
GDPR for recruitment agencies: How does GDPR affect recruitment?

From the moment candidates submit their CVs, until the time they are hired, recruitment agencies will be dealing with and processing the most important type of data: personal data.

UK GDPR compliance is an important part of both candidate recruiting and secure data management. You can comply with UK GDPR and make significant improvements to your business if you are prepared and well-informed. All organisations in the UK, as well as any organisations processing the data of European Union (EU) residents, regardless of where they are in the world, are required to comply with GDPR.

In this article, you will learn more about the UK GDPR, how it impacts the recruitment industry, which key areas of the UK GDPR recruiters should focus on, and the risks of non-compliance.


Basic UK GDPR Terminology for Recruiters 

Before we go any further into understanding how recruitment agencies can start complying with UK GDPR, let us take a look at the basic terminology frequently used when speaking about UK GDPR.

  • Personal data
    • Information about a living individual who has been identified or may be identified. Names, dates of birth, email addresses, phone numbers, addresses, physical traits, and location data are all examples of personal data.
  • Special category data
    • Personal information on a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, and sexual orientation.
  • Consent
    • Individuals have choice and continuous control over how their data is used, and your organisation should be open and accountable about its processes.
  • Candidates or "data subjects"
    • Since candidates may be identified by the personal data they provide to the recruitment agency, they are considered data subjects. Under the UK GDPR, members of recruiting agencies are also considered data subjects, although their information will not be processed to the same degree as candidate data.
  • Recruiters or "data controllers"
    • The purpose of gathering candidate personal data is determined by recruitment agencies, which act as their company's key representatives to applicants. As a result, they are the data controllers, and they are solely responsible for safeguarding candidate data and processing it properly.
  • Recruitment software systems
    • Recruitment software systems are considered data processors: they process applicant data on your behalf and according to your recruitment agency's specifications.

Why is complying with the UK GDPR important for recruitment agencies?

The UK GDPR was established in order to make it easier and safer for individuals to buy products and use services that required their personal data. Knowing that the UK GDPR was in place and that organisations are strictly required to comply with it gives individuals a sense of security when they are required to provide their personal information to them.

Typically, recruitment agencies will be storing and processing candidate personal data, such as:

  • Individuals' contact details
  • Salary expectations/salaries
  • Health information
  • Residential information

In order to start off with compliance, your recruitment agency must be transparent about how you collect, process and store data. You must also have an easy-to-understand privacy notice for the people you employ and job candidates to make them aware of their privacy rights.

Speaking of privacy rights, once UK GDPR is implemented, individuals will need to be made aware of their rights when it comes to data privacy. The next section of this blog will help you understand what privacy rights are and just how important they are.


What are the eight privacy rights of individuals in UK GDPR?

There are eight fundamental rights that affect how recruiters can collect, store and use data; understanding them gives you and your data subjects a clear picture of how these rights can be used to everyone's benefit. They are:

  • The Right to Information
    • A data subject has the right to ask what type of data a data controller processes and why the data controller needs it.
  • The Right to Access
    • The right to access allows the data subject to see the personal data that you process about them.
  • The Right to Rectification
    • When individuals feel the data they have sent you is inaccurate or out of date, they have the right to update or amend it.
  • The Right to Erasure
    • Individuals have the right to request that their data be erased without delay from your company's records.
  • The Right to Restriction of Processing
    • Under some circumstances, individuals have the right to request that their data be processed in a specific way. This implies that you must stop processing their data as requested for the time being.
  • The Right to Data Portability
    • Under some circumstances, individuals have the right to receive the personal data kept by your agency in a commonly used format, transfer it to another controller, or use it for personal reasons.
  • The Right to Object
    • When there are relevant circumstances, individuals have the right to object to their data being processed, including profiling.
  • The Right to Avoid Automated Decision-Making
    • The right not to be subjected to legal consequences as a result of a decision based purely on automated processing, including profiling.

Recruiters need to understand and remember these rights, and understand what changes need to be made to their databases so that individuals can exercise them. Beyond these rights, there are many other ways in which the UK GDPR affects recruitment agencies.

How does the UK GDPR affect recruiting, and what are its key rules for recruiters?

