Recruitment, GDPR and the DPA 


It’s almost 5 years since GDPR and the accompanying changes to the Data Protection Act came into force.

Still, it remains the case that as soon as you mention GDPR (EU) and the Data Protection Act (UK), many people switch off. 

You know it matters. You know you need to follow the rules. You may have even sat through some not-so-scintillating training on the topic.

If your understanding is still a little hazy, this article is for you.

We will keep it simple, focusing purely on how it impacts in-house recruitment and the data requirements specific to your role.

GDPR/DPA is simply about respecting data and handling it in a way that you’d expect your own data to be handled. The 6 principles are just good common sense.

The DPA has been around for some years, but given the rapidly evolving technological landscape, it was woefully inadequate for present-day requirements.

As with any rules, there are exceptions and it is always worth knowing them. This could be because you work in a regulated industry, or have to adhere to safer recruitment requirements for working with young people and vulnerable adults.

The main question here is: “What specific additional data do we need to collect/process to be compliant?” Examples here would be data on convictions for monetary offences like fraud in banking roles and possessing full employment histories, amongst others.

GDPR/DPA and Recruitment 

Whether you have an ATS for capturing candidates or not, or you use a ‘hybrid’ approach (data protection nightmare), there are some fundamentals that you need to be aware of.

In an ideal world, you’ll have a Data Protection Officer (or equivalent) who has done the leg work for you.  Larger companies will have whole departments for compliance and Information Security.  They should do the due diligence around recruitment, especially if you use an ATS.  But that isn’t always the case. 

It is essential that you have appropriate policies, processes and technical measures in place. 

If you think about a privacy policy, it has to have certain content, so we’ll use this as a way of working through things. 

Beyond the basics of who you are and the appropriate contact details – for example, a DPO – we can ignore the opening paragraph of a policy with the exception of knowing your role in the process. You are the Controller (you’re stating what you want and how you want it).  If you use any technology – for example, an ATS – the provider of that is a Processor. 

Legal Basis 

There’s still a common misunderstanding around consent; what it is, and where it’s essential. 

In simple recruitment terms, we just don’t need it if we’re collecting only basic identifiable data (name, email, address, etc.) and information to support an application, e.g. a CV and/or answers to questions.

Many people rely on either Contract (with a view to forming a contract of employment) or the slightly broader basis of Legitimate Interest (there is a legitimate business interest in collecting the data for employment suitability).  Neither of these means we need some form of consent or tick box.  Legitimate Interest has to satisfy three tests to be used (see the ICO website for those).  Therefore, because we don’t need the candidate’s permission, you are free to process the data within the realms of what you have stated further down your policy.

Things get a little bit more complicated (but not much) if you are also collecting special categories data.  This IS where you need consent.  But this can be in the form of a tick box for some options, or a ‘do not wish to disclose’ option whereby the candidate can opt in to answer specifically e.g. with an age bracket or opt out with the ‘do not wish to disclose’.  We’ll come on to what you are collecting next. 

What you’re collecting, from whom, why, how long do you need it for, who will access it, and through what methods.

It’s vital that you only collect what you need for the purposes you state.  No more, no less! 

Don’t be too vague either.  “We may collect this and we may collect that” is your way of covering yourself, but it isn’t best practice.

As part of this, you need to work with your DPO or equivalent (if possible) and map out what you want to collect, why, and what happens to it along the way.  This is often referred to as a data flow diagram or data mapping.

Things to think about: 
  • The beginning, middle and end of the recruitment process – what do you need and when? E.g. someone’s NI number isn’t needed at application stage.  Right to work for interviews – where will that be stored? Onboarding – bank details, HMRC new starter checklist.
  • Connecting software – HR system, third-party video interview software, etc.  Where do they store data?
  • Where and how do you store the data in the office environment as well as in any software?
  • Data retention – how are you going to dispose of it and when?  Will everyone be on the same timelines, or will unsuccessful candidates be dealt with sooner?  You have to state how long you will keep it for, and it has to be relevant and reasonable (legislation may also determine duration).
  • Reporting – what stats do you want to get, especially around ED&I?
  • Do you have any pledges – Armed Forces Covenant, Disability Confident, % gender/ethnicity/LGBTQ+ for some or all roles?  How will this manifest itself and who should see it?  Many of these are often put under the umbrella of the Rooney Rule.
  • Convictions – can they/must they be asked for?

Mitigation of any risk to the data is everyone’s problem (after all, we’re all responsible in the eyes of the law).  But effective training and best practice for the human elements will generally get this to an acceptable or ‘no risk’ level.  Anything tech related should come from your IT or InfoSec team – talk to them.  They won’t bite.

