Under the current Data Protection Act (DPA), individuals already have a number of rights relating to their personal data.

The GDPR will strengthen some of these existing rights, and introduce some new ones too.

What does this mean for in-house recruitment teams?

When the GDPR comes into effect on 25 May 2018, you will need to make sure you are aware of your candidates’ rights in relation to their personal data.

Crucially, you will also need to ensure that your team has processes in place to manage candidate requests effectively, and in line with the GDPR requirements.

Your candidates will have the ‘right to be informed’

When you collect and process individuals’ data, you must ‘provide fair processing information’ to them.

One of the most effective ways to do this is through your privacy notice. Your privacy notice must be written in plain language and should include transparent details about how you process personal data. For a checklist about what to include in your privacy notice, turn to page 6 of your GDPR guide.

If you are collecting information from candidates directly, e.g. through an online application form, you must ensure they can easily access your privacy notice on your careers site.

If you have obtained candidate data indirectly, for example from a recruitment agency or through social media sourcing, you must contact the candidate(s) in question within one month at the latest to inform them that you are now processing and storing their data, where you obtained it from, and why. Include a link to your privacy notice in this communication.

Action points:

  • Review your privacy notice and ensure it includes all the information required by the GDPR.

  • Is your privacy notice clearly accessible to candidates on your careers site?
  • Do you have a process in place to contact candidates whose personal data you receive indirectly, within one month?

Your candidates will have the ‘right of access’

Under the GDPR, your candidates will have the following rights: to obtain confirmation that their data is being processed, to access a copy of their personal data, and to receive supplementary information about that processing (such as the purposes, the recipients, and how long the data will be retained). These rights should sound fairly familiar, as they are similar to existing ones under the DPA.

The GDPR will introduce two significant changes, however.

Under the DPA, you could charge a £10 subject access fee to candidates. The GDPR, on the other hand, states that you must provide any requested information free of charge. There are limited instances when you can charge a ‘reasonable fee’, for example where a request is manifestly unfounded or excessive, or where a candidate asks for further copies – check out the ICO guidance for more information about this.

The second change is that the GDPR has introduced a shorter response time to comply with access requests from candidates. You will have to provide the requested information without undue delay, and in any event within one month of receiving the request (this can be extended by a further two months for complex or numerous requests, provided you tell the candidate why within the first month).

Action points: 

  • Review your current processes: If you received an access request from a candidate, could you quickly and easily locate their information and respond to their request?
  • Do you verify who is asking before you release anything? The GDPR allows you to request additional information to confirm the identity of the person making the request where you have reasonable doubts, and sending a candidate’s data to the wrong person would itself be a personal data breach.
  • Does your candidate have a secure way of accessing their personal data – such as through an authenticated self-serve candidate portal, rather than an attachment emailed to an unverified address? If not, consider exploring this option.

Your candidates will have the ‘right to rectification’

If a candidate asks you to correct or update their personal data, you must do so within one month. If you have shared the personal data with third parties (for example a recruitment agency or a background-checking provider), you must also inform them of the correction, unless this proves impossible or involves disproportionate effort.

Action points:

  • Review the way you hold personal data – could you quickly and easily rectify a candidate’s information if you received such a request?
  • Explore options for allowing candidates to update their own information, e.g. through a candidate portal.

Your candidates will have the ‘right to erasure’

This right may be better known by its other name: ‘the right to be forgotten’.

Essentially, your candidates can request the deletion of their data. The GDPR sets out a list of reasons why individuals can ask for their personal data to be removed, which you can find on the ICO website.

You’ll also find a list of circumstances in which you can refuse an erasure request in the ICO guidance.

Action points: 

  • Familiarise yourself with the reasons and circumstances for erasing and refusing to erase your candidates’ personal data.
  • Review your processes – should you always delete data, or should you consider minimisation or anonymisation in some cases? Bear in mind that only truly anonymised data falls outside the GDPR; data that has merely been pseudonymised (e.g. candidate records keyed by an ID that your team can still link back to a name) is still personal data.
  • Consider how you will report on actioned erasure requests, should you ever be audited.

There are four other rights that your candidates will have under the GDPR: the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling.

These start to get a little more complex, particularly around ‘data portability’ and ‘automated decision making and profiling’ (the latter is relevant if, for example, your system automatically screens out applicants without human review). To find out more about these rights, we highly recommend the ICO’s guidance.

The next step for you and your colleagues is to begin reviewing your processes.

If you’re using an applicant tracking system (ATS), are you confident that it will support actions like updating candidate information, exporting or deleting a candidate’s data, and recording requests and the dates they were received and completed?

And if you’re managing your recruitment through spreadsheets, do you have strong enough manual processes in place to respond to candidate requests quickly and easily?

Education across teams is also essential, so ensure you discuss your responsibilities around candidate requests with your colleagues.

Find out more

GDPR preparation: Where do you begin?

How will the GDPR affect your talent pools?

Are you aware of the GDPR’s core principles?
Disclaimer: The information in this blog post concerning technical legal or professional subject matter is for guidance only, and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter.

About the author

Tristan Potter

Tristan has a decade's worth of experience writing content and copy for organisations across Bristol and the Southwest of England. He has written on a diverse range of topics, including technology, philosophy, politics, and recruitment. His writing has appeared in The Drum, HR Grapevine, and The Guardian, among other publications. He joined Hireserve in March 2022.