GDPR: the general data protection regulation


On 25th May 2018 new rules come into force for how all businesses hold data on people. The rules will be far reaching and are designed to bring the whole of the EU into line with other countries, such as Canada and Australia, which already have these standards in force. This EU regulation is directly applicable, meaning that no UK legislation is necessary. Yes, this is an EU law, and we are still in the EU. It is widely expected that, assuming Brexit goes ahead, the UK will retain these rules in full.


There have been some very high profile breaches of data in recent years, one of the biggest being the Talk Talk/Carphone Warehouse breach a couple of years ago. My own details, I discovered recently, were stored by this company from when I bought my first carphone in 1989. I certainly didn’t mind and there were no problems. However, retaining data for this length of time without permission is soon to be outlawed. Data breaches are still likely to occur even though organisations that hold data will have to show that they have done everything realistically possible to stop them. Data breaches would be far less serious if unnecessary data was not retained.


As the rules will be new, it will be some time before case law develops to show how the courts are going to interpret them. However, it would be very unwise for organisations to ignore them, as the fines for non-compliance are up to 20m euros or 4% of global turnover.

These rules will have serious consequences for the recruitment industry and also for recruitment departments who hold data on job applicants for potential future use. This data can still be retained but employers and agencies will have to obtain permission from the candidates to retain their details. In many cases such consent will be implied. For example, if I send my CV into ABC plc for a job as a store manager, I would have clearly consented for ABC to retain my details during the recruitment process. I would clearly not have given them permission to keep it forever. So, if ABC keeps my details, say for a year and then contacts me again, it is arguable that under the new rules it has retained my data for too long. For sure, if ABC pass my details to another company, even within the same group, it is in breach.

So what should employers and agencies do?

One of the principal requirements will be to appoint a data protection officer within the organisation. In large companies this role probably already exists, but it might be wise for HR departments to have their own. Agencies will normally appoint their IT people or a senior director to assume this role.

The data currently being held should be reviewed and if there is no good reason for retaining it, it should be deleted. For the data that they wish to be held, the organisation should assess whether or not that person has consented for it to be held. Again, there are going to be grey areas.

If all the details that are held are published on LinkedIn, then it could be argued that this information is already in the public domain, so there is no problem. But what if that candidate was interviewed and rejected? If the interviewer's notes are held with the CV, this information may not be in the public domain, and the organisation must assess for how long that information could be retained.

Automated selection or rejection will not be allowed. There has to be some human intervention in the process. So, killer questions on a recruitment website that automatically reject applications will no longer be viable. Similarly, no automated or predetermined tick boxes will be allowed for marketing purposes. Individuals must have the free choice to do this themselves. Some automated decisions will be allowed, but these are largely going to be where authorised by law for purposes of fraud prevention.

The biggest problems for organisations will occur when data is breached, that is to say, when the data is made public either by accident or by hacking. The organisation will have to show that the data they were holding was reasonable. If a CV had been submitted by an agency to a client, then the details of that candidate should only be retained for the period that the CV was under consideration. Clearly, the agency would not have given permission for it to be retained any longer, and in many cases will expressly forbid it. Therefore, recruitment agencies and consultants will undoubtedly have to review their terms and conditions.

It would be unlikely that an individual could claim damages against an employer or agency unless they could prove that they had suffered some sort of loss, for example if the breached data assisted a criminal with identity theft. Therefore, employers and agencies should be very careful about retaining NI numbers and even dates of birth.


1. Take this issue seriously and if you are not clear, take proper advice.
2. Appoint a data protection officer as soon as possible.
3. Review all the data you currently hold and assess: a) do you need it? If not, delete it; b) would you think the owner of those details (the candidate) believes they have consented? If not, you should either obtain that permission or delete it.
4. Think about how much you need to hold. Dates of birth are not necessary and, if you have retained passport details or NI numbers, set up a system where these delete themselves after a reasonable period.
5. Recruitment agencies should include in their terms and conditions that CVs submitted should not be retained by the client any longer than necessary for the purposes of processing for a particular job without the written consent of the agency, and in any event no longer than six months.
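Points 3 to 5 describe a retention review: keep what there is a live reason to hold, strip high-risk identifiers after a short period, delete agency CVs once the vacancy closes or six months pass, and re-confirm consent where it cannot be assumed. The script below is an added illustration of such a review and is not code from the article or its author. The six-month ceiling on agency CVs is taken from point 5; the 90-day window for sensitive fields and the one-year consent re-confirmation interval are assumed values, and the candidate records are constructed sample data.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Policy parameters. Only AGENCY_CV_MAX_DAYS comes from the article (point 5);
# the other two windows are assumptions chosen for illustration.
AGENCY_CV_MAX_DAYS = 182        # "in any event no longer than six months"
SENSITIVE_FIELD_DAYS = 90       # assumption: purge NI/passport/DOB after 90 days
CONSENT_RECONFIRM_DAYS = 365    # assumption: re-ask for consent after a year
SENSITIVE_FIELDS = ("ni_number", "passport_number", "date_of_birth")


@dataclass
class CandidateRecord:
    candidate_id: str
    received: date                # date the CV entered the system
    source: str                   # "direct" (sent by the candidate) or "agency"
    vacancy_open: bool            # still under consideration for a specific job
    candidate_consent: bool       # explicit consent to keep the CV beyond that job
    agency_written_consent: bool  # agency agreed in writing to longer retention
    fields: dict                  # the personal data actually stored


def apply_retention(rec, today):
    """Return (action, fields_to_keep, purged_field_names) for one record.

    action is "keep", "delete" or "reconfirm_consent".
    """
    age_days = (today - rec.received).days

    # Data minimisation: high-risk identifiers are dropped after a short window
    # even from records that are otherwise retained (article point 4).
    kept = dict(rec.fields)
    purged = []
    if age_days > SENSITIVE_FIELD_DAYS:
        for name in SENSITIVE_FIELDS:
            if name in kept:
                del kept[name]
                purged.append(name)

    if rec.source == "agency":
        # An agency-submitted CV may outlive the vacancy only with the agency's
        # written consent, and never beyond six months (article point 5).
        if age_days > AGENCY_CV_MAX_DAYS:
            action = "delete"
        elif rec.vacancy_open or rec.agency_written_consent:
            action = "keep"
        else:
            action = "delete"
    elif rec.vacancy_open:
        # Consent to hold the CV is implied while the application is live.
        action = "keep"
    elif not rec.candidate_consent:
        # Vacancy closed and no explicit consent: obtain it or delete (point 3b).
        action = "delete"
    elif age_days > CONSENT_RECONFIRM_DAYS:
        action = "reconfirm_consent"
    else:
        action = "keep"
    return action, kept, purged


def run_review(records, today):
    """Review every record. Returns ({candidate_id: action}, retained_records)
    where retained records carry only their minimised fields."""
    decisions = {}
    retained = []
    for rec in records:
        action, kept, _purged = apply_retention(rec, today)
        decisions[rec.candidate_id] = action
        if action != "delete":
            retained.append(replace(rec, fields=kept))
    return decisions, retained


# Constructed sample data (not real candidates); review date is the GDPR start date.
TODAY = date(2018, 5, 25)
SAMPLE = [
    CandidateRecord("C1", TODAY - timedelta(days=30), "direct", True, False, False,
                    {"name": "A", "ni_number": "NI-PLACEHOLDER"}),
    CandidateRecord("C2", TODAY - timedelta(days=200), "direct", False, False, False,
                    {"name": "B"}),
    CandidateRecord("C3", TODAY - timedelta(days=400), "direct", False, True, False,
                    {"name": "C", "date_of_birth": "1970-01-01"}),
    CandidateRecord("C4", TODAY - timedelta(days=120), "agency", False, False, True,
                    {"name": "D", "passport_number": "PASSPORT-PLACEHOLDER"}),
    CandidateRecord("C5", TODAY - timedelta(days=190), "agency", True, True, True,
                    {"name": "E"}),
]

if __name__ == "__main__":
    decisions, retained = run_review(SAMPLE, TODAY)
    for cid, action in decisions.items():
        print(cid, action)
```

Running it shows C1 kept with its NI number still present (a live application only 30 days old), C2 deleted (closed vacancy, no consent), C3 flagged for consent re-confirmation with its date of birth already stripped, C4 kept under the agency's written consent but with the passport number purged, and C5 deleted because it has passed six months regardless of any consent.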

Tash Kitsis

Friday, 10 November 2017 at 10:20am
