Recruitment businesses and the new data protection law

  1. Home
  2. Latest
  3. Recruitment businesses and the GDPR

Recruitment businesses and the new data protection law

Recruitment businesses and the new data protection law

The General Data Protection Regulation (“GDPR”) is an EU Regulation that will come into effect on 25 May 2018 and will replace the Data Protection Act 1998. It is the biggest change in data protection law in 20 years and will have a significant impact on those businesses in the recruitment industry.

Key Considerations for Recruitment businesses


The GDPR tightens up the requirements for obtaining consent from individuals in order to obtain and use personal data. Old consents (pre-May 2018) will not necessarily be valid once the GDPR comes into force (25 May 2018 onwards). To be valid, consent must be, freely given, specific, informed and unambiguous. This means those databases which have been developed without correct consents may need to be re-permissioned (i.e. new compliant consent obtained.)

Data retention

Recruitment companies typically keep large amounts of candidate data, typically for an indefinite period of time. Retaining data in this way is arguably not compliant with the current law and is highly likely to fall foul of the GDPR. It is not reasonable to retain data indefinitely in the hope that a role may come up for a candidate at some point in the future. Recruiters will need to review their data retention policies to make sure that they are holding personal data for no longer than is necessary.

Data protection officers

The GDPR requires all businesses to have a data protection officer if they meet certain criteria. In essence this criteria is: does the business undertake regular and systematic monitoring of data subjects on a large scale? Or does the business hold large amounts of sensitive personal data? For most recruitment business the answer is likely to be “yes” to both as they often hold a lot of sensitive personal data regarding candidates. The DPO needs to be a person that holds sufficient expert knowledge to look after the data protection needs of the business.

Security breach reporting

Businesses will be subject to the new compulsory breach reporting requirements. This requires the business to file a report to the Information Commissioner’s Office within 72 hours of suffering a data protection breach. Failure to do so can result in large fines.

Sourcing candidates

Recruiters will also need to consider how they source their candidates. Taking candidate details and contact information from the internet (such as their current employer’s website or Facebook) in order to approach them for a new role, is likely to breach the GDPR and the current law; the risks are amplified by the penalties in the GDPR.


Currently, fines are capped at £500,000 per offence. Under the GDPR, fines are capped at €20m or 4% of group worldwide turnover, whichever is higher.

Our data protection team is working with businesses from all sectors, sizes and turnover to help get them GDPR-compliant. If you would like to find out more about the GDPR, contact Matthew Holman.