
How GDPR Affects Recruiters

Your recruitment business is responsible for collecting, storing and verifying a large amount of sensitive information about your candidates and your clients. Unless correct procedures are followed, particularly with respect to GDPR compliance, that information is a significant risk to the business. In this article we’ll look at how GDPR affects recruitment agencies.

What does GDPR require recruiters to do?

GDPR has been in force since 2018 so it’s likely that most established recruiters have a good handle on it by now. However, just in case you need a refresher, here’s what your recruitment business needs to do under GDPR.

Candidate consent

Recruiters need a lawful basis before processing or sharing candidates’ data; in many cases this will be the candidate’s consent. You should also not process special category data, such as disability information, religion and genetic/biometric data, unless you can demonstrate that it’s necessary and that one of the specific conditions GDPR sets for such data (for example explicit consent) applies.

Legitimate interest

If, for example, you’re collecting information about potential candidates with the intention of contacting them, you can store this information without their consent under legitimate interest, but this must be for “specified, explicit and legitimate purposes”. In this example you must tell the candidates what you hold and why within a month of collecting it, and if they object, or you cannot justify keeping it any longer, you must delete the data.

Access to data

Candidates also have the right to access the data you hold about them. If a request is made, your agency must respond within a month and be able to provide a copy of the candidate’s data together with the purposes for which it is being processed.

Your privacy policy

GDPR requires you to have a clear privacy policy and make this available to any clients or candidates who wish to read it. It needs to state where and how you store personal data, how long you keep it and what it will be used for. Usually this would mean stating that data will only be used for recruitment purposes.

Proof of compliance

It’s up to your recruitment business to demonstrate compliance with GDPR, and you should be prepared to prove compliance where necessary. It isn’t enough to say that you’re compliant, or even to explain what you do: you must be able to show, with records, that your policy is actually being followed.

What this means in practice

Your recruitment business will have been working within GDPR for some years, but are you following best practice? Use the tips below to improve your data handling and reduce the risks to your business.

You need a GDPR expert

GDPR can be complex and the detail is important, so it’s a good idea to nominate someone on your team to become your GDPR expert. Appointing a data protection manager, whether or not you are also required to appoint a formal Data Protection Officer, is a good way to centralise your compliance strategy and provide a single point of contact for any data issues.

You need a clear data policy

Your website should carry a clear privacy policy outlining exactly how personal data is collected, used and shared. Your policy should cover:

  • How you store candidates’ data.

  • How long you will store data for.

  • The reasons why you store data and what it will be used for.

  • Your candidates’ right to have their data erased, and how they can access it.

This will meet the GDPR requirements for disclosing how you handle personal data.

Audit the data you store

In order to check your GDPR compliance, you need to map out all the different kinds of personal data you collect, where each is stored and who has access to it. This will help you identify where you need to secure consent, and where you need to make your privacy policy available.

A data audit will also help you identify any data you’re collecting that you don’t actually need for your legitimate purposes, so that you can stop collecting it and delete what you already hold.

Review your processes

Regularly review any process that involves collecting data from candidates or potential candidates to ensure that:

  • You’re only collecting data from individuals that you legitimately intend to contact

  • You’re only collecting data that is genuinely necessary for the purpose

  • You obtain consent, or delete the data, as soon as possible

Check any external software

It’s likely that your recruitment business is using an applicant tracking system (ATS) to store and share candidate data, and it’s essential to ensure that this external software is compliant with GDPR. Because the provider is processing personal data on your behalf, you need a written data processing agreement with them. Ask your provider to detail their GDPR compliance activity and get your in-house expert to read their privacy policy and security documentation.

Create a data breach procedure

By following GDPR guidelines you’ll reduce the risk of a data breach. If a breach does happen, GDPR requires you to act quickly to contain the damage, to notify the supervisory authority within 72 hours of becoming aware of it where the breach is likely to put individuals at risk, and to tell the affected individuals where the risk to them is high.

Your recruitment business should have processes in place to detect, investigate and report any breaches, and it’s important to ensure your staff know what these are and what their responsibilities would be if you experienced a data breach.
