GDPR for recruitment agencies

What does GDPR mean for the recruitment industry?

The introduction of GDPR has had a significant impact on how recruitment agencies collect and handle candidate data. Ensure you’re compliant with a guide from Cheeky Munkey.

Intended to unify and strengthen data protection procedures across the whole of the EU, the General Data Protection Regulation (GDPR) came into effect on 25th May 2018, leading to significant changes in recruitment industry practices.

GDPR affects any business that collects, processes and uses personal information. In the recruitment industry, it gives candidates more control than they previously had over what recruitment companies can do with their personal data.

Why was GDPR implemented?

The new GDPR framework brings the existing data protection legislation – the Data Protection Act 1998 – up to date with the changing ways that data is now used.

The previous legislation is wholly out of date as it was established before internet usage and Cloud-based systems became commonplace.

The associated risks of data exploitation – including cyber attacks – should be reduced by increasing the security around data protection legislation. Stricter enforcement and prosecution measures will also be introduced for those that breach the new regulations.

Recruitment industry compliance

The new regulations specify that candidates must provide their explicit consent for their personal data to be collected and used, or alternatively recruiters will have to demonstrate a legitimate interest for collecting candidates’ personal data.

Candidates can also now object to the processing of their data for profiling purposes, and they can request at any point that their personal data be deleted when it’s no longer required.

Penalties for non-compliance and data breaches are considerable – with a fine of up to £20 million or 4% of a company’s global turnover – whichever is higher.

There is no accreditation or certification you can publish on your site to show you are GDPR compliant, but you should make it clear that you are doing everything you can to provide transparency around how you handle and process your candidates’ confidential data.

While as yet there have been no significant or highly publicised GDPR data breaches, it’s imperative to ensure your recruitment company is fully compliant.

Cyber Essentials is a Government-backed industry support scheme that helps protect against the threat of cyber attacks. Recognised by the Information Commissioner’s Office (ICO), the scheme provides certification to demonstrate your commitment to ensure cyber security. It can also mitigate ICO fines if you suffer a data breach.

A Cyber Essentials certification is a beneficial first step towards GDPR compliance. The additional security controls could prevent around 80% of cyber attacks and may also reduce corporate insurance premiums.

Tips to ensure GDPR compliance

To ensure your business is GDPR compliant, every new candidate should be made aware from the outset of your intentions and purpose for storing their data.

All candidates should understand and agree to your data policy and guidelines at the point of registration – whether in person or online. You must not rely on an auto opt-in feature – candidates must consciously confirm they agree to you collecting their data.

Candidates must consent to you storing their data, or passing it on to a third party – in this case, your client.

You should always keep auditable proof of your candidates’ agreement to share their details with a third party who manages or accesses data on your behalf. Automating this process will save time and also ensure you have the correct information to hand as and when you need it.

Any candidate can request to be ‘forgotten’ or removed from your database at any time, so you must have a robust internal process in place to ensure this is actionable.

Candidates must consciously opt in to any email or SMS contact and you must be transparent about how and when they opt in. You must not auto-opt them in without their consent.

You should document every point at which a candidate shares their information with you, alongside details of your existing data management systems.

You must identify how you are currently storing and collating candidate information, alongside any areas where you need candidate consent or where you’re responsible for holding candidate data. This includes databases, website registrations, event lists, timesheets and any payroll or billing information.

Clarify all personal candidate data you hold, where it came from and who you have shared it with. GDPR legislation states you must maintain records of how you process data, so if you’ve shared candidate data with another agency, client or payroll company then you must let the candidate know.

Accountability for how you process data is one of the key principles of GDPR, so you must be able to prove your policies and procedures comply with the updated data protection regulations.

You must also ensure every member of your team is aware of what they are required to do to ensure data compliance. Full training is recommended to ensure there are no areas of confusion.

Centralising and simplifying your data management will make it easier for you to monitor and maintain GDPR guidelines across your business.

You are also likely to need to update your company terms and conditions and privacy policy to ensure compliance. Your terms should specify:

  • Your reasons for storing candidates’ personal data
  • How you store candidates’ data
  • How long you keep candidates’ data
  • The rights candidates have to access their personal data
  • The right for candidates to request that their data is deleted from your databases

Transparency within your terms and conditions is crucial, as candidates should be aware of why you want their data and what you’ll use their data for.


Under GDPR regulations, your company privacy policy must:

  • Include your legal right to process information
  • Specify your data retention period
  • State how candidates can complain to the Information Commissioner’s Office (ICO) if they’re unhappy with how you handle their data

GDPR requires you to ensure your privacy policy is readily available to candidates.

You should ensure you have adequate internal procedures in place to safeguard against a data breach.

In the event of a data breach, GDPR states you must notify the Information Commissioner’s Office (ICO) as soon as you are aware of the breach, so you must ensure you have the right processes in place to detect and report it.


For further information on how we can assist you with GDPR compliance, including:

  • Assessing business risks and formulating policy documents
  • Ensuring that your IT forms the core of your GDPR compliance and security solutions
  • Training staff in compliance
  • Demonstrating how your CRM can automate processes
  • Dealing with incidents should they arise
  • Handling operational issues

please get in touch – we will be happy to help.
