GDPR in Recruitment: How to be Compliant

The General Data Protection Regulation (GDPR) is widely accepted as a natural evolution and progression in the protection of a very basic human right – privacy. However, the impact it’s going to have on business in general is still a massive grey area for most, especially in recruitment.

How will GDPR influence our ability to build talent pools?

What will we have to do with candidate data that we use for benchmarking that we collected years ago?

None of the recruitment-oriented questions have really been answered and, with May 25th creeping up on us, they need to be. I bet you’re thinking – why does it really matter? We’ve had the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR) for years now, so aren’t they all the exact same?

In short – no.

Like with everything – if you want to comply with a new regulation or learn a new skill, you need to understand it first. That matters all the more when, according to Forrester, 80% of companies will fail to comply with GDPR in 2018.

Firstly, what is GDPR?

Well – that’s the million-dollar question at the moment. As defined by Investopedia:

“The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based.”

It was approved by the European Union parliament in April 2016, and will replace the Data Protection Directive which currently regulates and governs how ‘personal data’ can be used.

Today, there are completely new ways of exploiting personal data, given the rise of the Internet and cloud-based technology – the GDPR seeks to address these threats by imposing steeper and more severe penalties for non-compliance, and giving people greater control over what companies are doing with their data.

GDPR applies to all ‘personal’ data. What ‘personal’ actually means, and which information or data it actually applies to, is often misconstrued. Contrary to popular belief – personal information is not only what you’d consider extremely private, such as bank details or National Insurance numbers.


Are you interested in ensuring you’re GDPR compliant in your recruitment? Come along to our seminars in March to find out more.

What is ‘Personal Data’?

As dictated by the Information Commissioner’s Office (ICO):

“The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”

With that being said – it’s not just a case of protecting the data. There are seven fundamental principles that, ultimately, are in place to drive full GDPR compliance.

But first – it’s probably best we cover off some of the key definitions of the GDPR, so you understand what we’re referring to as we go through…

Data Controller – The Data Controller is the individual who determines the purposes for which, and the manner in which, any personal data is to be processed.

Data Processor – Any individual who processes the data on behalf of the data controller.

Data Subject – An individual who is the subject of personal data storage (i.e. you or I, if our data is kept on any database).

Personal Data – Any data which relates to a living individual, who may be identified:

  • From that data, or;
  • From the data and other information which is in the possession of, or is likely to come into the possession of, the data controller.

Processing – In relation to information or data, processing means obtaining, recording or holding the data, or carrying out any operation(s) on the information or data.

Sensitive Personal Data – Sensitive personal data is treated separately from standard personal data and consists of the following information:

  • The racial or ethnic origin of the data subject;
  • His/her political opinions;
  • His/her religious beliefs or other beliefs of a similar nature;
  • Whether he/she is a member of a trade union;
  • His/her physical or mental health or condition;
  • His/her sexual life;
  • Any criminal information, and;
  • Any proceedings for criminal acts.

Third Party – A third party, when related to personal data, refers to any person other than the data subject, the data controller or any data processor.

Now that’s covered – the 7 fundamental principles of full GDPR compliance:

The Fundamental Principles of GDPR

Accountability

Accountability is what you would expect – the data controller(s) can demonstrate an organisation’s data processing remains compliant with GDPR at all times. In short – they can be held accountable for ensuring compliance.

This remains one of the most significant changes as we progress from the DPA to the GDPR – before, it was acceptable to simply comply, whereas under GDPR this compliance must be demonstrable.

Accuracy

The accuracy principle is exactly what it says on the tin – it demands that all personal data that’s held on file is completely accurate and, where necessary, kept fully up-to-date.

GDPR dictates that any inaccurate or ‘old’ data should either be deleted or amended in a timely fashion.

Data Minimisation

Data minimisation, as a fundamental principle of GDPR compliance, asks that any information requested is adequate for the processing task at hand. In short, controllers must ensure that any additional or superfluous data is destroyed in an appropriate manner.

For many – data minimisation will pose considerable issues, especially for those with large archives of historical data.

Integrity & Confidentiality

Integrity and confidentiality asks that all personal data that is processed shall be done in a way that ensures the security of the data subject.

Lawfulness, Fairness & Transparency

Firstly – this principle ensures that all personal data is processed lawfully. Secondly – it ensures that all of the data subject’s information is handled fairly and transparently.

To put this into perspective – 57% of individuals do not believe companies are transparent in their use of data. Think about the repercussions of this, in terms of your reputation as an employer and as an organisation.

Purpose Limitation

Purpose limitation dictates that all personal information accrued and stored by an organisation is used for ‘clear and legitimate purposes’. That same data shall not be processed for any additional purposes other than those explicitly outlined to, and understood by, the data subjects when the information was collected in the first instance.

In short – all of your data should have a purpose. And, it should never be used for anything other than that purpose.

Storage Limitation

Storage limitation is potentially the least defined and most ambiguous principle and concept. Essentially, storage limitation asks organisations to ‘not hold personal information for longer than is absolutely necessary and outside the purposes for which it was initially collected.’

Essentially – storage limitation refers to limiting how much data is stored. There is no time period that is specifically outlined as ‘longer than is absolutely necessary’, as it comes down to a legitimate business need. This is to be decided by your business, and expressed to any third-party that you subsequently engage.


Following each of these principles – there are a few elements of the GDPR that will affect your recruitment…

Key Elements that will affect Recruitment

First and foremost – the rights for individuals/data subjects under the GDPR. Individuals have every right to subject access (i.e. requesting to see all of the information you have on them as an identifiable individual); to have inaccuracies corrected, in line with the accuracy principle; and the right to erasure, whereby their data must be deleted. Not archived or cached – they must be irretrievably removed from your database.

