GDPR, the new data protection regulation, comes into force on the 25th May 2018.

Recruitment businesses who don’t prepare before the deadline will find it comes back to haunt them.

GDPR is going to have a huge effect on the way you run your recruitment business. On a day-to-day basis, your team deal with a lot of personal data. Therefore it is vital that they know, understand and comply with the new regulations.

To help you out, we’ve pulled together the five steps you need to take to become GDPR-ready.


1. Processing Personal Data and Obtaining Consent

Consent is one of six lawful grounds for processing data, and knowing how and when you need to seek consent can be tricky.

The five other lawful grounds for processing are:

  • Performance of a contract with an individual: e.g. to supply goods or services they have requested, or to fulfil an obligation under an employment contract.
  • Compliance with a legal obligation: when processing the data for a particular purpose is a legal requirement.
  • To protect the vital interests of a person: for example, when processing data will protect someone’s physical integrity or life.
  • A public interest: this will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
  • Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights.

Recruitment businesses typically rely on an individual’s consent to justify data processing. However, GDPR changes the legal bases for the collection and processing of personal data, applying stricter requirements for consent. For example, if you want to use data a candidate supplied when applying for a role for an unrelated purpose, you will have to obtain separate consent for that processing.

It’s wise to revisit existing processes and revise them if necessary. Areas to review include candidate acquisition processes and candidate marketing. You may need to ask existing candidates to re-register and remove any candidates who have not consented. You may also need to give candidates additional clarity about how you collect and use their personal data.

2. Data Sharing Under GDPR

If you share any data with a third party company, you’ll be expected to have a more regulated data sharing policy in place.

Many recruitment agencies share their contractor data with RPO companies, umbrella companies or payroll companies. If your agency falls into this category, you’ll need to review and potentially update your relationships with all your third party suppliers to ensure they also meet GDPR’s requirements.

It must be clear to your third party providers that you own the data, and that they are not permitted to use it outside of the agreed terms.

You must also make your intention to share data clear to anyone who will be affected, e.g. your candidates.

3. GDPR Data Processing

The people who will be most affected by GDPR at your recruitment business will be those who act as a data processor. This might be the person who shares your candidate data with your payroll company, your admin assistant or any/all of your recruitment consultants.

Currently, there are only a few obligations your data processor is required to meet. However, GDPR will bring with it a lot more in the way of responsibility and requirements.

From May you will be directly responsible for your agency’s compliance with GDPR, the potential sanctions and, most importantly, the consequences of your non-compliance.

To ensure you are compliant, you will need to review all of your client contracts and make sure they fall in line with the GDPR requirements.

4. GDPR Individual Rights

Under the current Data Protection Act, individuals have certain rights with regards to how and when their data is used. GDPR continues to include the existing rights, but also includes a range of new ones.

An individual will have the right to access more information and the power to have inaccuracies rectified immediately. They also have the right to have their information removed when it is no longer used, if they withdraw their consent, or if the way their information is being processed is unlawful.

There is a new right about data portability. It allows individuals to move information held about them to another controller, e.g. a different recruiter. This must be presented in a structured, digital format for smooth transfer.

You need to consider how you will amend your internal processes to accommodate these new rights, especially data portability. Do this now so that you’ll meet the rights of individuals when GDPR comes into full force. It would be smart to also start including additional protections in client contracts to limit free migration.

5. GDPR Security Measures

Your recruitment business will have a duty to implement new measures that ensure a level of security that is “appropriate to the risk”. The new measures you will most likely have to implement are:

  • In the event of an incident, you must have the tools in place to quickly restore any missing data.
  • You must be able to ensure the ongoing confidentiality, availability, integrity and resilience of all the data processing systems you use.
  • You must be able to encrypt all personal data you store, and have the ability to pseudonymise any data element if required.
  • You need to have a process in place to regularly test, assess and evaluate how effective the security measures you have in place are.
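The pseudonymisation measure in the list above is easy to state and easy to get wrong: hashing an email address with plain SHA-256 is not pseudonymisation, because anyone holding a list of likely addresses can recompute the hashes and recover the identities. The example below is added here and is not code from this post or from Sonovate; it uses only the Python standard library and constructed, fictional candidate records. Direct identifiers are replaced with keyed HMAC-SHA256 tokens, so a third party processor (such as a payroll or umbrella company, as in step 2) receives linkable but unreadable records, while the key and the re-identification table stay with the controller. The function and field names are this example's own choices.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Tuple

# Constructed sample data: fictional candidates, two rows for the same person.
CANDIDATES = [
    {"email": "alice@example.com", "name": "Alice Example",
     "phone": "+44 7700 900001", "skills": ["python", "sql"], "rate": 450},
    {"email": "bob@example.com", "name": "Bob Example",
     "phone": "+44 7700 900002", "skills": ["java"], "rate": 400},
    {"email": "alice@example.com", "name": "Alice Example",
     "phone": "+44 7700 900001", "skills": ["python"], "rate": 475},
]

# Fields that identify a person directly; everything else is left as-is.
DIRECT_IDENTIFIERS = ("email", "name", "phone")


def new_pseudonymisation_key() -> bytes:
    """Fresh 256-bit secret. Held by the controller only; never sent to the processor."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed token for one value. Without the key the token cannot be
    brute-forced from a dictionary of candidate values, unlike a plain hash."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def pseudonymise_records(
    records: Iterable[Dict], key: bytes, fields: Tuple[str, ...] = DIRECT_IDENTIFIERS
) -> Tuple[List[Dict], Dict[Tuple[str, str], str]]:
    """Return (records safe to share, re-identification table kept by the controller).

    The same input value always maps to the same token under one key, so the
    processor can still group rows per candidate without learning who they are.
    """
    shared: List[Dict] = []
    reidentification: Dict[Tuple[str, str], str] = {}
    for rec in records:
        out = dict(rec)
        for field in fields:
            if out.get(field) is None:
                continue
            token = pseudonym(str(out[field]), key)
            reidentification[(field, token)] = out[field]
            out[field] = token
        shared.append(out)
    return shared, reidentification


def reidentify(
    record: Dict, reidentification: Dict[Tuple[str, str], str],
    fields: Tuple[str, ...] = DIRECT_IDENTIFIERS,
) -> Dict:
    """Controller-side reversal, e.g. to act on a subject access or erasure request
    that a processor reports back against a token."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = reidentification[(field, out[field])]
    return out


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    shared, table = pseudonymise_records(CANDIDATES, key)
    for row in shared:
        print(row)  # what the third party processor would receive
    print(reidentify(shared[0], table))  # what only the controller can recover
```

Two practical points follow from the design. First, rotate or segregate keys per third party: a separate key per processor means tokens handed to the payroll company cannot be correlated with tokens handed to an RPO. Second, the re-identification table is itself personal data and needs the same access controls and retention limits as the original records; deleting a candidate means deleting their table entries too, or the tokens in shared data stop being anonymous to you.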

To implement the new measures you may need to amend your internal processes to comply. If you currently use, or are considering using, any CRM/ATS software, you must ensure that it is also compliant with the new regulations. If it is not, this will have a negative effect on your business.

You must also make sure your social media policies are clear with regards to what you will and won’t do with client and candidate data. Failure to do so may land your business in a lot of trouble.


For more information about GDPR, what it means for you and how to prepare, take a look at this useful GDPR infographic and download our cheat sheet below.

Prepare now, and you’ll have an easy ride in May 2018.



The information shared in this blog and accompanying eBook is true and complete to the best of our knowledge. All recommendations are made without guarantee on the part of the author and Sonovate LTD. The author and publisher disclaim any liability in connection with the use of this information.