GDPRRecruiting in big DataRecruitment

GDPR – Implications for employers and recruiters

GDPR, recruitment data
The new GDPR guidelines which come into effect on 25th May 2018 will impact everybody working in recruitment.
What is the GDPR?

GDPR, or General Data Protection Regulation will replace the current Data Protection Act and is a new piece of EU legislation which seeks to strengthen and unify data protection for individuals in the EU, giving them greater control over personal information.

The changes to the current guidelines will have an impact on how recruiters, recruitment business, HR departments, and Hiring Managers process candidate and client data. Any breaches of the new regulations could result in fines of up to 4% of global annual turnover – ouch!


It’s not just about compliance

Despite the threat of fines, and that unpleasant word ‘compliance’ – these new guidelines are really about protecting us all –  putting the consumer first.

Primarily, it’s about being transparent and accountable as an organisation – ensuring that candidates have true ownership of their data and it’s use. It involves the kind of ethical practices that forward-thinking recruiters and HR teams are either already using or working towards. We all need to consider how clear and transparent our recruitment and data management practices are?

We’ve outlined below some of the key considerations for any organisation involved in recruitment and processing candidate data. This is by no means exhaustive and for the full list of regulations visit GDPR website.


Key Considerations
  • Greater clarity on job adverts – they must state how personal data will be processed. It must be clear what will happen to the CVs of unsuccessful applicants (retained for future recruitment) – all applicants must be given the opportunity to request they are removed.
  • Only those involved in recruitment can access CVs.
  • Questions on application forms must be relevant and specific to individual jobs. I.E. Only request info on criminal convictions if it is relevant (I.E. In council jobs).
  • Adopt a clear policy for retaining and disposing of all unsuccessful/unsolicited applicant CVs. Ideally, all candidates must receive a letter of acknowledgement, detailing how long their application will be kept on file and what will happen to them. Give them a clear opportunity to opt out.
  • Do not keep any information about successful applicant’s criminal convictions. You may only keep a record of whether or not the CRB check was satisfactory or unsatisfactory.
  • You may still keep notes during the recruitment process (ie. interview notes), but these can constitute personal data and candidates can request access to these.
  • If a candidate requests that their information should be deleted, this must be done immediately.
  • Candidate data cannot be stored for “longer than reasonable”.
  • The guidelines require backward compliance. This means that all candidate data currently held needs to be compliant. Therefore, every candidate must be provided with a way to opt out.


Clearly, these guidelines have enormous implications for recruitment companies, HR departments and Hiring Managers. Organisations actively involved in building talent pools and pro-actively seeking candidate data need to think very carefully about current practices, and how to comply to these new guidelines.

Here at Douglas Stuart, we are working hard to ensure that all our recruitment processes are clear and transparent – to everyone. That means reviewing all of our internal policies, contracts and working practices, including the way that data is shared with our clients.

We’re confident the new GDPR guidelines, will increase candidate trust and engagement at all stages of the recruitment process.