Apart from having to comply with the UK GDPR on a daily basis and making candidates aware of their individual privacy rights, here are a few rules that may affect your recruitment processes and what you should keep in mind about them:

  • Identifying the purposes for which you need to process personal data
    • Examples include sending a CV to a specific company, placing it on a publicly accessible database, keeping it on file, and promoting your premium employee consulting services using the contact information.
  • Understanding existing consent for personal data
    • Individual consent should be obtained for each of an individual's personal data processing activities.
  • Withdrawal of an individual's consent
    • Consider the candidate who still wants to receive job notifications from you but does not want their information to be visible in your database. Individuals should be able to easily withdraw authorisation for data processing tied to specific processing purposes.
  • Processing an individual's data is in the best interests of the candidate
    • The UK GDPR requires that you only acquire data for "specific, clear, and lawful reasons", which means you can gather applicant data as long as you strictly collect job-related data.
  • Candidate agreeing to the processing of special category information
    • When processing data such as health information, cultural, genetic, or biometric information, or information needed for a background check, the UK GDPR requires you to obtain consent.
  • Transparency in candidate data processing
    • Companies must have transparent privacy policies, which recruiters must make available to individuals. You must also declare where you store applicant data and that you will only use it for recruiting purposes.
  • Assume responsibility for ensuring that the rules are followed
    • Your agency must be able to show that it complies with the UK GDPR, because it is liable for the people with whom it does business.

Steps recruitment agencies should take to prepare for UK GDPR

Here are a few more steps that will help recruitment agencies become UK GDPR-compliant.

  • Perform a data audit
    • The first step is to review all of the information you hold about your clients and applicants. What kind of data do you gather, where do you keep it, and why?
    • Regular data audits will also be required to ensure accuracy, including an examination of how long you store data and how quickly you can respond to individuals' requests to be added to or removed from certain databases.
  • Manage the data you have well
    • Having a central CRM or database makes clear from whom, when, and where consent to store an individual's data was obtained, eliminating misunderstandings.
  • Use the right mediums
    • Make sure you have procedures in place to ensure that you only contact those who have given you permission to do so, and that you do so through the channel they have chosen.
  • Understand that unsubscribing means: do not contact that individual
    • Individuals will be able to unsubscribe at any time, which means that you should not approach them in any way afterwards.
  • Communicate with your colleagues
    • Everyone in your organisation, from senior management to junior staff, has to be aware of the upcoming changes. If a candidate requests the erasure of their information and this is not communicated properly to the relevant person in the organisation, data may be mishandled.
  • Give your stored data retention periods
    • Consider setting up retention periods in your database, whereby an individual's details are labelled as inactive or unresponsive after a specific amount of time with no action.

There are two parties involved in recruitment and in complying with the rules above: data controllers and data processors. Let us look at how to differentiate the two and understand each of their obligations separately in the section below.

Data Controllers and Processors in recruitment agencies and how they differ

Understanding the major differences between a data processor and a data controller is crucial if you are just getting started with GDPR. It will help you quickly understand the responsibilities that each of these parties carries in your recruitment agency.

Whether you use a traditional job posting on social media or a recruiting platform/software, the legal basis for processing and the information you disclose to your data subjects will differ.

Data Controllers

When it comes to preserving the privacy and rights of the data subject, such as a website user, the data controller has the most responsibility under UK GDPR.

In other words, the data controller will be in charge of determining how and why data will be handled by the organisation.

Recruitment involves the processing of personal data, which takes place only once the recruiter has finished gathering data on potential candidates. This can include data such as contact information, grades, certifications, CVs, general data, tests and other documents.

A data controller can use its own methods to process the gathered data. In other cases, however, a data controller will need to engage a third party or an external service in order to work with the data collected.

Data Processors

A data processor merely processes the information provided by the data controller.

The data processor is a third-party entity chosen by the data controller to utilise and process the data.

The data that is processed by a third-party data processor does not belong to them, and they have no control over it. This indicates that the data processor will not be able to modify the data's purpose or means of use. Furthermore, data processors are constrained by the data controller's orders.

Some recruiters have a specific, specialised role in addition to recruiting, such as conducting or arranging assignments for candidates and organising interviews. Because they perform specified responsibilities on behalf of the "data controller", these agencies are referred to as "data processors" under the UK GDPR.

What are the risks of non-compliance with UK GDPR for recruitment agencies?

Complying with the UK GDPR ensures that your recruitment agency protects the data of these individuals, which matters especially because recruitment relies heavily on candidates' personal data.

If compliance is not taken seriously, your recruitment agency can be fined up to 4% of your annual global revenue or £20 million, whichever is higher.

Your recruitment agency also runs the risk of being caught up in a data breach, where, in addition to the hefty fine you will have to pay, you may also be required to compensate the individuals whose personal data has been leaked as a result of the breach.


Finally, the UK GDPR should benefit your recruitment agency by making it more open and transparent; in turn, your clients will trust you to handle their data, as well as candidate data, with ease.

We help recruitment agencies better understand data privacy and become GDPR compliant. Get in touch with one of our UK GDPR experts today.

If you are interested in learning more about the UK GDPR in general for small businesses, you can read our article about UK GDPR for small businesses.
