New recruits to GDPR

Recruitment agencies have been seeking expertise to shore up their policies and procedures around data protection and General Data Protection Regulation compliance.

When you consider that recruitment agencies are effectively ‘data businesses’, handling personal details day in and day out, it’s no surprise that they want to ensure their stall is in order.

It’s a huge sector. According to research, the number of newly-registered recruitment agencies in the UK rose at its fastest rate ever in 2017, with 9,001 starting up that year. An average of 818 new agencies registered each month during the past year. The number currently trading stands at a record 35,275.

Personal data, including name, phone number, email address, a photo and salary information may typically be stored centrally on a database system. It may also be kept separately by individual recruiters on phones or tablets.

GDPR impacts how personal data can be acquired, stored and used. Even though a candidate may post their information on a job board or LinkedIn, that doesn’t give a recruiter carte blanche to download and process that personal information.

To obtain permission, recruiters are required to confirm to the data subject exactly what their personal data will be used for, who specifically it will be shared with, where it will be stored and how long it will be stored.

Consent is required for each specific purpose, and the option – and method – to withdraw consent must be clearly demonstrated. This is significant for recruiters working with vulnerable individuals, where the rights of those individuals will need to be specifically stated in a way that is easily understood.

GDPR makes it harder for recruiters to have arm’s length relationships with candidates and a lot more effort will need to be put into developing robust recruitment processes that meet the guidelines.

When it comes to adopting GDPR best practices, one of the biggest hurdles is making sure everyone in an agency knows what’s required of them. If everyone is still working in silos, with different databases, from Outlook folders or spreadsheets, then meeting the GDPR requirements becomes extremely difficult.

It’s an opportunity to consider centralising and simplifying data management, to make it easier to monitor and maintain GDPR guidelines.

Candidates have the right to know why you want their data, and what you’ll use that data for so a GDPR-friendly set of candidate-facing terms.

An agency’s privacy policy is something else that may need updating. Under the GDPR, it needs to include a legal right to process information, what your data retention period is, and how candidates can complain to the Information Commissioner’s Office (ICO) if they’re unhappy with how you handle data.

GDPR requires this updated privacy document to be written clearly, concisely and to be readily available.

By law, privacy policies, terms of use and candidate agreements will have to be written simply and without screeds of small print. Candidates also need to be informed on how exactly you plan to use their data – so no pre-ticked boxes.

A data breach means a candidate is likely to suffer damage in the form of identity theft or a confidentiality breach. If a breach does occur, the ICO must be notified, so ensure that the right processes are in place to detect, report and investigate it.

Candidates must give explicit consent – or recruiters must demonstrate a legitimate interest – for personal data to be collected and used.

Candidates can object to the processing of their data for profiling purposes, and they can request at any point that their personal data be deleted when it’s no longer required.

Adding in agreed and reasonable retention timeframes of personal data is good practice, too.

For businesses found not to be adhering to the ICO guidelines or working with GDPR best practices, there will be penalties: they could end up with a bill of €20 million or 4% of global turnover – whichever is higher.

So, it’s clear why recruitment agencies – and every business handling personal data – must be clued up and switched on around the new regulations, adhering to GDPR to the letter, and being able to demonstrate compliance.

GDPR is designed to protect the rights of 750 million people across the EU. It puts a huge new focus on data protection, and this is the new norm.

Digital businesses and digital lives need it as a set of rules that reflect the nature of our modern world where data must be processed and stored with due care and attention, with the user placed firmly at the centre.

By Austen Clark, Managing Director,  Clark Integrated Technologies
