What does GDPR mean for recruitment agencies?

Understanding GDPR for recruitment agencies is key to complying with the regulatory requirements and avoiding fines or prosecution.

As an agency, your business plays a vital role in the process of matching job seekers with employers. You and your employees are responsible for collecting, storing, and verifying a huge amount of sensitive information about both job seekers and employers.

Due to the exceptional amount of data handled by recruitment agencies, it’s no surprise that GDPR plays a large part in how agencies collect, store and process that data.

Keep reading to find out how GDPR affects recruitment agencies from as early as the job advertisement, before a candidate has even applied, right up to the months after a candidate has been placed in a role.

A brief reminder of GDPR

The General Data Protection Regulation (GDPR) is an EU data protection law that came into effect on May 25, 2018. The GDPR replaces the 1995 EU Data Protection Directive. It strengthens EU data protection rules by giving individuals more control over their personal data, and establishing new rights for individuals.

How does GDPR affect recruitment agencies?

Under the GDPR, recruitment agencies are data controllers. This means that they are responsible for ensuring that the personal data they collect from job applicants is collected lawfully and in compliance with the GDPR.

Recruitment agencies must provide job applicants with information about their rights under the GDPR, including the right to access their personal data and the right to have their personal data erased. Agencies must take steps to protect the personal data of job applicants from unauthorised access, disclosure, and destruction.

GDPR for recruitment agencies – 4 things to watch out for

1. Job advertisements

From the very initial stage of posting a job advertisement, there are certain requirements that a recruitment agency must adhere to under GDPR:

• A job advertisement must include a statement explaining that the data will be processed in accordance with GDPR. This statement must be provided to the candidate in a clear and easily accessible format.
• GDPR requires that all job advertisements clearly state the company’s name and contact details. As recruitment agencies often do not provide the name of the company in the earliest stages of a job application, the agency's name and contact details must be provided instead.
• GDPR clearly states that you can only collect data for “specified, explicit and legitimate purposes.” Recruitment agencies must only ask for relevant job-related information, with the intention of contacting the candidate within 30 days.

2. Retention periods

According to GOV.UK, records of candidate applications must be kept for a minimum of 1 year from the date the agency last provided services for them (this is known as a retention period). Recruitment agencies must also make them readily available to Employment Agency Standards (EAS) inspectors on request.

You do not need to keep the records of any speculative CVs you are sent.

For those CVs that you have taken action to find the candidate work, the following information must be retained:

• their name and address
• their date of birth (if under 22)
• any terms which apply, or will apply, between the agency or employer and the candidate
• any document recording changes to these terms
• details of the candidate’s training, experience and qualifications and any authorisation to do particular types of work
• details of any resulting engagements and when they start
• a copy of any contract between the candidate and an employer
• details of enquires about the candidate and the position concerned (including copies of all relevant documents and dates they were received or sent)

If the EAS finds missing documentation, they can prosecute the agency or refer them to an employment tribunal.

3. A candidate’s “right to be forgotten”

Under GDPR, a candidate has the “right to be forgotten”, meaning they can lawfully ask you to delete all records of their personal data.

In this case, any physical or digital document that holds their personal data must be destroyed within one month of the request.

If you wish to keep hold of a candidate’s personal data for potential future job applications, explicit consent must be taken first.

4. Secure destruction of data

Once a retention period has ended, or a candidate requests the destruction of their personal data, the responsibility falls on the recruitment agency to properly delete the data.

To dispose of candidate records securely, recruitment agencies can shred physical documents or enlist the help of an organisation like Shredall SDS Group to install a digital document management system. This type of records management software is designed with GDPR at its core, meaning digital documents will be securely disposed of whenever necessary.