
GDPR for Business: GDPR Compliance in the Recruitment Industry

Callum Dawson

  • 19 Sep

Recruitment, GDPR

As a recruitment agency, data protection has never been more important. The GDPR has had numerous industries scurrying to become compliant, and it's no surprise why. The General Data Protection Regulation carries hefty penalties for non-compliance, with maximum fines of up to €20 million or 4% of global annual turnover, whichever is higher.

Of all the industries affected by the GDPR, recruitment businesses are among those that will notice the most change, because handling candidates' personal data is the core of the work. Research from recruitment specialist Robert Half UK found that two-thirds (66%) of CIOs plan to hire additional, permanent staff to handle GDPR compliance.

No room for error, then. Recruitment is built on the handling of personal data, and having a clear, documented lawful basis for handling that data (most often the candidate's stated consent) is now more vital than ever.

Luminate Digital can help you prepare. Contrary to what you may have heard, the GDPR does not spell the end of recruitment as we know it. This is not ‘end times’ - in fact, with a little preparation, it’s going to be business as usual.

As part of our GDPR Business series, here’s a rundown of what recruiters like you need to know.

The GDPR applies from 25 May 2018 and has been designed to better protect the rights of more than 500 million people across the EU. It replaces the existing data protection regime, which in the UK dates back to the Data Protection Act 1998 and, as you can imagine, is now outdated.

We’ll begin with a clear definition of what GDPR is.

What is GDPR?

From May 2018, where you rely on consent as your lawful basis, your job candidates must give clear, affirmative consent for their personal data to be collected and used; pre-ticked boxes and silence no longer count. Once the GDPR applies, candidates can object to the processing of their information and can request that their data be deleted when it is no longer needed for the purpose it was collected for.

You can find a more in-depth breakdown of the GDPR in our blog post on how it impacts business.

How are recruiters affected?

The recruitment process has become almost synonymous with the social media platform LinkedIn. That is understandable: it is a public, social platform on which users supply their own information.

But remember that a public profile is only surface information, and copying it into your own systems makes you responsible for it. To supervisory authorities such as the ICO, companies that maintain a database of personal data are 'data controllers'. Personal data is defined by the European Commission as "any information relating to an individual, whether it relates to his or her private, public or professional life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address".

These are just some of the areas the GDPR is clamping down on. For the recruitment industry as a whole, you're looking at significant changes to how you connect with job candidates and client businesses alike.

We've boiled the changes down to five particular areas: consent, sharing of data, processing of data, rights and security.


Consent

A central tenet of the GDPR is greater transparency between companies and individuals. You will need to state in clear terms what data you are collecting, when, for what purpose and on what lawful basis, at the point you collect it.

Once you have consent, or another documented lawful basis for the collection, you can proceed to work with your candidates.

There’s more, however. As we said earlier, recruitment sector businesses usually rely on an individual’s consent to process their data, whether this is through the medium of LinkedIn or otherwise. 

Come May, stricter requirements mean that a request for consent must be clearly separate from and independent of other matters such as terms and conditions. Separate consent must be sought for separate processing activities, and the candidate must be able to withdraw it as easily as they gave it.

For example, when a candidate consents to their details being used for one vacancy and is later interested in another, fresh consent will be required for the second vacancy; the first consent does not carry over.

All in all, companies will have to take a closer look at how they obtained the consent they currently hold. Prepare to ask your existing candidates to confirm their consent, and remove those who do not.

Sharing of data

Your agency may hold relationships with third-party bodies with whom you share data about your candidates. From 25 May, each of these arrangements needs to be documented, covered by a written contract, and disclosed to the candidate.

This includes your contractual ties to third-party groups: they have to be GDPR compliant just as you do, and your contracts with them must say so. You will also need GDPR-compliant policies for job boards, to ensure you have a lawful basis before using applicants' data.

Processing and Controlling of data

This is where the GDPR changes are most significant.

The roles of 'data controller' and 'data processor' are explained in the GDPR Guide we've written as part of our new GDPR Toolkit:

“The data controller is responsible for and will be able to demonstrate compliance with, GDPR principles regarding how personal data is processed. These responsibilities include lawfulness, fairness and transparency, data minimisation, accuracy, storage limitation, integrity and confidentiality of personal data.

The data processor, when completing processing on behalf the controller, can only do so by providing adequate guarantees that they will implement appropriate technical and organisational measures that meet GDPR requirements.”

The onus is on your agency, as data controller, to review your contracts with clients and processors, amend them accordingly, and check that each processor actually carries out the measures it has promised. These parties work together, and non-compliance fines can be levied on either the controller or the processor.


Rights

The existing Data Protection Act (1998) was built on protecting individuals' rights over their data, and the GDPR seeks to strengthen them. From next May, individuals will have much wider rights of access and information, and subject access requests must normally be answered within a month and free of charge.

Here are a few particular updates the GDPR brings in: when a candidate's data is no longer needed, the candidate has the right to request that it be erased. Similarly, a candidate has the right to restrict the processing of their data while its accuracy is contested, in which case you may keep it but not use it until the dispute is resolved.

Another important change to candidate rights is data portability. Under the GDPR a candidate will have the right to receive the data they gave you in a structured, commonly used, machine-readable format and to move it to another controller (in your case, another recruiter).
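The consent and rights sections above describe a rule rather than code: consent is held per processing activity, checked before each use, withdrawable, erasable, and suspended while accuracy is contested. The following is an added example of what that looks like as a minimal consent register; it is not Luminate Digital's code or part of any product, and every class, function and candidate address in it is an assumption constructed for the illustration.

```python
"""Purpose-bound consent register for candidate records.

Added example, not Luminate Digital's code. All names here are
assumptions for the illustration. The rules it encodes are the ones
the text states: one consent per processing activity (e.g. one
vacancy), checked before every use, withdrawable, erasable, and
suspended while the candidate has processing restricted.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class Consent:
    """One consent for exactly one purpose, with an audit timestamp."""
    purpose: str                       # e.g. "vacancy:101" or "newsletter"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class Candidate:
    email: str
    consents: Dict[str, Consent] = field(default_factory=dict)
    # Set while accuracy is contested: the record is kept but not processed.
    restricted: bool = False

    def has_active_consent(self) -> bool:
        return any(c.active for c in self.consents.values())


class ConsentRegister:
    def __init__(self) -> None:
        self._candidates: Dict[str, Candidate] = {}

    def grant(self, email: str, purpose: str) -> None:
        """Record consent for one purpose only; an existing consent is never widened."""
        cand = self._candidates.setdefault(email, Candidate(email))
        cand.consents[purpose] = Consent(purpose, _now())

    def withdraw(self, email: str, purpose: str) -> None:
        """Withdrawal keeps the timestamped record so you can show when it happened."""
        cand = self._candidates.get(email)
        if cand and purpose in cand.consents and cand.consents[purpose].active:
            cand.consents[purpose].withdrawn_at = _now()

    def restrict(self, email: str, restricted: bool = True) -> None:
        cand = self._candidates.get(email)
        if cand:
            cand.restricted = restricted

    def can_process(self, email: str, purpose: str) -> bool:
        """Gate every use on a live consent for this exact purpose."""
        cand = self._candidates.get(email)
        if cand is None or cand.restricted:
            return False
        consent = cand.consents.get(purpose)
        return consent is not None and consent.active

    def erase(self, email: str) -> bool:
        """Right to erasure: drop the whole record, not just the consent flags."""
        return self._candidates.pop(email, None) is not None

    def purge_unconsented(self) -> List[str]:
        """Remove every candidate with no active consent; return who was removed."""
        gone = sorted(e for e, c in self._candidates.items()
                      if not c.has_active_consent())
        for email in gone:
            del self._candidates[email]
        return gone

    def __contains__(self, email: str) -> bool:
        return email in self._candidates


if __name__ == "__main__":
    reg = ConsentRegister()
    reg.grant("ana@example.com", "vacancy:101")       # constructed sample data
    print(reg.can_process("ana@example.com", "vacancy:101"))  # True
    print(reg.can_process("ana@example.com", "vacancy:202"))  # False: separate vacancy
```

The point to notice is that `can_process` keys on the purpose string, so a consent given for one vacancy never satisfies a check for another, and `purge_unconsented` is the clean-up step for a database of candidates who were never asked or who withdrew.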


Security

Paramount to the whole motivation behind the GDPR is keeping personal data secure.

Your internal processes will face some upheaval to accommodate the GDPR, but normal service will soon resume. The security measures the regulation expects you to have in place, appropriate to the risk, include the following:

  • Encryption (and, where practical, pseudonymisation) of personal data records, at rest and in transit
  • Ensuring the confidentiality, integrity, availability and resilience of your data processing systems
  • If an incident occurs, you can restore access to personal data in a timely manner from tested backups
  • You have a procedure in place to regularly test and evaluate the effectiveness of your security measures

To comply with these areas of the GDPR, keep in mind that any software or process you introduce before 25 May must itself meet these requirements; anything that cannot will have to be replaced or reworked once the regulation applies.


Let us remind you: the GDPR will not spell the end of the recruitment industry! Far from it. Yes, the industry will be affected, possibly more so than others, but the changes are manageable with preparation.

Fortunately, Luminate has a whole host of GDPR content to ease you through the process. You can find some of it in our GDPR Toolkit for Businesses, which includes:

  • An infographic on consent and the GDPR
  • An eBook on GDPR compliance
  • A checklist to help you prepare for the deadline

Download your all-in-one toolkit to prepare for the upcoming GDPR changes.

