From 25th May 2018, organisations that collect personal data on EU residents must be compliant with the General Data Protection Regulation (GDPR). The GDPR is a new law that aims to strengthen people's rights to privacy and protect their personal data.  This is the second of two posts - this one looks at the things you might do to make sure that you, as a recruiter, are compliant.   The previous post looked more generally at the key provisions and requirements.  Please note, for the avoidance of doubt, our disclaimer.  This post is not professional advice and is certainly not legal advice - you should take your own legal counsel on how this may affect your own position.

As a recruiter what can you do about GDPR?

1. Find out where your data is

It's always best to start off with the basics.  You won't get far with the GDPR unless you have a very good understanding of, and control over, where all your candidate data is located and how it is used.  We suggest you look at what sorts of information you collect from candidates, why you collect it, and from where.  GDPR requires that you are clear about where and how you find and store candidate names and contact details, as well as any other identifying information.

Some questions you might like to ask yourself:

  • Where do we source our candidates from and how do we collect this data? 
  • What sorts of data do we actually collect?
  • How much of this data do we actually usefully use and why?
  • How is this data used within our processes and procedures?
  • Where are ALL data items stored?
  • Who has access and why? 
  • How is this data shared, transferred, modified and deleted?

2. You need a Recruitment Privacy Policy

If you already have one, review it just to be sure.  Otherwise, we believe you should get one for GDPR purposes if nothing else. For recruitment, GDPR requires you to have a transparent privacy policy in place explaining how you collect, process and protect data, and that also gives readily accessible instructions for candidates to ask your organisation to delete and/or rectify their data.  You may have a general privacy policy that already covers GDPR.  If so, it should cover all the items GDPR requires and it needs to be very accessible to candidates within a recruitment context.  

A checklist of items to include:

  • Name and contact details of your organisation, including  your Data Protection Officer (DPO) if you have one. 
  • Statements to the effect that any data requested will be used for recruitment purposes only.
  • The types of information that you will hold about them in your files.  
  • Who their data will be shared with. 
  • Where this data will come from (make sure all sources are lawful and you include e.g. reference checking agencies and others who contribute to the process).
  • Where the processing is based and where you store data (e.g. if your recruitment back office is outside the EU you need to state this and specify where). 
  • How long you realistically expect to store a candidate's data for (we understand you can specify criteria here, e.g. you might hold data longer for candidates who are further forward in your selection process). 
  • How you will support a candidate's legal rights (under GDPR they have e.g. the right to be forgotten, to rectify or access their data, and to withdraw consent where you rely on it). 
  • How you will protect their data.
  • Lastly, instructions on how they can take action around your use of their personal data (e.g. how they can get a copy, rectify it or have it deleted).

3. Sourcing

This is about how you find and store new candidate data.  The GDPR requires that you always have a lawful basis when acquiring candidate data; for sourcing, that basis is usually a legitimate interest, which you must be able to justify. 

This generally means:

  • Don't collect candidate data that you don't intend to use.  Under GDPR you can no longer simply build a talent database by adding candidate data in case you need it in the future.  That said, careful use of talent pools/portals where candidates register to be kept informed of future job opportunities will likely be compliant where controls are in place and where candidates are clearly informed of how long and for what purposes their data will be used. Good recruitment software should provide this.
  • If you are doing general sourcing, e.g. headhunting, you should only keep candidate personal data for a limited time (30 days is the rule of thumb, since GDPR requires you to tell people whose data you obtained from another source about your processing within a month at most). Contact the candidate within this timeframe and, if they request it, delete their data.  If 30 days after sourcing the information you have still not contacted them, delete it rather than keep it on file.
  • Be careful about the information that you collect.  You can process information if you can show it relates to your recruitment and selection process.  Don't collect anything else just because you can.
  • You must collect information only from sources you can defend as lawful.  Basically, this means the data is publicly accessible and the candidate put it there with a reasonable expectation of being contacted for recruitment purposes (a professional networking profile or job board, rather than a private personal account).   The good news is that this means data from professional social network profiles or job boards should be lawful to use.  But it needs to be publicly accessible to comply. 

4. Review your application process for GDPR compliance

In filling out online job applications, candidates are providing their personal data.  Assuming your job applications correspond to actual job openings, you will have a lawful basis for processing this data (a legitimate interest, or steps taken at the candidate's request before entering into a contract) and you do not need to ask for explicit consent. But, just to be sure:

  • Make sure you ask only for the personal data you need. To be compliant, it should be necessary and relevant to the performance of the job being applied for. 
  • Transparency.  Make sure candidates know that you intend to use their data for recruitment purposes only, as well as how long you may need to keep that data. It's likely that you will be looking to collect more data as a candidate progresses through your recruitment process.  You might be looking to check their social media profiles, do reference checks or undertake assessments.  If so, you need to say so explicitly and explain how, by whom and why. 
  • Your privacy policies. Make sure they are compliant.  We suggest you get one specifically drawn up for recruitment (see above).  In any event it needs to be readily accessible. What this means in practice will likely be subject to future guidance.  At this time, however, we understand that just having a general website privacy statement in small print in your website footer will not 'cut it' under GDPR.  It needs to be reasonably prominent at the point where candidates are looking to supply their personal details.  It should also include instructions to candidates on how they can ask you to delete, rectify or stop sharing their data. This is where a well designed careers site/portal can help, allowing you to have a place that keeps all your recruitment information together and accessible for candidates.

5. Candidate Communication

Candidate rejection is probably the biggest area. To be GDPR compliant you should be looking to delete the data of rejected candidates according to the timescales you have specified in your policies (you can't just keep it in case). If, however, you think you might like to keep their data for longer, then you must separately contact them and seek their consent.

Another area that we know many employers will face is where you get candidate data from sources other than online applications.  This includes referrals, e.g. CVs handed in by staff members for people they think would work well in the business.  It could be that you have agencies simply emailing CVs through to your managers, or you pick up CVs at careers fairs.  We suggest that in each of these cases you have a standard email that you can send which outlines your policies and privacy details. We also suggest that wherever possible you direct all inbound candidate data through your recruitment system (if you have one). It makes it much easier to manage, and most good recruitment software can also manage referrals and agency input.

If candidates contact you regarding their data, you must let them access an electronic copy of their data on request and have this process readily accessible (put it on your careers site/portal).  The format of this is generally up to you.  You will likely have some information in database form and some in the form of files.  Under GDPR you need to be able to supply it to a candidate in electronic form and in a manner they can reasonably use.   We do expect more guidance to be forthcoming on what this practically means. But giving a candidate online access via a web browser to their data and any associated files would, we believe, represent best practice.  However, as we understand it, you will also be fine sending an email with attached files as long as they comprise a complete set of the information.  Remember, candidates can now legally require you to delete their information in many circumstances (for example, where it is no longer needed for the purpose you collected it for) and, where you rely on consent, they can withdraw it at any time (GDPR requires that giving and withdrawing consent be equally easy and simple).

A key thing we are picking up with respect to GDPR is making sure that you keep within your own privacy policy guidelines (which should themselves be GDPR compliant).   Having a link to your Recruitment Privacy Policy and to your careers site/portal on all your recruitment-related emails will certainly help demonstrate your intent to be compliant.


The GDPR is a major change to how data is used and processed for EU residents.  The information we have given has been taken from publicly available sources.  But in the months following May we can likely expect more guidance on practical means of operating in compliance.  We know many in HR and recruitment are either still grappling with the implications or have not yet even heard of the GDPR.  We hope our two posts have provided a useful primer and some assistance.