GDPR: the unspoken opportunity or the Achilles' heel of recruiting efforts?

Europe's General Data Protection Regulation (GDPR) is a new set of privacy rules intended to give people in Europe more control over how their personal data is:

  • collected
  • stored
  • processed
  • transferred 

GDPR comes into effect on May 25, 2018, and it applies to all companies, regardless of where they are located, that process the personal data of individuals in the EU. The Regulation sets out strict rules for lawfully processing personal data, including obtaining specific consent from individuals on how their data can be used. GDPR has strong documentation and reporting requirements: organisations will have to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it. There are no comprehensive guidelines on what GDPR means for recruiters: there are hundreds of articles, but no official guidance on how to handle the process in practice.

We need to understand how GDPR affects us, and navigate the key risks, the change management it demands and the benefits it can bring.

Under GDPR (Art. 4(2)) the term "processing" means anything that is done to, or with, personal data: collecting, recording, storing, retrieving, using, disclosing and erasing it all count.


Key risks for non-compliance

Along with a new set of obligations, GDPR brings in a harmonised set of fines. The upper tier of penalties reaches EUR 20 million, or 4 % of annual global turnover, whichever is higher (a lower tier of EUR 10 million or 2 % applies to less serious infringements). The threat of insolvency, or even closure, as a result of GDPR penalties will soon be very real.

When it comes to sourcing candidates, two main questions arise:

1. How do we obtain consent?

2. How do we store data in a compliant manner?

From a sourcing standpoint, the first critical consideration is whether legitimate interest can serve as our lawful basis under GDPR. Storing any data we find on publicly accessible websites is already processing, which means we need a lawful basis for it; the fact that the data was public does not remove that requirement.

The statutory obligations that apply to any form of candidate documentation are:

  • Ensuring data minimisation
  • Right to erasure (respond within one month; the period can be extended where necessary, provided the delay is explained to the candidate)
  • Monitoring consent

As for inbound candidates, or rather applicants, the following checklist should be adhered to for a compliant inbound process:

  • Explicit consent
  • Data minimization
  • Consent for tracking (proposed ePrivacy Regulation, 2017)
  • Ensuring all candidates can access their data
  • Automated decision-making (meaningful information about the logic involved)
  • Recruitment automation


Under the General Data Protection Regulation (Art. 4(11)), consent is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

Consent must be:

a) Unbundled

b) Active opt-in

c) Granular

d) Named

e) Easy to withdraw

If you have sourced candidates yourself, you must obtain consent from the data subject before processing their data for recruitment purposes, and tell them where you sourced their data from. Consent also needs to be monitored, so that, for example, a candidate is not messaged about the same hiring purpose by someone else on the team.

Explicit consent

If a candidate applies for a specific vacancy, we must always seek additional consent for any processing that goes beyond that vacancy. For example, if we plan to keep communicating with, or to store, unsuccessful applicants after a vacancy has been closed, we need to obtain specific consent for this processing. The mere fact that they applied for the initial vacancy does not cover any further contact.

Sourcing and storing data: what else do we need to know? 

...It is our obligation to keep data relevant

As long as candidates do not ask to opt out or to have their data removed, we can continue to process it within the retention period we have told them about. But we need to ensure that their data continues to be relevant: keep data up to date and remove old information.

Examples of suggested ways to keep data up to date and compliant:

a) Candidate self-service portal

b) Database rules 

c) Automatic data refreshes

...It is our obligation to continue monitoring consent

… and ensure candidates can opt out at any given time.

To comply with GDPR, every time we contact a candidate we must give them the option to unsubscribe or opt out from all future communication, and we must be able to track and enforce that opt-out across the whole team.

By advising candidates of:

  • The categories of data sourced
  • Where it was sourced
  • Recipients of the data
  • The applicable retention periods
  • Their right to withdraw consent or to object to the processing

we meet the transparency obligations that apply when personal data was not obtained from the candidate directly.

Furthermore, we should only source data from sites where candidates have consented to share their information and provide the candidates with access to update or remove this data. With GDPR, we will have to be able to track candidate relationships from the very first interaction, usually prior to a job application. To demonstrate GDPR compliance, we will have to be able to show when a candidate gave consent to have their data processed and receive future communication.

Data subject perspective

Which statutory rights do the candidates have?

Data subjects have the following rights, under the conditions and to the extent set out in the GDPR:

  • Right to get transparent information about processing of Personal Information;
  • Right to get access to Personal Information;
  • Right to rectify inaccurate Personal Information concerning them and to get information about any rectification;
  • Right to erase Personal Information concerning them and to get information about any erasure;
  • Right to restrict processing of Personal Information concerning them and to get information about any restriction;
  • Right to receive Personal Information they provided to us and which concerns them and transmit this received Personal information to another provider;
  • Right to object to any data processing that is based on our legitimate interest;
  • Right not to be subject of a decision solely based on automated processing including profiling;


Key takeaways

Generally, recruitment companies need to build all the above information about data processing and data storage into their processes. GDPR allows you to process data where you have a legitimate interest, but you cannot contact candidates about opportunities until they have confirmed they are willing to receive messages. Recruiters need to break a lifetime habit and adopt an entirely new workflow.

To ensure compliance across the team, you need to segment your CRM between candidates who are happy for us to contact them and candidates who are yet to opt in.

The most effective solution lies in highly automated processes. Opt-in requests should be triggered automatically whenever candidates are added to your database. SGS has its own internal CRM, SGS ONE, which is currently being upgraded in collaboration with the company Decodio in order to provide simple and automated answers to the following questions:

...Should we segment our database based on candidate interests or the nature of their consent?

...What to do with grandfathered data in our CRM?

...Is there a limit for how long we can keep the subject data in SGS ONE?

...How to avoid team members contacting subjects who have not yet opted in?

...What is the best way to store candidate data in SGS ONE?
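The segmentation, grandfathered-data and "not yet opted in" questions above come down to one record-keeping pattern: an append-only consent ledger per candidate, granular per purpose, with every outbound message gated on it and a retention rule that flags stale records. The Python below is an added illustration written for this article; it is not SGS ONE or Decodio code, and the class and purpose names, the 30-day and 365-day retention periods, and the sample candidates are all constructed assumptions.

```python
"""Minimal per-purpose consent ledger for a recruiting CRM (illustrative only)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

GDPR_EFFECTIVE = datetime(2018, 5, 25, tzinfo=timezone.utc)
PENDING_RETENTION = timedelta(days=30)    # assumed: how long we keep a record with no active consent
CONSENT_RETENTION = timedelta(days=365)   # assumed: how long a consent stays valid before a refresh


class Purpose(Enum):
    VACANCY = "vacancy"                 # processing limited to the vacancy applied for
    TALENT_POOL = "talent_pool"         # keeping an unsuccessful applicant on file
    OPPORTUNITIES = "opportunities"     # contacting about other or future vacancies


@dataclass
class ConsentEvent:
    purpose: Purpose
    granted: bool        # False means a withdrawal / opt-out for this purpose
    at: datetime
    channel: str         # how it was captured, e.g. "application form", "unsubscribe link"
    recorded_by: str     # team member or system that logged it


@dataclass
class Candidate:
    candidate_id: str
    data_source: str     # where the data came from; must be disclosed to the candidate
    added_at: datetime
    events: list[ConsentEvent] = field(default_factory=list)
    opt_in_requested_at: datetime | None = None

    def latest(self, purpose: Purpose) -> ConsentEvent | None:
        """Most recent event for one purpose; withdrawal supersedes an earlier grant."""
        for ev in reversed(self.events):
            if ev.purpose is purpose:
                return ev
        return None

    def has_consent(self, purpose: Purpose) -> bool:
        ev = self.latest(purpose)
        return ev is not None and ev.granted


class ConsentLedger:
    def __init__(self) -> None:
        self.candidates: dict[str, Candidate] = {}

    def add_candidate(self, candidate_id: str, data_source: str, now: datetime) -> Candidate:
        """Create the record and immediately queue an opt-in request (granular per purpose)."""
        cand = Candidate(candidate_id, data_source, now, opt_in_requested_at=now)
        self.candidates[candidate_id] = cand
        return cand

    def record(self, candidate_id: str, purpose: Purpose, granted: bool,
               now: datetime, channel: str, recorded_by: str) -> None:
        """Append-only: the full history shows when consent was given or withdrawn."""
        self.candidates[candidate_id].events.append(
            ConsentEvent(purpose, granted, now, channel, recorded_by))

    def may_contact(self, candidate_id: str, purpose: Purpose) -> bool:
        """Gate for every outbound message: unknown, pending and opted-out candidates are blocked."""
        cand = self.candidates.get(candidate_id)
        return cand is not None and cand.has_consent(purpose)

    def segment(self, purpose: Purpose) -> dict[str, list[str]]:
        """Split the CRM into opted-in / pending / opted-out for one purpose."""
        out: dict[str, list[str]] = {"opted_in": [], "pending": [], "opted_out": []}
        for cid, cand in self.candidates.items():
            ev = cand.latest(purpose)
            key = "pending" if ev is None else ("opted_in" if ev.granted else "opted_out")
            out[key].append(cid)
        return out

    def grandfathered(self) -> list[str]:
        """Records created before GDPR applied with no consent event at all: re-consent needed."""
        return [cid for cid, c in self.candidates.items()
                if c.added_at < GDPR_EFFECTIVE and not c.events]

    def due_for_deletion(self, now: datetime) -> list[str]:
        """Storage limitation: stale pending/opted-out records and consents past their refresh date."""
        due = []
        for cid, cand in self.candidates.items():
            active = [ev.at for ev in cand.events if ev.granted and cand.has_consent(ev.purpose)]
            if active:
                if now - max(active) > CONSENT_RETENTION:
                    due.append(cid)
            else:
                last_activity = max([cand.added_at] + [ev.at for ev in cand.events])
                if now - last_activity > PENDING_RETENTION:
                    due.append(cid)
        return due

    def erase(self, candidate_id: str) -> None:
        self.candidates.pop(candidate_id, None)


def build_demo_ledger(now: datetime) -> ConsentLedger:
    """Constructed sample data: an applicant, a sourced profile and a pre-GDPR record."""
    ledger = ConsentLedger()
    ledger.add_candidate("c1", "company careers site", now)
    ledger.record("c1", Purpose.VACANCY, True, now, "application form", "ats")
    ledger.record("c1", Purpose.OPPORTUNITIES, True, now + timedelta(days=1), "email reply", "recruiter-a")
    ledger.record("c1", Purpose.OPPORTUNITIES, False, now + timedelta(days=2), "unsubscribe link", "system")
    ledger.add_candidate("c2", "public profile page", now)
    ledger.add_candidate("c0", "legacy import", datetime(2017, 3, 1, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    now = datetime(2018, 6, 1, tzinfo=timezone.utc)
    ledger = build_demo_ledger(now)
    print(ledger.segment(Purpose.OPPORTUNITIES))
    print("grandfathered:", ledger.grandfathered())
    print("due for deletion:", ledger.due_for_deletion(now + timedelta(days=31)))
```

Two design points matter here. Withdrawal is recorded as a new event rather than by deleting the grant, so the ledger can still prove when consent existed and when it ended; and the gate is per purpose, so a candidate who unsubscribes from opportunity messages can still be contacted about the vacancy they actually applied for.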


What should be your next steps?

  1. Define the responsible person/team for GDPR implementation in your company
  2. Review all current policy documents regarding data collection and storage
  3. Review your internal procedures for obtaining data subject consent
  4. Source the correct legal documentation for all the data you possess
  5. Set up an accountability framework within the business
  6. Create a process to respond to any potential security breaches
  7. Design an efficient process for handling any request from data subjects
  8. Put data privacy at the heart of your business
  9. Update automated systems