GDPR for recruiters

GDPR for recruitment, charities and volunteer recruitment
Uncover GDPR for recruitment

As part of the GDPR for Charities series, we must touch on “recruitment”, since you will undoubtedly be recruiting one of the highest numbers of people from the volunteer and new-starter talent pool. As this crosses domains, we’ll approach the subject as if you were a recruiter.

So what does GDPR mean for recruitment?

Let me start by saying that, irrespective of the size of your organisation, you will need to adhere to the GDPR principles. This applies even more so because you will be holding data that could potentially influence, and (or) directly impact on, the data subjects’ rights as individuals and their career prospects.

Now allow me to dissect that statement and demonstrate how it will impact you and what you need to do to ensure you are adhering to the GDPR principles.

It doesn’t matter if you are using a Rolodex™, Microsoft Excel™ or a flashy talent management system: you hold sensitive and personal information about a data subject. In other words, the information you hold on your candidates (data subjects) is your bread and butter, and you will need to protect that asset.

You, your candidates (data subjects) and consent

Under GDPR, candidates must give consent for their personal data to be collected and used, it needs to be clear to candidates how the data will be used, and candidates can ask for their data to be removed. If a recruitment agency does not comply with this, there are some very harsh penalties: a fine of up to €20 million or 4% of the company’s global turnover.

Don’t get caught out by automation

Any automation you use in your recruitment process based on personal information needs to be opt-in. This means that any profiling you carry out can only be carried out on candidates who have explicitly given you permission to do so. Yes, and before you ask, this also means prospecting and screening.

Let me paint you a picture. Joe Bloggs (not a real name) is a specialist in his field. As a recruiter in that field you notice that Joe Bloggs has been with Acme Limited (not a real company) for 5 years. You research Joe Bloggs and see that he is interested in a change (based on conversations he has had in a public forum) and you approach him. Joe Bloggs is interested in your proposal and you ask him your screening questions. Great! Joe has cleared your initial screen and you ask him to send you his updated resume.

You are impressed with Joe’s resume and ask him to complete an online in-depth screening interview. Joe completes it promptly. Unknown to you, one of the questions (which you would not normally ask a person in a face-to-face setting) was asked in the EOM form. Your state-of-the-art system has decided, based on the information provided to it by Joe Bloggs, that he would not be a good match for your company’s culture.

The system has made a recommendation which is now a part of Joe’s profiling data. Nevertheless, you invite Joe for a formal interview. The hiring manager interviews Joe and finds him a bit “shady”. She then refers to his profiling data and sees the “red flags” that your system has highlighted, which she takes as validation for not wanting to hire Joe.

Joe is informed that he was unsuccessful in the interview and his resume will be held on file for any future roles that might come up.

In this fictitious scenario, can you spot the number of times GDPR principles were breached (knowingly or unknowingly)?

Don’t worry, this is not a trick question. Suffice to say that, should Joe challenge you under the GDPR, there will be some serious explaining to be done by you (your company).

  • Firstly, you appended data (see data appending if you are unfamiliar with this) without Joe’s consent, even if that information was in the public domain.
  • Next, you asked for his resume, and at the end of that unsuccessful interview your system decided it wanted to retain the information. You never offered Joe the chance to make a choice in that matter.
  • Technically, Joe is everything you are looking for, but you profiled him (without his consent). That profiling was automated (which he did not explicitly agree to). Furthermore, you asked a sensitive-information question (which may not be necessary for the activity that Joe is going to be undertaking).
  • The hiring manager then validated her decision based on the profiling data produced by an automated system, without the chance for clarification or rebuttal from Joe.
  • Lastly, you did not offer Joe the opportunity to delete his data.

By the way, in case you are wondering, Joe got his dates wrong for a previous job about 7 years ago. He was adamant that it was date X, when your system’s profiling found that the company did not exist at date X (again, information that was automatically obtained from the public domain).

Yes, this is a fictitious scenario and was written to make a point, but the problems highlighted are very real.

Once again it does not matter if you are using a Rolodex™, Microsoft Excel™ or a flashy talent management system, you should at all times adhere to the principles of GDPR.

Remember: if the decision being made is based on sensitive personal data, for example data relating to ethnic origin or sexual orientation, you should get explicit consent to use this information. However, automated processing should not be used to filter out candidates based on protected characteristics under the Equality Act 2010, as that would be unlawful discrimination.

Here’s where we can help:

Totale Learning creates bespoke GDPR solutions (consultation, training and development, etc.) that are tailor-made to your business. Our experienced consultants will help you through your GDPR process and, when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at or visit You can also contact us on LinkedIn, Facebook or Instagram.
