With nearly one full year of GDPR under our belts, we look at the impact it has had on the recruitment industry to see if it has changed it for better or for worse. Check out our GDPR refresher below.

A GDPR reminder

Just in case you need a refresher, the General Data Protection Regulation (GDPR) is an EU legal guideline that affects how businesses collect, store and discard data. The regulation came into effect in May 2018 and replaced the 1995 European Data Protection Directive. GDPR’s main aim is to improve fairness and transparency, and to keep businesses within the law.

For the recruitment industry, it will have transformed your processes. Whether you’re sourcing or receiving applications for an open vacancy, you need to gain consent from all candidates before you’re able to store and process their data. If you’re unsure, this flowchart provides further detail.

GDPR and recruitment?

With the new regulation, recruiters have found that they have had to change their processes to comply. From how you source potential leads to how you nurture your talent pools, even the processes for screening and discarding candidates’ CVs have had to be altered. One of the main changes brought in was the need for explicit consent to store candidate data.

Recruitment Consultant Holly Riordan, from London, confirmed:

“We had a big data cleanse of the candidate and client data we held on our applicant tracking system. We had over 80,000 candidate records on the system prior to the GDPR cut-off date. We now have circa 25,000.”

“I wouldn’t say our processes have slowed down, but there are more processes to follow. For example, when a candidate applies to an online job advert or registers with a CV including their personal details, all candidates must be sent a legitimate interest email. This requires a response before we can even begin to engage with them.” 

To help recruiters manage their processes, it’s a good idea to factor in a reasonable amount of time for candidates or clients to respond to consent requests. If you’re struggling to kick-start the process, make sure the consent requests or legitimate interest emails are clear, concise and actionable. A simple tick-box answer can collect the information you need. For example:


Hi [candidate’s name],

We found your professional profile and think you could thrive within our company.

Before we can discuss any potential job opportunities you may be interested in, under GDPR regulation, we need your consent to confirm that you agree to be contacted for recruitment purposes.

Do you give consent for your personal data to be appropriately stored by our company and that you understand that you can object and ask for your data to be deleted accordingly at any time?

☐ Yes

☐ No


When dealing with large amounts of data, it can be overwhelming to keep track of who has given consent, where you’ve requested it and which profiles need to be deleted. Technology can help you manage this process. Our integrated platform has an easy-to-use consent workflow that helps you stay GDPR compliant. From automated consent emails to providing a clear message to candidates on how their data is stored, technology can condense your workloads.

How is GDPR going so far?

With the threat of massive fines (some in the millions), GDPR is something that is, and should be, taken seriously. That said, some businesses have failed to shape up their processes.

A study from the European Data Protection Board found that there were over 206,000 cases of GDPR complaints and breaches in the first 9 months under the new law.

Search giant Google was among the first to be fined. A colossal €50 million fine was ordered by the French data watchdog, CNIL, which concluded that Google failed to meet transparency, information and legal processing requirements.

Whether it’s companies hiding their mistakes well or individuals unaware of who has their data and how it can be used, GDPR across the board is still in the early stages.

Matthew Cole, Employment Partner at Prettys Solicitors, comments:

“Awareness is important in this area. It’s only once individuals start to become aware of how their data can be used, will we see them start to look at asserting their rights. It’s an issue increasingly on the minds of the social media platforms. Facebook in particular, who suffered a fall in their share price as a result of the Cambridge Analytica and related scandals, and they are clearly not out of the woods yet.”

“It is also interesting to see that similar data protection regimes are starting to be adopted elsewhere in the world. However, we all still click through privacy statements and cookie consents without reading them. I think that the law has to develop in a way that does not rely quite so much on highly legalistic notices, and makes data rights more user-friendly.”

At some stage, all recruiters will handle personal and sometimes sensitive data. This is why it’s important to make your privacy policy and processes as clear and concise as possible to help the reader understand how their data will be used.

There’s no argument that GDPR is highly complex, and obstacles are beginning to arise in certain industries. For example, one of the main issues cropping up in recruitment is background checks. As every candidate has the right to refuse consent, there are potential problems with obtaining the background checks that are a requirement for certain job roles.

Matthew Cole continues:

“One of the key issues is relating to those employers who want to carry out criminal records checks on candidates, but do not have the ability to carry out a standard or advanced DBS check.”

“Many employers are struggling to navigate through the Data Protection Act 2018, which deals with this issue, and is proving to be highly complex. Even those employers who do not do DBS checks may do some due diligence online, or via social media, and I think that processing that data is going to increasingly come under the spotlight.”

“Interestingly, we have not seen many cases where unsuccessful candidates are making subject access requests to find out what data is held on them. That may well change in coming years.”

What’s new with GDPR?

Surprisingly, even though the regulation is a legal requirement, the fines are not consistent from case to case. Across the board, GDPR allows for a maximum fine of 4% of a company’s global revenue, or €20 million, whichever amount is higher. However, the regulation is not specific on how to work out the scale of the breach and the size of the fine that should be incurred.

To tackle this, the Netherlands is the first country to introduce a GDPR fining policy by aligning fines to a four-tier category system. The fines range from €0 to €200,000 for the lowest category and from €450,000 to €1 million for category 4. Whether this will reduce the discrepancies from case to case is yet to be seen.

No business wants to prepare for fines, so it’s important to spend time perfecting your processes to ensure you’re completely GDPR compliant.

Key takeaways

As businesses have had nearly a year to get their heads around implementing the regulation, it’s even more important to continue to adhere to GDPR in recruitment. Here are some key takeaways to remember.

  • Keep on top of the latest GDPR news to make sure you’re ahead of the game with any new policies that are coming in.
  • Hire or appoint someone to be responsible for GDPR. They can manage inbound and outbound candidate information to make sure everything is stored, processed and deleted properly.
  • Make sure you clearly lay out your privacy policy and the transparency information on your website.
  • Create an automated consent email to send out to all approaching candidates.
  • Remember that tech and automated systems can help you stay organised and GDPR compliant.