The basics of UK GDPR for recruitment

Brexit threw a lot of things up in the air so there’s been a lot to keep track of, not least GDPR.

With the UK now no longer a member of the European Union, EU GDPR no longer applies to businesses operating solely in the UK, unless they provide goods or services or monitor behaviour of individuals in the EU.

But, this doesn’t mean you can take your foot off the pedal – through Brexit, the UK has developed a new set of legislation called UK GDPR. To all intents and purposes, UK GDPR is pretty much the same as EU GDPR so any preparation, policies and practices you put in place with the implementation of GDPR in 2018 should still stand.

It’s always good to review and make sure you’re watertight, though, so what does UK GDPR mean for recruitment?

We’ve laid out the basics we think are most important for you to consider!

You need a privacy notice

As an employer, you need to make sure applicants of your job vacancies know what data you need from them, why you need it, what you’ll be doing with it and who you’ll be sharing it with.

The best way to do this is by developing a privacy notice, which should also include the legal basis for processing data and how long you need to keep it. You can find a template for creating a privacy notice on the ICO website here.

Many businesses have their privacy notice clearly available on their website and link to it in job adverts. You could also send it directly to applicants and, if you’re using an external recruitment agency, you need to make sure that they have access to this too.

Keep data only for as long as it’s necessary

UK GDPR dictates that you can’t keep personal data for any longer than you need it. This means that it’s up to you to stipulate how long you need the data for (and of course make sure it’s clear in your privacy notice!).

There are a couple of things to bear in mind when deciding how long you’ll keep the data of applicants. First of all, there’s always the potential for an unsuccessful applicant to log a discrimination claim against you (even if you did everything by the book!). For this reason, it’s a good idea to keep data on record for six months so that you can respond to any employment tribunal cases that might come about. Once the time limit you’ve set is up, you need to destroy personal data.

Another thing to think about is if you want to keep their data for any future recruitment rounds. In this case, you need to make sure that you have consent from your candidates.

You also might want to think about unsolicited personal data, such as speculative applications and CVs. If you plan on keeping this data, you need to make sure that’s clear in your privacy notice or, if not, you should be clear in your policies that you will delete it if you’re not recruiting at the time.

Don’t make decisions purely on automated processing

Under UK GDPR, candidates have the right to not be subject to a decision based purely on automated processing. This means that, if you use an applicant tracking system or a similar programme to automatically filter out candidates without a human verifying the results, you could be in breach of UK GDPR.

There are some exceptions to this, such as situations where it’s necessary for performing a contract. One example of this could be receiving an exceptionally high number of applications – but this would probably need to be thousands, rather than hundreds, in order to justify zero human intervention!

Another exception is gaining explicit consent from applicants to process their data in this way, which means their consent needs to be confirmed in a written statement. You can write this statement for them, but you need to make sure that it’s clear that the applicant has agreed, either through a signature or a tick box. If you’re going down this route, you also absolutely need to make sure that applicants understand how they can request human intervention – even if they consent to automated decision making, this doesn’t overrule their right to human assessment if they ask for it!

The ICO have provided a good guide to automated decision making here.

Consider third parties

Many businesses use recruitment agencies to support recruitment of new staff, which means a third party will be responsible for controlling and processing applicant data on your behalf.

Even though you’re handing over the bulk of the work, this doesn’t mean that you don’t need to think about it! You need to make sure that you are completely satisfied that the recruitment agency you’re using meets its UK GDPR obligations.

The recruitment agency will need to be clear with both you and the candidates about how it uses applicant data, and it must identify itself in any job ads.

Once you receive applicant information from a recruitment agency, you then have a responsibility to inform the applicant who you are (i.e. which organisation now has their data!) and make sure they know how you are using their data. Or, if you don’t want your business to be identified just yet, you need to make sure that the recruitment agency is only sending anonymous data – but you should let them know who you are the second you pursue their application further.

Summing it all up, UK GDPR isn’t all that different to the EU GDPR. This means that any GDPR prep you’ve already done should still be valid! But it’s always best to review and make sure everything is wrapped up tightly to make sure you’re on the right side of GDPR – make sure your GDPR privacy notice is solid, don’t keep hold of any data you can’t justify needing, ensure you’re not making decisions purely based on computer systems and only use recruitment agencies who are keeping up with their GDPR obligations!

For more information on UK GDPR, full legislation can be found at or, for a version that’s a bit easier to digest, visit the ICO website and read their thorough ‘Guide to the UK General Data Protection Regulation (UK GDPR)’.