Secondly – your privacy policies will need to be updated, and kept up-to-date, to incorporate the new things you need to tell your candidates. These will include, but not be limited to, their right to erasure, and your legal basis for processing their data. It’s also not enough to just update your policy and leave it on your website – you need to evidence your candidates’ receipt of the privacy policy.


Given all of the above – our internal Data Protection Officers have pulled together a few top tips to help you understand what you need to do now:

So, what do I do now? Our Experts’ Top Tips

  • Be proactive – don’t wait, plan and act

The worst thing you could do is wait for GDPR to arrive before you even think about how it will affect you and, therefore, what you need to do to achieve compliance. Take control of your compliance – be accountable, and mitigate your risks.

But, don’t try and take everything on at once – get the easier bits done first. If you wait until you have no choice but to focus on GDPR – mistakes will be made, and wires will be unnecessarily crossed.

Plan what you’re going to do, and make sure you stick to it. Give yourself as much time as possible to achieve compliance, because it’s not just about doing it – it’s making sure your workforce understand how to do it, too.

  • Don’t just focus on the GDPR – look at the bigger privacy picture

The GDPR is part of a much bigger privacy initiative – focusing solely on compliance could mean you fall foul of the current Data Protection Act, which you certainly don’t want to do.

Familiarise yourself with the DPA, GDPR, and the ePrivacy Regulations which are slated to come into play during 2019. Once you understand all of these – incorporate them into your plan and see yourself with a more rounded picture of what privacy compliance truly looks like.

  • Clearly decide and document your basis for legal processing

This is important – your legal basis for processing comes into play in more than just the high-level compliance. It also comes into play with informing your current database of privacy policy updates.

In total – there are currently 6 legal bases for processing personal data. Most lawful bases require that processing is ‘necessary’, according to the ICO. However, if you can reasonably achieve the same purpose without the processing – you haven’t got a lawful basis. These 6 lawful bases are as follows:

  • Consent
  • Contract
  • Legal Obligation
  • Vital Interests
  • Public Task
  • Legitimate Interests

Document your legal basis for processing, and justify it.

  • Review your current candidate database

As a recruiter – you will have a tonne of data. Most of which, in all fairness, you probably won’t need. As a means of reviewing your current candidate database, you should look to dispose of the following three categories, which will probably constitute 30-50% of your data:

  • Redundant Data – remove all duplicate contacts and candidate information, because it isn’t necessary;
  • Obsolete Data – all ‘old’ records should be removed, because you no longer need them and, under GDPR, you cannot keep data because you think you ‘might need it at some point’;
  • Traded Data – any data that you have mined, found or purchased from elsewhere, because it definitely won’t be legal to process under GDPR.

Realistically, getting rid of data isn’t as bad as it seems anyway. Less data means your IT costs are automatically lower, and you have more control and reduced risk. What more could you want?

  • Train your team in Privacy & Security

To make GDPR truly work for your company – it needs to be instilled as part of your culture. It’s more than just a bunch of hoops that you need to jump through – for longevity, you need it to be adopted by everyone. Make privacy and security key cultural aspects of your organisation.

It’s as simple as appointing someone in charge of GDPR compliance – and getting them to run workshops, training, coaching and mentoring sessions with your employees. Once this training has been completed – it also needs to be repeated regularly, to keep everyone on their toes and reduce the likelihood of an issue.

  • Review your supplier contracts and ensure third-party compliance

If the data is yours – you are the data controller. Regardless of whether it is processed elsewhere or looked after by a third-party – you are responsible, and liable for any fines or breaches of data security.

In that vein – who are you sharing your data with?

Review third-party capabilities, and conduct a Privacy Impact Assessment (PIA) if necessary. Are they sub-contracting to anyone else? If so, the sub-contractors also need to comply, and you are liable for them if anything goes wrong.

Once you understand the extent of the data you’ve been sharing – issue new contracts in line with the GDPR, and clearly define responsibilities, obligations and liabilities.

However, as a rule of thumb – you should always try and reduce the amount of data you share with external partners.

  • Dedicate time, energy, resource & look externally for unbiased help

There are few, possibly even no, quick fixes to GDPR compliance – which comes back to my previous point of being proactive, and starting now. Dedicate time and resources to ensuring compliance – invest in it.

Take time to understand how the GDPR affects the whole organisation – where are the cross-functional dependencies?

Also, you should never be afraid to ask for help or advice. If you’re not competent in GDPR – ask someone who is. Find someone competent in strategic planning and problem-solving, who preferably understands recruitment, and ask them to take a look at your processes and build you a plan.

  • Evidence absolutely everything you do

Right from the get-go – document everything you do that’s related to GDPR.

Show how you work things out, record the reasoning behind your plan and outline exactly why you chose to do what you’re doing. Evidence-based accountability goes a long way towards proving compliant efforts to the ICO – evidence provides you with some level of leniency.

The ICO understand that the GDPR is a massive change, and definitely more convoluted than it needs to be. As such – they’re prepared to give ‘the benefit of the doubt’. To some extent, anyway. If you do something wrong, but have evidence of a Risk Gap Analysis and Mitigation Plan – what would otherwise be a fine may result in a good telling off and an audit, with a view to advising you as opposed to penalising you.


In conclusion – the upcoming GDPR isn’t something to be taken lightly.

However, at the same time – it’s nothing to be afraid of. Invest time in understanding how it works for you, and plan out exactly what you need to do. Make GDPR compliance ‘business as usual’, and you won’t encounter any problems.


Do you want to learn more about GDPR compliance in recruitment? During March 2018, our Data Protection officers are holding interactive seminars in Solihull and London. If you’d like to come along – save your space here.
