What Is GDPR and How Does It Impact Recruitment Agencies?

GDPR stands for General Data Protection Regulation, but you’d be forgiven if you thought it stood for Grief and Dismay for Panicked Recruiters. GDPR doesn’t have to be a source of stress for recruitment agencies, however. If you’re prepared and well-informed, you can be ready for GDPR and make positive changes to your business in the process.

Lucy Kendall, Director and GDPR Advisor for ComplyGDPR, presented a webinar on the basics of GDPR for recruitment agencies. Here are some of the top takeaways.

What’s the Purpose of GDPR?

While GDPR is on the surface about data protection, it’s really about protecting the rights of people. Data privacy is a human rights issue. GDPR is the latest effort to enforce these privacy rights.

Since the enactment of earlier regulations (like the Data Protection Act of 1998), the power imbalance of data control has only worsened, with individuals finding themselves with less and less control of who has their data. GDPR is intended to right this.

Who Has to Comply with GDPR?  

GDPR affects all companies with offices in the EU and any companies processing the data of European residents irrespective of where they are in the world.

What About Brexit?

Brexit will not change UK recruitment agencies’ obligations to comply. The UK is a part of the EU at the enforcement date and will continue to be subject to GDPR regulations.

GDPR IS Coming

Those who are hoping GDPR will just go away are out of luck. GDPR is effective May 25th, 2018.

What Is GDPR, Really?

The heart of GDPR is the individual and their rights, specifically the right to control their own data, which includes the right to transparency, the right to erasure and several other data-related rights. (For a more in-depth breakdown, see the webinar recording.) Here are some important rights for recruitment agencies to consider:

Right to Transparency: Every individual who has their data processed has a right to know that you have it—the right to be informed. It’s up to businesses (like recruitment agencies) to communicate what is held, why, and how it will be used.

The Right to Access: Every individual has the right to see what data your business is processing. Businesses will have 30 days to comply with such requests. This includes EVERYTHING you’re processing, including hard and soft copy.

What GDPR Responsibilities Do Recruitment Agencies Have?

Which parts of GDPR most apply to recruitment agencies? What do recruiters need to do? Here are some of the responsibilities recruitment agencies would be wise to comply with by May 25, 2018.

  • Keep data up to date and hold it no longer than is necessary.
  • Have a legal basis for processing data.
  • Monitor and report breaches within 72 hours.
  • Take technical measures to protect data—security precautions to prevent breaches.
  • Take organisational measures to protect data—organisational policies and training in place to ensure proper data protocol is followed.

What Does GDPR Require Your Agency to Do?

Here are some tangible expectations for businesses to illustrate their GDPR compliance.

Audit: Assess the risks that you create for others in processing their data: candidates, clients, and employees.

Action: Mitigate the risks that you create for others in processing their data: safeguarding, training, and data cleansing.

Document: Be able to demonstrate the steps you took. Documentation is very important.

Ultimately, GDPR is not asking you to be perfect; it is asking you to do enough to demonstrate that you respect, value and protect the personal data entrusted to you.


Want to learn more about GDPR? Register for part 2 to learn about the sticky issues for the recruitment industry.
