GDPR and in-house recruitment

The new EU General Data Protection Regulation (GDPR) is looming and it will have an impact on the way in-house recruitment teams collect, track and process their candidate data.

We’ve collected a range of resources to help you prepare, from useful articles and guidance to advice on making sure each element of your hiring process is compliant.

Latest resources

What should you do first?

Our first steps for your GDPR compliance action plan.

Read the post

Do you know your key terms?

A quick run down of GDPR jargon in an infographic.

GDPR definitions

How can you manage talent pools?

Under the GDPR you’ll need to review your talent communities.

Find out more

What is the GDPR?

The EU General Data Protection Regulation (GDPR) is a set of laws intended to improve data protection for individuals in the EU.

In a nutshell, it means tightening processes around collecting, storing and managing personal data.

For in-house recruitment teams, a key area of focus will be transparency. When candidates apply for a role with you, you will need to be upfront and clear about why you collected their data, how you will process it, and for how long you will store it.

There’s a lot to take in and it’s important that employers and in-house recruitment teams are prepared well in advance of May 2018, as the penalties associated with breaking the new regulations are severe.

We’re here with some guidance and ideas to help you get started on your journey to GDPR compliance.


New post: Your ATS provider

‘As an in-house recruiter, it’s likely you work with a variety of third parties, including your Applicant Tracking System provider…but what role will they play in the GDPR?’

In this new blog, learn what obligations your ATS provider has under the new regulation, what questions you should be asking them now and where you can find further information about the GDPR…

Read the post now

Practical steps to prepare for the GDPR

There are two key steps you and your colleagues should undertake as soon as possible, to get ready for GDPR compliance.

Undertake a data mapping exercise

A data mapping exercise is the process of identifying, processing and mapping out the data flows of your organisation.

This is a complex process, particularly for organisations with multiple systems and technology platforms in place.

Think about the journey your candidates’ data will take, from the moment it enters your organisation. You should also document what information you collect about candidates at each stage of your recruitment process, and document how your organisation(s) use that data.

As part of becoming GDPR compliant, you will need to define your organisation’s legal bases for processing candidates’ information. You should define and document these legal bases during your data mapping exercise.

Review your privacy notice

As transparency is a key theme of the GDPR, your privacy notice(s) will take on greater significance.

Your privacy notice should be easily accessible to candidates on your careers site, and you should use it to state very clearly what personal data you will collect and how you will process it. You also need to include:

  • Your organisation’s identity and contact details
  • The purposes and legal basis for processing
  • Details on other recipients and cross-border transfers
  • How long you will store data for
  • Your data subjects’ rights
  • The existence of any automated decision-making

New infographic

Do you know the core principles of the GDPR?

Data Protection announcement

What does the new Data Protection Bill mean for GDPR?

The Government recently released a statement of intent announcing a new Data Protection Bill in the UK.

Upon hearing the announcement from Matt Hancock, Minister of State for Digital, many organisations may have questioned how the General Data Protection Regulation (GDPR) fit in with this new UK bill.

In this short post, we’ve explored the statement of intent in a little more detail, including the impact of Brexit and the role of the GDPR and the Data Protection Act.

Read it now: Data Protection vs. GDPR

The In-house Recruiter’s Guide to GDPR

Download your companion to GDPR compliance.

How will the GDPR impact your recruitment activity?

Your application forms

Each time you collect a candidate’s information, you need to ensure they can easily access your privacy notice.

You could include a link next to your application form, or perhaps make use of mechanisms like ‘just in time’ notices.

Remember, if you are collecting ‘special category data’, you must gain explicit consent from the candidate to process and store it.

Your talent pools

In your privacy notice, ensure you clearly explain how long you will store candidate data in talent pools and how you will process it.

You will need to make sure your organisation has clear data retention policies, and that your colleagues are aware of them.


Your candidates’ data rights

When the GDPR comes into effect, data subjects (i.e. your candidates) will have wider rights.

For in-house recruitment teams, you’ll need to ensure you have processes in place to recognise and action candidate requests or complaints about their data.

You also need to review your security and data breach processes, from the way you report them to how you notify candidates.

GDPR key terminology

In the context of in-house recruitment, what does some of that GDPR legal jargon mean?

  • Data processing: In the in-house recruitment industry, this could range from screening candidate CVs to building talent pools in your ATS. Essentially, processing means every way that you use data.
  • Data controller: In this context, you!
  • Data processor: Any person/organisation acting on your behalf. So in the recruitment industry, this could be your ATS provider, for example, or psychometric testing partner.
  • Data subject: Your candidates, in this context.



Working with agencies

As a responsible employer, you should make sure the recruitment agencies you work with are GDPR compliant.

It may be sensible to start conversations with agencies on your PSL now, in order to understand how they will adapt their processes in order to adhere to the new regulations.

This approach should also be taken with third parties such as HR & Recruitment technology and service providers.


How you can prepare

Infographic: how you can prepare for the GDPR.

Your candidate communications

If you send emails to candidates, you’ll need to include a clear ‘opt-out’ option at the bottom of each email (you should do this already under the Privacy and Electronic Communications Regulations).


You should consider linking to your privacy notice in every candidate communication too.

You will also need to implement a way for candidates to contact you with requests or complaints about their personal data.

Useful links for further reading

Data protection guidelines

Trusted advice from the Information Commissioner’s Office (ICO)

REC resources

Information from REC experts to help you navigate GDPR.

Are you ready for the GDPR?

In depth: How to prepare for GDPR, from legal firm Osborne Clarke.

The In-house Recruiter’s Guide

Register for our guide to GDPR & in-house recruitment, available soon.

Disclaimer: Please note that all information on this page is intended to be for informational purposes only, and should not be taken as legal or professional advice. We would always recommend that you consult a qualified legal professional ahead of the GDPR.
