
GDPR: What Employers and Recruitment Agencies Need to Know
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and introduced strict rules on how organisations collect, store, use, and share personal data. The consequences for non‑compliance are severe, including fines of up to €20 million or 4% of global turnover. Employers and recruitment agencies must review the data they hold, ensure they have lawful grounds to keep it, and adopt robust data‑protection practices.
What Is GDPR and Why Was It Introduced?
GDPR is an EU‑wide regulation designed to standardise data‑protection rules across Europe and bring the EU in line with countries such as Canada and Australia. It applies directly in the UK and is expected to remain in force even after Brexit.
The regulation was introduced in response to a series of high‑profile data breaches — including the TalkTalk/Carphone Warehouse incident, where customer data was retained for decades without clear consent. GDPR aims to prevent unnecessary data retention and reduce the impact of breaches by ensuring organisations only keep data they genuinely need.
Why GDPR Matters
Although case law is still developing, organisations cannot afford to ignore GDPR. The penalties for non‑compliance are significant:
- Up to €20 million
- Or 4% of global annual turnover
(Whichever is higher)
For employers, HR teams and recruitment agencies, GDPR has major implications for how candidate and employee data is handled.
GDPR and the Recruitment Industry
Recruitment agencies and employers routinely hold large volumes of personal data — CVs, interview notes, ID documents, and more. Under GDPR:
- Data can only be retained with consent or another lawful basis
- Consent must be specific, informed, and time‑limited
- Data must not be kept longer than necessary
- Data must not be shared without permission, even within the same corporate group
Example
If a candidate sends their CV to ABC plc for a Store Manager role, they have consented to ABC holding their data for the duration of the recruitment process. They have not consented to ABC keeping it indefinitely or passing it to another company.
If ABC contacts the candidate a year later using the same CV, this may breach GDPR unless the candidate explicitly agreed to long‑term retention.
Key GDPR Requirements for Employers and Agencies
1. Appoint a Data Protection Officer (DPO)
Large organisations often already have one, but HR teams may need their own dedicated officer. Smaller agencies may appoint a senior director or IT specialist.
2. Review All Data Currently Held
Ask two questions:
- Do we need this data? If not, delete it.
- Would the individual reasonably believe they consented to us holding it? If not, obtain consent or delete it.
3. Be Cautious With Sensitive or Identifying Information
Data such as:
- National Insurance numbers
- Dates of birth
- Passport details
should only be kept when absolutely necessary and should be deleted automatically after a reasonable period.
4. Avoid Automated Decision‑Making
GDPR restricts automated decisions that significantly affect individuals.
This means:
- No automatic rejection based on “killer questions”
- No pre‑ticked marketing boxes
- No fully automated selection processes
Some automated decisions are allowed (e.g., fraud prevention), but recruitment decisions must involve human intervention.
5. Manage Data Breaches Carefully
If data is leaked, hacked, or accidentally disclosed, the organisation must show:
- The data held was reasonable and necessary
- Appropriate security measures were in place
- Retention periods were justified
Recruitment agencies must be especially careful. If a CV is sent to a client, the client should retain it only while the application is under consideration, and no longer.
Agencies should update their terms and conditions to reflect this.
Can Individuals Claim Compensation?
Individuals can only claim damages if they can show actual loss, such as identity theft or financial harm. This makes claims less common, but employers and agencies should still avoid retaining unnecessary identifying information.
Practical Advice for Employers and Agencies
- Take GDPR seriously: the fines are substantial.
- Appoint a Data Protection Officer as soon as possible.
- Audit all data you currently hold.
- Delete anything unnecessary or anything you cannot justify.
- Obtain consent where needed and keep records of it.
- Limit retention periods for sensitive data.
- Update recruitment terms to prevent clients from retaining CVs indefinitely.