• Date posted: 29 Sep 2017

I’m a Recruiter and I love what GDPR will do for recruitment….


Now before you start throwing stones, hear me out. I know it is a pain to implement anything compliance related, both in terms of cost and time and the pure, mind-numbingly painful research. BUT… I think overall it will be a great thing for recruiters. For good, ethical and quality-focused recruiters it will be great; for the sharky types that don’t respect their clients and candidates it will be quite the shock.

One thing is for sure: it’s not quite as complicated as perhaps some people would like you to believe.

I want to help you understand the elements of GDPR that are relevant to the recruitment industry and the steps you can take now to start implementing the changes.

The General Data Protection Regulation (GDPR) is basically an update to the Data Protection Act of 1997 and will come into effect in May 2018. So you have time to prepare, and, as the Information Commissioner has confirmed, there will be no overnight witch hunt.

So let’s put GDPR into context. As recruitment agencies we source, process and use data every day, whether it belongs to clients, candidates, suppliers or third parties such as RPOs or payroll providers.

The key change within GDPR is simply that we must have explicit permission, or a legal or contractual right, to process data belonging to someone, and we must also protect that data. That’s it.

I think this is great. Think about the scenarios created by unethical recruiters…


You know the ones: they scrape candidate names and CVs and share them without the candidate’s permission (how many times have you lost fees, candidates or jobs due to the unscrupulous actions of others?).


The same recruiters often create fake adverts, tell candidates they represent clients when they don’t, and lie to candidates about the success of an application that was never actually made.

While I agree GDPR will create a headache, it doesn’t have to be as painful as perhaps you think. If we take action now it will hurt far less come May.

So let’s take a snapshot of what it means and what steps we can take now to prepare.

What is GDPR?


The General Data Protection Regulation affects all people in the EU. It is designed to protect everyone’s rights over their personal data, and it simply brings the UK up to the standards of personal data regulation already in place in many other countries around the world.

In simple terms, as of 23rd May 2018, candidates and clients must give explicit consent for their personal data to be processed and used. This means they are entitled to know exactly how their information will be used.

Candidates or clients have the right to stop you processing their data for profiling purposes, and they can also request that their personal data is deleted when it is no longer required. Even more interesting is that they can withdraw their consent at any time. What recruitment agencies must be aware of is that there will be very real financial penalties if permission is not gained, and they can be considerable: 20 Million Euro or 4% of global turnover, whichever is higher. I must add here that the Information Commissioner has released a statement assuring people that the point of the exercise is to effect a change, not to launch a full-scale inquisition come 23rd May. No doubt the companies with the most to lose will be very careful to comply, but as this is new, with no industry best practice set or standardised and no case law to refer to, much is still open to interpretation.

The best action to take is to stay logical and focused on the rights of the individual you are holding or processing data for.


Whether it’s you or someone else, someone needs to become the champion for all things data internally. If you are a larger company, no doubt you already have a Compliance Manager or Director; for smaller independent firms this may need to be the Director or MD themselves until a full plan is in place. It won’t hurt to start talking to your teams now to let them know GDPR is coming and that planning is taking place which will result in some changes to process.

This will help your agency centralise all the areas you’re exposed in, and create a consolidated plan of action to become compliant with the new regulations. By appointing one person, you begin the process of determining



Take a look at how information is currently generated. Here are some obvious sources:


  • CV databases
  • Job Boards
  • Linkedin
  • Facebook
  • Google search
  • Incoming applications
  • Candidate referrals
  • Website forms / queries

Now think about all the places this data is stored:


  • Individual inboxes
  • Group inboxes
  • Job board accounts
  • Job posting software accounts (Broadbean, Idibu, Logic Melon)
  • CRM
  • Spreadsheets
  • Linkedin accounts
  • Payroll systems
  • Website portals
  • Website candidate areas
  • Job alert storage
  • Email marketing lists (mailchimp, infusionsoft etc)

Now that you know where you collect data from and where you store it, you need to think about how that data is used or shared. Things like:


  • Candidate contact data stored for further contact about alternative roles
  • Client data stored for candidate introductions or sales calls
  • Candidate CVs stored for future vacancy submission
  • Speculative candidate introductions to clients
  • Candidate referral information for future contact
  • Mailing lists for blogs, marketing materials, events, jobs, candidates, news
  • Passing of candidate data to clients
  • Passing of client data to candidates
  • Passing of candidate data to third parties for payroll
  • Passing of client data to third parties for billing

Now go back and review at what point you currently obtain permission to store and use that data. This will identify the gaps between your current process and the requirements as of May. The onus will be on you to prove that you have upheld GDPR requirements.


This has to start with streamlining the way in which data comes into your agency. You effectively need to create one central bottleneck as far as possible, and you cannot afford to leave this in the hands of individual Consultants; it won’t be them, after all, who pay the fine if you are found in breach.

If all incoming new candidate data, whether via application or data generation from your teams, is held with a temporary status until there is a visible form of permission to hold and use the data, then you have a way to ensure you are compliant.

You may wish to appoint a Data & Compliance Officer to manage this for you once you understand what you need to do.

To get ready you might want to consider:

  • Changing how your job boards and aggregators are set up: perhaps they should all come into one central inbox, or be parsed with a new initial status until your Data & Compliance Officer can see proof of permission or gain it themselves
  • Having an appointed person review all incoming new data daily
  • Amending your CRM to timestamp new data with a countdown, effectively quarantining data until permissions are gained and saved against that record



Once you have streamlined or funnelled the way in which new data comes into your business, and you have someone appointed to oversee your GDPR compliance, you will need to think about what permission you seek, at what points in the process you issue the permission request, and how you then obtain and store proof of that permission.

Your permission statement / requests should include:

  • The reasons why you are storing their data
  • Exactly how you will store the data you have gathered
  • How long you will store that data for
  • How candidates can access the data stored
  • How to request that data be deleted, and any lawful exceptions, such as payroll records


The Information Commissioner wants to see that you are being honest and transparent with the person whose data you are storing. So go for complete clarity and be as specific as possible.


If you want to contact them with jobs then say that. If you want to use their CV for the purposes of securing interviews then say so.


Hopefully you already comply with the Data Protection Act, so updating your processes for GDPR should be a fairly simple exercise.

Your privacy policy will no doubt also need updating. You should make sure you lay out your legal right to process information, how long you will hold data for, and how candidates can raise a complaint with the Information Commissioner’s Office (ICO) if they’re unhappy with how you have stored or processed their data.

GDPR requires you to write this updated privacy document and to make it easily available too. Don’t forget that under the law, privacy policies will have to be written simply, using easy-to-understand terms, and candidates need to provide explicit consent for you to use their data. You absolutely cannot use pre-ticked boxes!



If an individual or group is likely to suffer damage in the form of identity theft or a confidentiality breach, you will have to notify the ICO. Today some businesses aren’t required to do this, but under GDPR everyone must. Therefore, you will probably need to update your internal procedures, IT security and employment contracts to safeguard against a data breach. If a data breach does occur, you will need to prove that you had the right processes in place to detect, report and investigate it.


So key facts in a nutshell:

  • Every new candidate or client must expressly give consent to your agency’s terms of use, with explicit details around how their data will be stored and processed. You must capture this at the very start of any relationship or record being created on your CRM or any other system you use.
  • Automatic opt-ins of any type do not count
  • You need explicit consent before you can use candidate data for anything, such as sharing their details, name or CV with a third party such as a client or payroll company
  • You must keep a record of this explicit consent and any subsequent requests
  • If you can find a way to automate this, do it! The less human error the better
  • Any candidate can request for their data to be forgotten, removed or deleted. You must have a workflow for how a candidate or client can request this and who will manage it. If there is a legal exception for not deleting their records then you must share that.
  • Email and SMS marketing must be opted in to by the candidate, and you must be transparent about how and when they did this. It cannot be assumed. Just because a candidate sends you a CV does not mean they consent to being sent more job details or to their CV being sent to the client or anyone else.
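As an added illustration of the quarantine-until-consent workflow and the key facts above (my own example, not code from the original post or any named CRM), here is a small Python consent ledger. The 14-day countdown, the purpose names, the record fields and the Unix-timestamp inputs are assumptions, since the post gives no figures.

```python
from dataclasses import dataclass, field
QUARANTINE_SECONDS = 14 * 86400  # assumed countdown; the post sets no figure

@dataclass
class Record:
    created: float                     # Unix time the data arrived
    status: str = "quarantined"        # quarantined -> active -> withdrawn / restricted
    purposes: frozenset = frozenset()  # purposes the person explicitly consented to
    source: str = ""                   # proof of consent: web form id, email, call note
    legal_hold: str = ""               # lawful exception to erasure, e.g. payroll records
    audit: list = field(default_factory=list)   # record of consent and later requests

class ConsentLedger(dict):   # candidate id -> Record
    def ingest(self, cid, now):
        self[cid] = Record(created=now, audit=[(now, "ingested; quarantined")])

    def record_consent(self, cid, purposes, source, now, pre_ticked=False):
        # A pre-ticked box or an empty purpose list is not an affirmative opt-in.
        if pre_ticked or not purposes:
            raise ValueError("consent must be an explicit, affirmative opt-in")
        rec = self[cid]
        rec.purposes, rec.source, rec.status = frozenset(purposes), source, "active"
        rec.audit.append((now, f"consent for {sorted(purposes)} via {source}"))

    def can_process(self, cid, purpose):
        # Every use (job alerts, sending a CV to a client, ...) is checked per purpose.
        rec = self.get(cid)
        return rec is not None and rec.status == "active" and purpose in rec.purposes

    def withdraw(self, cid, now):
        rec = self[cid]
        rec.purposes, rec.status = frozenset(), "withdrawn"
        rec.audit.append((now, "consent withdrawn by the data subject"))

    def sweep_quarantine(self, now):
        # Delete records whose countdown ran out without proof of consent.
        expired = [c for c, r in self.items()
                   if r.status == "quarantined" and now - r.created > QUARANTINE_SECONDS]
        for c in expired:
            del self[c]
        return expired

    def erase(self, cid, now):
        # Right-to-be-forgotten request; a legal hold is refused and the reason recorded.
        rec = self[cid]
        if rec.legal_hold:
            rec.status, rec.purposes = "restricted", frozenset()
            rec.audit.append((now, f"erasure refused: {rec.legal_hold}"))
            return f"retained: {rec.legal_hold}"
        del self[cid]
        return "deleted"
```

Each record's `audit` list is the evidence trail the post asks you to keep: when consent was given, through which channel, and how later withdrawal or erasure requests were handled.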

So hopefully you are starting to see how you can cope with GDPR, and if you’re smart you will start work now.


If you want more information, there is a GDPR updates page you can use to stay up to date with all changes and news. There is also a website and email list you can opt in to.

Please rest assured. This will help us lose old dead data and focus us all on the good stuff. It will really clamp down on “dodgy” recruitment tactics that commonly tar us all with the same brush and can only raise our value in the eyes of candidates and clients.

We’ve been here before. We’ve weathered legal changes, IR35 and a whole host of “threats” to the recruitment industry. This one, I believe, actually has the opportunity to improve the industry and widen the gap between great and bad in the eyes of outsiders.

Good Luck!