So, now you know what you want and why, this could be summed up quite easily: 

E.g. As part of the recruitment process via an online application form, we will collect the following information, so that we can establish your suitability for the post, and to be able to contact you during the process:

  • Name 
  • Address 
  • Email 
  • Tel 
  • CV and answers to any questions along with any other information you provide in support of your application in a statement 

We also collect special categories data for reporting purposes, so that we can ensure we have a diverse workforce. 

At this point, if you do have any pledges, now is the time to mention them, with justification as to why, e.g. “we are looking to improve diversity within our Senior and Board roles by employing more people who are …, as we are statistically under-represented in these areas.”  Alternatively, this could be placed in your application form.

Rights and complaints are pretty standard, so we can leave those as a given ‘footer’ to any policy. 

Frequently Asked Questions

Q. What’s the score with agency candidates? 

A. An agency should be specific about where data is going.  “A large retailer in the North” isn’t good enough.  They only have a limited time to inform the candidate of where their data is going/has gone to.

The Agency is a Controller for their own database, but a Processor for you. 

The assumption is that anyone at the agency may be involved in recruitment and should know how to handle data.  You should have a compliant agreement in place. 

Q. Can I share CVs and applications internally, even if it’s for a different job? 

A. Yes, you can share CVs/data internally (agency or no agency).  The understanding would be that anyone there could see it, not just say the recruiter or specific hiring manager.  The assumption being that everyone is ‘signed up’ to handling data correctly.  If it was going overseas, that could be a different matter.  But as far as the candidate is concerned, their data will be handled correctly by you, the company.  

From a best practice point, the client should tell the agency or direct candidate that they are also considering them for another role and actually, would they be interested.  Otherwise, it’s wasted time on both sides, plus you’re sending data around needlessly. 

Q. What’s the best way to send applications to Hiring Managers? 

A. If you use an ATS, try and keep everything in there.  Provide access on a need-to-know basis.

If you get applications into an inbox, e.g. from Indeed, Totaljobs or other means, then make sure you all have deletion rules set on email folders.  The same should be done for Downloads folders via Active Directory (your IT team can set this).

If you then forward applications, make sure your Hiring Managers know the rules. 

If you still receive paper-based applications, scan and email, and then destroy the original where applicable. 

Never send to private email addresses or anyone outside of your company (unless permission has been obtained or your privacy policy says who). 

And please please please, make sure any printed out versions of CVs, applications and paper notes e.g. interview notes get properly disposed of (shredded) as soon as they are done with.  If interview notes need to be scanned and stored, then make sure that is done as soon as possible. 

Q. Do I need a third-party processor agreement if using other tech? 

A. You need a GDPR/DPA compliant contract/terms with any tech vendor you use where they are processing data on your behalf.  An additional third-party processor agreement (beyond the contract) is often a waste of time and a tick box exercise.  Invariably, you’re trying to shoehorn in your favourable indemnity terms that aren’t actually required.  The legislation is clear on who is accountable in the event of something going wrong and what you can do when fault is proven, so getting into legal wranglings over this can just slow down the whole process, especially if you are starting from scratch or with new providers of software.   

The only time you need a TPPA is if your contract/terms were done pre-2018 and aren’t therefore compliant.  Then a simple agreement or addendum stating the responsibilities of a Processor (which they then sign) is required.

Q. What happens if we have a breach/get things wrong? 

A.  If you have a DPO, they will know what to do.  Always follow any internal processes.  Don’t panic and go telling the ICO or the candidate/data subject straight away.  It may not be required and it may not be your responsibility to tell them. 

Facts and evidence (dates, events) are key and need to be recorded accurately. 

Q. What if we recruit in other countries? 

A. Most companies that have branches in other countries have ‘Binding Corporate Rules’ that the staff in those countries adhere to.  You may also have offices in countries that have pre-existing agreements or adequacy decisions.  It comes down to treating the data with respect and having appropriate policies, processes and technical measures in place.

Q. Are there any silver bullets for GDPR/DPA? 

A. Only that common sense prevails!  If in doubt, ask.  And always think, how would I like my data to be treated?   

Also remember that there is other legislation that governs the way you do things e.g. The Human Rights Act 1998. 

The ICO has a good chat facility, but they aren’t always great with very specific requests.  They tend to bring it back to the logic of an article/rule without the nuance of your specific issue.

Did you know we provide GDPR training? We are also happy to discuss specific queries in the portal. Just tag Rob Baker.  He’s The Firm’s Training and Solutions Manager and a Certified Data Practitioner.
