by Kate Russell

Data protection

The collection, processing, storage and usage of personal data is now governed by The General Data Protection Regulation (GDPR) and The Data Protection Act 2018.

Rights During Recruitment

Candidates have the following key rights:

The right to be informed: Under GDPR you must ‘provide fair processing information’. Inform candidates that you are processing their data, and how you do it. Most companies will already have a Privacy Notice that sets this out, and providing candidates with a link to it from an online application form is the best way to ensure they are informed. If you have identified a candidate in a different way, for example at a networking event or via a recruitment agency, you must provide fair processing information within one month, for example by emailing them a link to your company Privacy Notice. Check that your Privacy Notice includes all the information required by GDPR.

The right of access: Candidates have a right to access their personal data, to have confirmation that your company is processing it, and to access any further data you hold that relates to them. This right already existed under the earlier Data Protection Act, but the way the right of access must be responded to has changed: you can no longer charge for this information and you must respond within a month. This provision highlights the importance of having a clear picture of where all the data your company processes is stored, so you can access it quickly.

The right to rectification: If a candidate requests their data and then spots an error, they have a right to have it rectified within one month. For example, if your data contains an incorrect job title, current salary, or wrong contact details, you will need to amend this quickly. Companies with large recruitment volumes may find it easier to allow candidates to access and rectify their data themselves. Providing candidates with a log-in to their personal profile (a candidate portal) is a good way of managing this, and they can also update CVs and other information at their own convenience.

The right to be forgotten (erasure): Candidates can have their personal data removed if they wish. The time limit for this is one month, although there are some exceptions which entitle you to refuse. For example, you may need to retain personal data to comply with a legal obligation, or because you are processing the candidate’s data for the performance of a task carried out in the public interest or in the exercise of official authority.

Transparency is a key principle of GDPR, so privacy policies should be accessible to candidates at all stages of the application process. Policies should be clear and concise and highlight how you intend to use collected data and for how long.

If automated processes are used as part of your recruitment process, candidates have the right to know this and to be given the option not to be subject to a decision based solely on them if it is likely to have a significant effect.

Only collect data which is necessary and relevant. As a general rule you are unlikely to need sensitive data.

Critically evaluate all the data and questions you ask your applicants; you must also prove that you have critically assessed them.

You cannot hold candidate data indefinitely. You can only keep candidate data for a period that is deemed necessary. Set out in your privacy policy what information you intend to keep, how long you intend to store it for, and how you intend to manage it.

If you use agencies, make sure you deal with reputable, GDPR-compliant recruitment companies. Receiving candidates from businesses that aren’t processing the information legally could affect you.

The GDPR distinguishes between two kinds of personal data: general information and sensitive information. The level of data security, documentation and the measures you take in case of data breaches and leaks depends on the type of data you want to collect.

Examples of the two different kinds of personal data can be seen in the table:

General information: passport, driving licence etc.; journal number; professional memberships; NI number.

Sensitive information: prior offences; racial or ethnic background; political, religious or philosophical beliefs; health, as well as sexual relations or orientation.

As a general rule, you should only collect general information, as sensitive information has much higher information security requirements.

Guidance on processing special category data

In order for the questions in your job postings to be GDPR-compliant, it is important not only that you take a critical look at the data and questions you ask your applicants, but also that you can prove you have critically assessed them.

In practice, this means that you will need a handbook or documented guidelines for questions in vacancies so you can demonstrate due diligence.

It can be helpful to use standardised questions in job vacancies so that you do not have to document and justify the data collection separately for every job listing and post.

Note that you may receive sensitive information directly from applicants (via email or your recruitment system), and that this can become a problem for you. Take measures to ensure that applicants are not prompted or able to send you sensitive information.

In recruitment, consent to process personal data is given implicitly when candidates apply for a role or upload their details to your candidate portal. You must only process this data for this purpose. This comes under being ‘able to demonstrate a legitimate interest’, i.e. that you need to process their data in order to shortlist them for interview, or identify the right opportunity for them.

Best practice for recruitment agencies is to get consent from candidates to process their data, and especially to pass it on to third parties, i.e. the potential employer. It is worth checking that any recruitment agencies you work with have obtained consent from candidates before handling this data. This will provide your business with additional protection against non-compliance.

Make sure you have the right systems and processes in place to protect your candidates’ personal data.

Further Reading

ICO Guide to GDPR