Balancing GDPR with HR: Keeping compliant when hiring

As businesses brace for the introduction of the new GDPR rules next May, recruitment is one of the key areas to be considered.

So now is a good time to review your existing policies and procedures, carry out a data mapping exercise, and work with your suppliers and partners to make sure they’re walking alongside you on the road to compliance.

Here are some of the steps you can take to ensure your recruitment processes are shipshape by next spring.

1. Review your candidate consent notices

One way to legally process data under the GDPR is to obtain the consent of the individual. For consent to be lawful it needs to be unambiguous, genuine, not assumed from inaction, and capable of being withdrawn at any time.

You’ll need to have consent in the form of a positive opt-in, which means that pre-ticked boxes or any other method of ‘consent by default’ will no longer be acceptable.

When it comes to handling job applications and background screening, you must clearly explain to candidates how their personal data is being processed and gain their explicit permission. You need to tell applicants, amongst other things, about data retention periods and their rights, including the right to withdraw consent.

The Information Commissioner’s Office (ICO) has published guidance on GDPR and consent, which suggests that companies should check their existing practices and mechanisms to make sure that they conform to GDPR standards, and refresh them if necessary.

HireRight supports employers in ensuring that information notices and consents are delivered, and we’re continuing to monitor guidance given around GDPR and consent. We’re also looking at the questions that candidates ask most frequently, so we can make sure we’re providing the right level of information in the new sample consent forms made available to clients.

2. Map your data

Data mapping shows where your company sends and receives data and how it is being used. It should be a key part of your compliance strategy, including your pre-employment screening policy.

Data mapping should help you comply with a number of key GDPR elements, including the need to maintain detailed records of data processing to show accountability.

To create data maps or refresh existing ones, start by considering the following questions:

  • What type of data are you collecting and does it include any sensitive personal information?
  • Who is collecting or using the data, and is it sent to a third party?
  • Where is any third party located, and is the data hosted in that country?
  • When and how is the data collected and used, and how long is the data retained for?
  • What is the purpose of the collection and use of the data?

Your service providers, including any recruitment or background checking agencies, should also have conducted their own data mapping exercises. This is particularly important if they use a network of local vendors to help them conduct pre-employment checks.

3. Refresh your SAR policies

Background screening processes can be an anxious time for candidates, and an applicant may make a subject access request (SAR) to get a copy of his or her background report from the prospective employer.

The SAR process under GDPR will be largely similar to the current regime, but there are a few changes: businesses will only have one month to respond, for example, and responses must allow the person to easily identify what information is held on them and what processing has been carried out.

Take this opportunity to review your SAR policies and make any necessary adjustments, and to train your employees on the GDPR requirements and the organisation’s updated process. If you don’t already have template letters for responding to requests, begin developing them now to help streamline the process.

4. Think through data deletion

The GDPR also includes regulations around the erasure of data, often referred to as “the right to be forgotten.” This means that someone can request the deletion of their personal data when it’s no longer needed – for example, a candidate can ask you to erase their background check from your system.

If you receive a request like this that you need to comply with, you’ll need to delete any information you hold and also instruct your hiring company or screening provider to do the same. However, your supplier may also use a third party to help with screening, so you’ll need to put a process in place to identify additional sources of information.

Again, make sure that your employees are abreast of the new legislation and provide training on dealing with “right to be forgotten” requests.

Get set for GDPR

GDPR is set to affect the flow of hiring, so businesses must act to ensure that they are regulation ready. Although HR and recruitment teams are already keenly aware of the importance of data protection, it is essential to review policies and procedures in light of the incoming legislation.

Work with your suppliers and partners to see how they can help you comply. At HireRight, we’re monitoring developments closely so that we can support our clients as they prepare for the rule changes and impact on recruitment.

GDPR may seem complex and cumbersome, but it has the potential to enhance the hiring process by ensuring companies focus on efficiency and transparency. Preparation remains the key to success: the more that can be achieved prior to next May, the slicker the transition will be.


Steve Girdler, Managing Director at candidate due diligence company HireRight

