Data Privacy in Recruitment: GDPR

On 25 May 2018, the General Data Protection Regulation (GDPR) came into force. GDPR has made massive changes to UK data protection laws. How will your recruitment business be affected?

There will be a number of new obligations. Fines go up to €20m or 4% of global turnover (whichever is greater) for organisations that do not comply.

The government has clearly stated that GDPR will apply, and will continue to apply, regardless of Brexit. In short, GDPR is here to stay.

As recruitment businesses hold and use large amounts of personal data on their candidates, clients and staff, they will need to understand GDPR and ensure their business is GDPR compliant.
Recruitment businesses normally rely on the individual’s implied consent as the basis for processing their personal data.

For example, when a candidate submits their CV, this is generally treated as broad implied consent to use the candidate’s personal data to put them forward for the specific roles they want to apply for, and to carry out any processing which is ancillary to the recruitment business’ services. That ancillary processing typically includes adding the candidate to the recruitment business’ candidate database (which may be hosted by a third-party cloud provider) and contacting them about future vacancies which the recruitment business believes may be of interest to them, perhaps many years later.

Under GDPR, consent must be freely given. It must also be specific, informed and unambiguous, and requires affirmative action from the individual. Therefore, it will be much more difficult for recruitment businesses to rely on consent. In particular, the fact that an individual has not objected to their personal data being used in a certain way or has posted their personal data on publicly accessible professional and social media sites such as LinkedIn will not be sufficient to amount to consent.

Transparency and Demonstrating Compliance

GDPR contains extensive requirements around record keeping and being able to show a paper trail of compliance.

You are also required to include additional information in your privacy notices. For example, the notice must set out the purposes for which the data is going to be processed, how long the data will be retained, and must state the right to have personal data deleted or rectified.

There is also a requirement to inform individuals about their right to complain to the Information Commissioner’s Office (ICO), the data protection regulator.

Information Security

GDPR expands on the obligation to take appropriate technical and organisational measures to keep personal data safe. It introduces mandatory breach reporting within 72 hours and, in certain circumstances, the individual may also need to be notified of the breach.

You will need to check that your contracts with your data processors (i.e. any third party who handles personal data on your behalf, such as certain IT suppliers) contain clauses that provide the protection required by the GDPR.

Data Subject Rights

GDPR makes significant changes to subject access requests, including shortening the time period to respond. It also clarifies existing rights such as the ‘right to be forgotten’, which will require you to delete data in certain situations. It also introduces various new rights, including the right to ‘data portability’, which allows individuals to obtain a copy of their personal data in a commonly used and machine-readable format, and the right to transmit their data to another data controller (e.g. a rival recruitment business).

If you have any questions about GDPR please contact us at