down, then have your internal discussions. You need to assess how compliant you are likely to be.
  5. Decide on your lawful basis for processing data. If it’s going to be ‘legitimate interest’, what are your legitimate reasons? And write it down!
  6. How long are you going to keep people’s data for? A tough decision and likely to cause much debate. But make a decision and do it. Any time frame is better than none!
  7. Update what you say to people. This should include privacy policies and terms but also at the point of the applications, sign up forms and emails. Make it clear!
  8. Think about ongoing marketing campaigns and how they will be GDPR compliant.
  9. Train, train and train some more! The challenge for most will be achieving cultural change.

So what’s the opportunity for recruitment?

It’s about respect. The main aim behind GDPR is encouraging people to respect people’s personal data. It’s only being lent to you. So you have a responsibility to look after it properly. If you show signs you’re doing this, you’ll be fine.

But GDPR also offers opportunities. Greater CRM / ATS buy-in will make teams more productive. Better data quality will enhance search and match. Improved accuracy will create stronger reporting. Time limitations will encourage more sophisticated marketing.

All these things will help teams make more placements. GDPR has the power to not only weed out bad practices but encourage owners to build more streamlined businesses with better growth opportunities.

Time will tell how this is interpreted and enforced. But it’s coming so get ready!
