Share Article

March 13, 2018

Your GDPR checklist for Recruitment Compliance

Following on from our previous two articles on the GDPR which you can read here, we have developed a clear GDPR checklist for recruitment compliance which will help you ensure you operate within the new regulations and keep you on the right side of the law.

To be ready for the May deadline, it’s imperative that you start to take action as soon as possible. Start now by following our GDPR checklist for recruitment compliance and make sure that you’re well prepared for a GDPR audit should the situation arise.


1. Inform Staff

It is highly likely that most of your staff won’t have heard of GDPR or they may have heard of it, but might not be too sure what it involves. It is important to inform staff of GDPR and make sure they are following the processes.


As far as recruitment is concerned, most of your staff are probably involved in it in some way or another, so they need to know what is expected of them and how they will be involved in the GDPR project.


2. Select a GDPR Officer

The first thing to consider is to either assign someone who is experienced in data protection from your current employees as a GDPR Compliance Officer, or employ a third party to manage this as they will have specialist knowledge and expertise in this area.


3. Data Mapping

It is a good idea to undertake a full data mapping exercise for GDPR, as this will help you to understand where data is flowing in your organisation. You may wish to document where the data comes from and what your overall process is for storing/archiving the personal data.


Consider these key elements as part of your data mapping exercise:

  • How do individuals apply for jobs?
  • Do they apply via your online system? Do you receive CVs from recruitment agencies? Speculative CVs?
  • Where are the applications/CVs stored? (They may be stored on your online system, saved onto shared drives, desktops, stored by managers)
  • What personal details do you obtain? (Name, address, email address etc. – make sure you document exactly what personal data you are storing for individuals).
  • What is your process for unsuccessful applications?
  • Are you ensuring you discard applications after the relevant time has elapsed? Are there applications stored incorrectly that have passed the legal time frame for storage?


Document each stage of the recruitment process so that you are clear about the personal data you have and the full journey of the recruitment cycle. This process will be time consuming, but it will help you to gain a clear understanding of what you need to do next.


4. Consent

An important aspect of GDPR is consent. If you are storing personal data for longer than the legal requirement, you must gain consent from the individual. For example, if you decide to hold onto a CV for future vacancies, you must explicitly request consent to do this from the individual.


Consent must be freely given, specific, informed and unambiguous. You must always make clear what the consent is for. If you are unable to obtain consent, you should not communicate any further with the individual and you should delete any personal data already obtained.

It is important to have a clear process for gaining permission to hold onto data. You will need to have documented evidence.


If you are sharing personal data, you must always get written permission. For instance, you may decide that an individual would be more suitable for another role after reading their CV, but you shouldn’t send the individual’s information to that company/department until you have made sure that they are happy for you to do so.


If you are relying on consent for the purposes of marketing, you will need to remind the individual of their right to withdraw their consent every six months.


5. Accuracy of data

If you are storing personal data and you have permission to do so, it is important to check the accuracy of your data. If you have applications you are keeping for future vacancies for example, now is the time to check you have up-to-date details.


6. Archive data

This is probably the most time-consuming task associated with GDPR, but one of the most important.


As part of your data mapping exercise, you will be aware of where you are storing personal data, so now is the time to archive any personal data you no longer need and/or do not have permission to store. This includes personal data stored on all of your systems, folders, shared drives and hard copies. Archive any data you no longer need.


7. Update privacy policies

Your privacy policies will need to be updated to reflect GDPR. This will include how you are storing and using personal data.


Now is the time to get started on ensuring you are prepared for the new GDPR legislation. If you’d like more help and advice on navigating the GDPR with regards to recruitment, contact the team at Appointments on 01782 338787 or email office@appointmentspersonnel.co.uk.


Disclaimer: The information contained within this article are given in goodwill and Appointments Personnel Limited uses all reasonable efforts to ensure that it is accurate. Appointments Personnel Limited shall not be liable under any circumstances for any loss, expense, damage, delay, costs or compensation (whether direct, indirect or consequential) which may be suffered or incurred by you.

By Kerry Bonfiglio-Bains June 13, 2026
A probation process only protects you if you run it properly. Use this SME checklist to self-audit yours before the 2027 unfair dismissal changes land.
By Kerry Bonfiglio-Bains June 12, 2026
Unfair dismissal rules change on 1 January 2027. Find out why the staff you hire before July 2026 are already affected, and how to get ready now.
By Kerry Bonfiglio-Bains June 8, 2026
From January 2027, a bad hire carries far more legal risk. A structured 15-minute pre-screen call is one of the simplest ways to protect your SME.
By Kerry Bonfiglio-Bains April 22, 2026
A practical guide covering interview preparation, structured questioning, and the mistakes most SMEs don't realise they're making during interviews.
By Kerry Bonfiglio-Bains April 22, 2026
A 2026 UK guide to legal and unlawful interview questions for SMEs, covering the Equality Act 2010, what you can and can't ask, and what it costs to get it wrong.
By Kerry Bonfiglio-Bains March 20, 2026
A practical guide to salary reviews in 2026. Understand pay structures, National Living Wage impacts, benchmarking, and how to avoid inconsistency.
By Kerry Bonfiglio-Bains February 25, 2026
Statutory Sick Pay, maternity pay and payroll thresholds increase from April 2026. See the new SSP rates, family leave payments, Lower Earnings Limit and what UK employers must update now.
By Kerry Bonfiglio-Bains February 24, 2026
UK National Minimum Wage and National Living Wage rise in April 2026. Check the new hourly rates, payroll cost impact, common compliance risks and what employers must do now to stay compliant.
By Kerry Bonfiglio-Bains February 23, 2026
Small Business UK Employment Law Checklist 2026. Review contracts, SSP, flexible working, harassment duties, ACAS compliance and minimum wage updates to reduce legal risk.
By Kerry Bonfiglio-Bains February 21, 2026
How to prevent workplace sexual harassment under UK law. Understand the strengthened preventative duty, “all reasonable steps” requirement, third-party risk and employer compliance in 2026.
More Posts