Your GDPR checklist for Recruitment Compliance

Following on from our previous two articles on the GDPR which you can read here, we have developed a clear GDPR checklist for recruitment compliance which will help you ensure you operate within the new regulations and keep you on the right side of the law.

To be ready for the May deadline, it’s imperative that you start to take action as soon as possible. Start now by following our GDPR checklist for recruitment compliance and make sure that you’re well prepared for a GDPR audit should the situation arise.

1. Inform Staff
It is highly likely that most of your staff won’t have heard of GDPR or they may have heard of it, but might not be too sure what it involves. It is important to inform staff of GDPR and make sure they are following the processes.

As far as recruitment is concerned, most of your staff are probably involved in it in some way or another, so they need to know what is expected of them and how they will be involved in the GDPR project.

2. Select a GDPR Officer
The first thing to consider is to either assign someone who is experienced in data protection from your current employees as a GDPR Compliance Officer, or employ a third party to manage this as they will have specialist knowledge and expertise in this area.

3. Data Mapping
It is a good idea to undertake a full data mapping exercise for GDPR, as this will help you to understand where data is flowing in your organisation. You may wish to document where the data comes from and what your overall process is for storing/archiving the personal data.

Consider these key elements as part of your data mapping exercise:
• How do individuals apply for jobs?
• Do they apply via your online system? Do you receive CVs from recruitment agencies? Speculative CVs?
• Where are the applications/CVs stored? (They may be stored on your online system, saved onto shared drives, desktops, stored by managers)
• What personal details do you obtain? (Name, address, email address etc. – make sure you document exactly what personal data you are storing for individuals).
• What is your process for unsuccessful applications?
• Are you ensuring you discard applications after the relevant time has elapsed? Are there applications stored incorrectly that have passed the legal time frame for storage?

Document each stage of the recruitment process so that you are clear about the personal data you have and the full journey of the recruitment cycle. This process will be time consuming, but it will help you to gain a clear understanding of what you need to do next.

4. Consent
An important aspect of GDPR is consent. If you are storing personal data for longer than the legal requirement, you must gain consent from the individual. For example, if you decide to hold onto a CV for future vacancies, you must explicitly request consent to do this from the individual.

Consent must be freely given, specific, informed and unambiguous. You must always make clear what the consent is for. If you are unable to obtain consent, you should not communicate any further with the individual and you should delete any personal data already obtained.
It is important to have a clear process for gaining permission to hold onto data. You will need to have documented evidence.

If you are sharing personal data, you must always get written permission. For instance, you may decide that an individual would be more suitable for another role after reading their CV, but you shouldn’t send the individual’s information to that company/department until you have made sure that they are happy for you to do so.

If you are relying on consent for the purposes of marketing, you will need to remind the individual of their right to withdraw their consent every six months.

5. Accuracy of data
If you are storing personal data and you have permission to do so, it is important to check the accuracy of your data. If you have applications you are keeping for future vacancies for example, now is the time to check you have up-to-date details.

6. Archive data
This is probably the most time-consuming task associated with GDPR, but one of the most important.

As part of your data mapping exercise, you will be aware of where you are storing personal data, so now is the time to archive any personal data you no longer need and/or do not have permission to store. This includes personal data stored on all of your systems, folders, shared drives and hard copies. Archive any data you no longer need.

7. Update privacy policies
Your privacy policies will need to be updated to reflect GDPR. This will include how you are storing and using personal data.

Now is the time to get started on ensuring you are prepared for the new GDPR legislation. If you’d like more help and advice on navigating the GDPR with regards to recruitment, contact the team at Appointments on 01782 338787 or email

Disclaimer: The information contained within this article are given in goodwill and Appointments Personnel Limited uses all reasonable efforts to ensure that it is accurate. Appointments Personnel Limited shall not be liable under any circumstances for any loss, expense, damage, delay, costs or compensation (whether direct, indirect or consequential) which may be suffered or incurred by you.