Post-GDPR, the question on many in-house recruiters’ lips (after ‘phew’) will be: ‘What’s next?’

We’ve said before that work wouldn’t stop after the 25th May. After the initial push to meet the new legislative requirements, the focus now is on maintaining strong, sustainable and secure Data Protection measures in our workplaces.

This is the post-GDPR to-do list for in-house recruitment teams…

  1. Review your application process

By now, you should have identified your legal basis for processing personal data for recruitment purposes, and updated your application steps as a result. Perhaps you’ve added a checkbox to obtain consent or displayed a link to your privacy statement when candidates apply for a role.

In meeting your data controller responsibilities, make sure you have not unwittingly compromised your candidate experience. Now the dust has settled after GDPR, take the time to look at your application process with fresh eyes to really get a feel for your candidate journey. Ask your team members for feedback to understand if there are any tweaks or improvements you can make.

If you’re obtaining consent, is your consent statement clear enough? Is a link to your privacy notice in a prominent enough position? Are you gathering too much personal data at the beginning of your application form – information that could be saved for later in your hiring process?

  2. Establish a data subject access request procedure

If somebody submits a request to access, edit or erase their personal data, you need to be able to respond efficiently, ‘without undue delay and within one month of receipt’ (ICO).

To do this, it’s important that you have a formal data subject access request policy and procedure, and that your team members understand what role they need to play in actioning requests.

Can you answer ‘yes’ to the following statements?

  • It is simple for a data subject to make a request about their personal data through our website or over email.
  • Once we receive the request, we know who should action it.
  • We can easily locate the information a data subject is asking about and can tell them what data we are holding, how long we will store their personal data for and why we are processing it (our legal basis for processing).
  • We can amend the subject’s data based on their request, e.g. to edit, restrict processing or erase.

  3. Set up an ‘archiving process’

One of the core principles of the GDPR is ‘storage limitation’, and as such you should have identified a data retention period for holding candidate information.

So, what should you do with data when you’ve exceeded your data retention period?

We’ve used the term ‘archiving’ here, but you may need to delete or anonymise data depending on your circumstances.

If you are using an Applicant Tracking System (ATS), your provider should already have given you a way to manage your data retention. In Hireserve ATS, for example, the system automatically flags when a candidate is nearing their data retention expiry date. You can re-engage them if you want to continue holding their details in a talent pool, or the system can automatically remove them, either deleting their information altogether or anonymising their records.

For in-house recruitment teams, anonymisation may be a more sensible option than deletion as it means you can still run diversity reporting, for example, just with personally identifiable data removed.

If you are not using an ATS, you may need to set up calendar alerts for regular data retention reviews, or rely on clever Excel formulas to identify when candidate data is reaching its limit.
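As an added example (not Hireserve’s code and not part of the original article), the following Python script shows how such a retention review could be run over a flat list of candidate records instead of relying on calendar alerts or spreadsheet formulas. The candidate records, field names, 180-day retention period, 30-day warning window and review date are all assumptions for illustration. The script flags records approaching expiry so they can be re-engaged, and either anonymises expired records (keeping only the fields needed for aggregate reporting, such as diversity figures, as described above) or deletes them outright.

```python
"""Retention review for candidate records kept outside an ATS.

Added example, not the page's or Hireserve's own code. The record layout,
retention period, warning window and sample candidates are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Fields that identify a person: stripped when a record is anonymised.
IDENTIFYING_FIELDS = ("name", "email", "phone", "cv_path")
# Fields kept after anonymisation for aggregate (e.g. diversity) reporting.
REPORTING_FIELDS = ("role", "gender", "ethnicity", "outcome")

# Constructed sample data for the example; review date is assumed.
REVIEW_DATE = date(2018, 9, 1)
SAMPLE_CANDIDATES = [
    {"name": "Alice Example", "email": "alice@example.org", "phone": "0117 000001",
     "cv_path": "/cvs/alice.pdf", "role": "Developer", "gender": "F",
     "ethnicity": "White", "outcome": "rejected", "last_activity": date(2018, 1, 10)},
    {"name": "Bob Example", "email": "bob@example.org", "phone": "0117 000002",
     "cv_path": "/cvs/bob.pdf", "role": "Developer", "gender": "M",
     "ethnicity": "Asian", "outcome": "talent_pool", "last_activity": date(2018, 3, 20)},
    {"name": "Carol Example", "email": "carol@example.org", "phone": "0117 000003",
     "cv_path": "/cvs/carol.pdf", "role": "Recruiter", "gender": "F",
     "ethnicity": "Black", "outcome": "interview", "last_activity": date(2018, 8, 15)},
    {"name": "Dave Example", "email": "dave@example.org", "phone": "0117 000004",
     "cv_path": "/cvs/dave.pdf", "role": "Recruiter", "gender": "M",
     "ethnicity": "White", "outcome": "rejected", "last_activity": date(2018, 3, 5)},
]


@dataclass
class ReviewResult:
    expiring_soon: list[dict]  # inside the warning window: re-engage or let expire
    anonymised: list[dict]     # past retention, identifiers stripped
    deleted: list[dict]        # past retention, removed entirely
    retained: list[dict]       # still within the retention period


def anonymise(record: dict) -> dict:
    """Return a copy holding only reporting fields.

    Identifiers are dropped, not hashed: a reversible or linkable token would
    be pseudonymisation, which the GDPR still treats as personal data.
    """
    return {k: record[k] for k in REPORTING_FIELDS if k in record}


def review_retention(records: list[dict], today: date, retention_days: int = 180,
                     warning_days: int = 30, anonymise_expired: bool = True) -> ReviewResult:
    """Sort records into retained / expiring soon / anonymised or deleted.

    A record has expired once its last activity is `retention_days` or more
    before `today`; it is 'expiring soon' in the `warning_days` before that.
    """
    result = ReviewResult([], [], [], [])
    cutoff = today - timedelta(days=retention_days)      # expired on or before this
    warn_from = cutoff + timedelta(days=warning_days)    # warning window starts here
    for rec in records:
        last = rec["last_activity"]
        if last <= cutoff:
            if anonymise_expired:
                result.anonymised.append(anonymise(rec))
            else:
                result.deleted.append(rec)
        elif last <= warn_from:
            result.expiring_soon.append(rec)
        else:
            result.retained.append(rec)
    return result


def run_sample_review() -> ReviewResult:
    """Run the review over the constructed sample with the assumed settings."""
    return review_retention(SAMPLE_CANDIDATES, REVIEW_DATE)


if __name__ == "__main__":
    r = run_sample_review()
    print("Expiring soon:", [c["name"] for c in r.expiring_soon])
    print("Anonymised:", r.anonymised)
    print("Retained:", [c["name"] for c in r.retained])
```

Two caveats apply whichever tool you use. First, anonymisation must be irreversible: dropping the identifiers, as above, is anonymisation; replacing them with a hash or an internal ID that can be linked back to the candidate is pseudonymisation, and pseudonymised data is still personal data under the GDPR. Second, even with identifiers removed, very small groups in the reporting fields (a single applicant of a given ethnicity for a given role) can still single someone out, so check group sizes before publishing diversity figures.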

  4. Train your people

Strong Data Protection practices start with your team members.

Staff need to be mindful of how and why they process data, and ensure that they do not exceed your organisation’s data retention period when storing information.

From an information security perspective, team members should also be mindful of setting strong passwords and of the risks of holding candidate data, whether on paper or digitally. They should be aware of the importance of keeping a clear desk policy and ensuring that their anti-virus and other endpoint software are kept up to date. It sounds simple, but these kinds of habits are often overlooked, and their value needs to be reinforced at regular intervals.

Ongoing Data Protection training should be scheduled for all team members, from those who regularly access sensitive or confidential data through to those whose day-to-day processes and awareness just need a refresher course.

You should also ensure that your Data Protection policies and procedures, and all relevant documentation, are accessible to your people.

  5. Schedule an annual review of Data Protection

This is likely to be an organisational-level review but you may also find it valuable to schedule an annual Data Protection review for your in-house recruitment team. How are your policies and procedures standing up over time? Do you need to invest in some new people training or education? And have you noticed any benefits (or, indeed, negative results) of the changes you implemented for the GDPR?

Data Protection should be an ongoing priority for in-house recruitment teams, so do ensure you make time to formally review and assess the impact it has on your organisation, and the next steps you may need to take.


Life for in-house recruiters in a post-GDPR world may throw up the odd challenge, but ultimately it is paving the way for us all to maintain fairer, stronger and more secure data handling processes.

About the author

Tristan Potter

Tristan has a decade's worth of experience writing content and copy for organisations across Bristol and the Southwest of England. He has written on a diverse range of topics, including technology, philosophy, politics, and recruitment. His writing has appeared in The Drum, HR Grapevine, and The Guardian, among other publications. He joined Hireserve in March 2022.