This is not a complete ‘to-do’ list, but it’s a good start.

If you’ve ticked everything off already then you’re likely to be in excellent shape. If not, use it as the starting point of your GDPR action plan.


  • Yes, we have undertaken our data mapping exercise

Think about all of the personal data entering a typical in-house recruitment function. Direct applications and CVs, agency-submitted candidates, social sourcing and referred candidates…

A data mapping exercise is the process of understanding and documenting the data flows of an organisation. You’ll need to think about every element of your hiring activity and then document how, when and where you collect and process personal data at each step.

Ideally, this activity should be the first step in your GDPR action plan.


  • Yes, we know what to put in our privacy notice

Transparency is a key principle of the GDPR, so there will be a much greater emphasis on your privacy notices next year.

In-house recruitment teams should make sure that their privacy notice is accessible to candidates. You should use this statement to be utterly transparent about how, why, when and where you will be collecting, storing and processing candidates’ personal data.

The GDPR sets out a list of information you need to include in your privacy notice. Turn to page 6 of your In-house Recruiter’s Guide to the GDPR (or download it here) for more information.


  • Yes, we have identified our legal basis for processing

Under the GDPR, you need a legal basis for processing personal data.

The GDPR sets out six legal bases, and you need to identify which is the most appropriate for your purposes. You will then need to document this in your privacy notice.

Be aware that there are different considerations for public authorities, and there are also alternative legal bases for special category data. The ICO has a goldmine of information about this which is worth a read.


  • Yes, we have undertaken a data retention assessment

An in-house recruitment team is likely to store a significant volume of candidate data in talent pools for future roles or other purposes.

The GDPR does not set out any data retention limits or timeframes, so organisations will instead have to identify what they believe is an appropriate retention period. To do this, in-house recruitment teams should undertake a data retention assessment. Assess the potential risks of storing data against the business purpose and benefit, keeping in mind your candidates’ rights and what is fair to them.

Following this, organisations should draw up a clear data retention policy.


  • Yes, our team is on board

The GDPR will impact almost every single business function and department in an organisation. It needs to be high on the agenda of board meetings and, longer term, organisations should schedule annual GDPR reviews.

It is essential to ensure that the GDPR is a priority across your organisation, right from your Board of Directors to your Apprentices. Ensure you have a steering team in place to drive key actions and liaise between different departments.

As we approach the GDPR coming into force, you will also need to consider how you are going to educate your team and ensure that data protection and the core principles of GDPR remain a responsibility for all roles.


  • Yes, we have talked to our technology providers

If you’re using technology like an ATS (Applicant Tracking System) or any other third-party platforms such as video interviewing or psychometric testing, make sure you talk to your providers in good time to understand how they will support you.

If you’re not using an ATS or recruitment CRM, it may be time to consider investing in technology. If you are audited or need to action a candidate request, manual processes and spreadsheets may not be suitable to help you meet GDPR requirements.

If you’re going through this checklist and haven’t ticked them all off, don’t panic!

There is still time, and with a clear action plan in place and buy-in from your team, you should be in a good position to put measures in place ahead of the GDPR. The ICO is probably not going to slap fines on organisations the moment the clock strikes midnight on the 25th May – but you do need to demonstrate that you are implementing secure, sustainable and fair data processes and that you are making every effort to meet your responsibilities.

Find out more

Download your comprehensive In-house Recruiter’s Guide to the GDPR

Need some jargon-busting? Infographic: GDPR key terms

Do you know your candidate rights under GDPR?

Disclaimer: The information in this blog post concerning technical legal or professional subject matter is for guidance only, and does not constitute legal or professional advice. Always consult a suitably qualified lawyer on any specific legal problem or matter.

About the author

Tristan Potter

Tristan has a decade's worth of experience writing content and copy for organisations across Bristol and the Southwest of England. He has written on a diverse range of topics, including technology, philosophy, politics, and recruitment. His writing has appeared in The Drum, HR Grapevine, and The Guardian, among other publications. He joined Hireserve in March 2022.