GDPR and Your Job Ads: A Quick Guide to Data Protection Compliance


For any business hiring in the UK today, understanding GDPR (General Data Protection Regulation) is not just a legal requirement—it’s a fundamental part of building trust with candidates and protecting your company’s reputation. Even after Brexit, the principles of GDPR were adopted into UK law as the UK GDPR, meaning the rules around handling personal data remain strict and apply to all employers, large and small.

Failing to comply can lead to hefty fines, but perhaps more importantly, it can damage your employer brand and deter top talent. In a competitive market, candidates want to know that their personal information is being handled with care.

This guide will walk you through the key aspects of GDPR as it relates to the recruitment process, from writing a job ad to managing the data of both successful and unsuccessful candidates. Think of this not as a legal burden, but as a framework for professionalism and ethical hiring.


1. What is GDPR and Why It’s Crucial for Recruitment

GDPR is a comprehensive data privacy law that gives individuals more control over their personal data. For recruiters and hiring managers, this means you are a ‘data controller’, and candidates are ‘data subjects’. This relationship comes with significant responsibilities.

The law is built on a set of core principles that should guide every step of your recruitment process:

  • Lawfulness, fairness, and transparency: You must have a valid reason for collecting data, and you must be open and honest with candidates about it.

  • Purpose limitation: You can only use the data for the specific purpose for which it was collected (i.e., assessing their suitability for a job).

  • Data minimisation: You should only collect the data that is absolutely necessary for the task.

  • Accuracy: All data you hold must be accurate and, where necessary, kept up to date.

  • Storage limitation: You should not keep personal data for longer than is necessary.

  • Integrity and confidentiality (security): You must protect personal data from unauthorised access, loss, or damage.

  • Accountability: As the data controller, you are responsible for demonstrating compliance with these principles.

These principles apply from the moment you publish your job ad to the moment you securely delete a candidate's CV.


2. The GDPR Compliance Checklist: Step-by-Step

Let’s break down the recruitment process to see how GDPR applies at each stage.

Stage 1: Writing the Job Ad

Your job ad is the first point of contact and the first opportunity to show compliance. The key here is data minimisation.

  • Do not ask for unnecessary personal data. Avoid asking for information that isn’t directly relevant to a candidate’s ability to do the job. This includes age, marital status, religion, or nationality.

  • Be inclusive. Your job ad should focus on skills, qualifications, and experience. Any requests for personal information must have a clear justification. For example, asking for a driver's licence is acceptable if driving is an essential part of the job.

  • Include a privacy statement. This is a best practice. A simple line at the bottom of your ad or on the application page can tell candidates you will handle their data in line with your privacy policy. This demonstrates transparency from the get-go.

Stage 2: Collecting CVs and Applications

This is where the bulk of the personal data is collected. You must be transparent and secure.

  • Use a secure collection method. If you’re receiving CVs via email, ensure your email system is secure. Even better, use a dedicated application portal like MyJobsi.co.uk, as these platforms are designed with data protection in mind.

  • Provide a clear privacy notice. This is non-negotiable. On your application form or in a linked document, you must clearly explain:

    • Who you are (the data controller).

    • What data you are collecting.

    • Why you are collecting it (the purpose, e.g., to assess their suitability for the role).

    • How long you will keep their data.

    • Who you might share it with (e.g., the hiring manager, your HR team).

    • Their rights as a data subject.

  • Avoid over-collection. Don't ask for a candidate’s National Insurance number, bank details, or passport information at this stage. That data is only necessary for a successful candidate during the onboarding process.

Stage 3: Shortlisting and Interviewing

Once you have a pool of candidates, you're processing their data to make a hiring decision.

  • Limit access to data. Only the hiring manager and relevant HR staff should have access to candidate data. Ensure that CVs and interview notes are stored in a secure location, whether that's a password-protected folder on your network or a secure online platform.

  • Obtain consent for background checks. If you need to perform background checks, you must inform the candidate and get their explicit consent before proceeding. The request for consent should be specific, informed, and unambiguous.

Stage 4: Handling Unsuccessful Candidates

This is a critical stage for GDPR compliance and a common area for mistakes.

  • Retention periods. You cannot keep a candidate's data forever. The rule is to keep it for "no longer than is necessary." A reasonable retention period is generally considered to be six to twelve months after the recruitment process is concluded. This allows you to address any potential legal challenges or to consider the candidate for a similar role in the near future.

  • Secure deletion. Once the retention period is over, you must securely delete all candidate data. This means more than just moving it to the 'Recycle Bin'. Ensure the data is permanently erased from your systems.


3. Key Principles in Practice: A Deeper Dive

Let’s look at some of the most important GDPR concepts with actionable examples.

Transparency and Privacy Notices

Your privacy notice is your best friend for GDPR compliance. It’s the cornerstone of transparency.

  • What to include: As a minimum, your notice should cover all the points mentioned in Stage 2. A good practice is to create a specific "Recruitment Privacy Notice" on your website.

  • Lawful basis: When you process a candidate’s data, you must have a "lawful basis" for doing so. For recruitment, the most common lawful basis is ‘legitimate interest’. As the employer, you have a legitimate interest in processing the candidate’s data to assess their suitability for the role. This is the foundation of your right to use their information.

Data Minimisation

This principle is about only collecting data that is directly relevant to the job.

  • Example: If you're hiring a graphic designer, you need a portfolio. If you're hiring a lorry driver, you need a driving licence. You don't need a photograph of either candidate's face.

  • Pro-Tip: Review your application forms. Is every single field absolutely essential to your hiring decision? If not, remove it.

Security

Protecting candidate data is your responsibility.

  • Digital data: Use strong passwords for any folders or files containing CVs. Use encrypted cloud storage services.

  • Physical data: If you print CVs, keep them in a locked drawer and shred them securely once you're done with them. Never leave them on a desk where they could be seen by others.


4. The Candidate’s Rights

GDPR gives candidates specific rights over their data. You must be prepared to handle these requests.

  • The right to be informed: This is covered by your privacy notice.

  • The right of access: A candidate can request a copy of all the personal data you hold on them (e.g., their CV, application form, your interview notes). You must respond to this request within one month.

  • The right to rectification: If a candidate’s data is inaccurate, they have the right to have it corrected.

  • The right to erasure ('right to be forgotten'): A candidate can request that their data be deleted, and you must comply unless you have a compelling legal reason to keep it.


Conclusion: Compliance Builds Trust

GDPR is more than just a set of rules; it's a new standard for professionalism in the recruitment industry. By taking a proactive, transparent, and secure approach to handling candidate data, you not only protect your business from legal risks but also build a reputation as a responsible and trustworthy employer.

This commitment to data protection will set you apart in a competitive market and ensure that top talent feels confident in entrusting their personal information to you. It's an investment in your company’s future and a sign of respect for every person who applies for a job with you.

For more information and to start posting your job ads, visit MyJobsi.co.uk today.