How can your recruitment agency prepare for GDPR?

The looming General Data Protection Regulation (GDPR), which applies from the 25th May 2018, has caused a fair amount of fuss among recruitment agencies, amid much fretting about what it all means in practice and how heavy the penalties could be for non-compliance.

Is GDPR a burden that your company could do without?

The good news is that the comprehensive series of data privacy legislation that comes under the banner of GDPR, and which will apply to all businesses and individuals residing in the European Union (EU), doesn’t impose too many new demands on your firm.

Indeed, you can even make the new regulations work to your agency’s advantage. Recruitment agencies that take the opportunity to beef up their data security policies can better protect themselves against the financial and reputational damage that can result from non-compliance or breaches. In the process, such agencies will also be able to inspire more trust from their customers.

One thing that your recruitment agency certainly can’t do about GDPR, however, is ignore it. Your agency is a data business like any other, so what can you do now to prepare for the changes?

What GDPR means for you and your candidates

GDPR has been conceived with the aim of protecting the rights of the EU’s 750 million citizens with regard to how their personal information is used.

One effect it will have for your recruitment agency will be that from May 2018, you will need to secure explicit consent from your candidates, or at least demonstrate a legitimate interest, to collect and use their personal data. Candidates will be able to object to their data being processed for profiling purposes, as well as request the deletion of their data when it is no longer required.

The steps that you need to take now

It’s vital at this point to educate yourself and everyone in your agency on what needs to be done in preparation for GDPR.

You may be required to appoint a ‘Data Protection Officer’, who will formulate an overall plan of action to ensure compliance with the regulations. If your agency carries out large-scale systematic monitoring of individuals, or large-scale processing of special categories of data or data relating to criminal convictions and offences, then you need to find yourself a Data Protection Officer soon.

This will need to be followed by the process of mapping out your exposure, whereby you consider every way a candidate provides your agency with their personal information. How is such information presently being collated and stored by your agency, and where are the places where your agency is responsible for holding candidate data, or where candidate consent will be required?

If you are to keep on top of your agency’s GDPR requirements, there will almost certainly be a need to centralise and simplify your data management.

Once your current data processes have been audited and some areas for potential improvement identified, you will be able to start assembling some basic candidate terms of use or engagement. This should cover such aspects as how your agency stores candidate information, for how long this information is kept and what rights your candidates have to access their data.

It will also be necessary to review your agency’s current data policies and privacy information. This shouldn’t be too difficult if you are already compliant with the Data Protection Act (DPA), to which GDPR is effectively an update. Nonetheless, it’s something worth doing with the new GDPR requirements in mind.

Don’t feel too overwhelmed by all things GDPR! 

With the above being a mere ‘crash course’ in what GDPR means for your recruitment agency, it is important not to underestimate the challenges involved in ensuring compliance.

There are certainly many things that your agency can do right now to prepare, ranging from making all of your new candidates aware of your agency’s intentions and purpose for the storage of their data, right through to keeping auditable proof of your candidates’ agreement to their details being shared with a third party. The latter, for instance, is a process that you might automate to save future time and hassle.

Remember that when your agency is busy ensuring that it meets its obligations under GDPR, our team here at TBOS can assist with our outsourced back office services. To learn more about them, don’t hesitate to contact us now, on 0845 8811 112 or by emailing



