Recruitment Matters explores what steps the REC is taking to ensure all members are GDPR-fit.

The General Data Protection Regulation – better known as the GDPR – comes into effect on 25 May. The REC’s GDPR workshops have sold out across the country, plus a new range of GDPR-compliant documents and policies are available for members on the REC website.

In May, new data protection rules will impose greater obligations on organisations, while giving more rights to individuals about how their personal data is processed.

Recruitment businesses handle significant amounts of personal data daily and should be ready for the coming changes.

There is a lot of concern about the changes, but to quote the Information Commissioner’s Office (ICO), this is an ‘evolution not a revolution’. Data protection legislation has been a facet of UK legislation for 20 years.

The REC has been proactive in preparing members for the GDPR’s arrival. It has produced factsheets, guides, plus model documents and policies that you can use to ensure you’re compliant come 25 May.

Who does the GDPR apply to? 
The ICO has outlined these key definitions:

  • The GDPR applies to ‘controllers’ and ‘processors’. 
  • A controller determines the purposes and means of processing personal data.
  • A processor is responsible for processing personal data on behalf of a controller.
  • If you are a processor or controller, the GDPR places specific legal obligations on you. You are required to maintain records of personal data and processing activities (in certain circumstances). You will have legal liability if you are responsible for a breach.
  • If you are a controller, you are not relieved of your obligations where a processor is involved. The GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
  • The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
  • The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

What information does the GDPR apply to?
According to the ICO, the GDPR applies to ‘personal data’, meaning any information relating to an “identifiable person who can be directly or indirectly identified by reference to an identifier”.

“This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people,” it says. 
The GDPR applies to both automated personal data and to any filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised – eg. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to an individual.

What lawful reasons are there for processing personal information? 
Under the GDPR, there are six lawful bases to process an individual’s personal data and 10 lawful bases to process sensitive personal data. Although recruiters are most familiar with the legal basis of consent, it should be noted there are times where it may not be appropriate to only rely on consent. There are other lawful reasons that you can rely on to process personal data.

The six lawful reasons to process personal data under the GDPR (and currently under the Data Protection Act – DPA) are explored in the REC’s GDPR guide. These three are the most relevant for recruiters.

1) Entering into/the performance of a contract
Recruiters will be able to process personal data if processing is necessary for the performance of a contract or is necessary for the data subject to enter into a contract. In practice, this could be when a recruitment business processes personal data to provide their services to a candidate and enter into a contract with them.

2) Necessary for the compliance of a legal obligation
The GDPR will allow recruiters to process personal data when processing is necessary for them to comply with a legal obligation. For example, recruiters have a legal obligation to comply with the Conduct of Employment Agencies and Employment Businesses Regulations 2003 to retain records for at least a year after their creation and at a least one year after the date on which they last provided work-finding services. Other records also have to be kept for different periods of time because of legal obligations, eg. payroll records. You can find more information in the REC’s record keeping table available on the REC website.

3) Necessary for the purposes of a legitimate interest
Currently, the DPA recognises that an organisation may process data for its own legitimate interest or for the legitimate interest of a third party to whom it may disclose the personal data to. A legitimate interest essentially means a legitimate reason to process data. The GDPR highlights that consideration must be given as to whether someone can reasonably expect their personal data to be processed for a purpose. Recruiters will have to determine whether they have a legitimate interest to process a candidate’s personal data.

Find out more about how the GDPR will affect you at

LinkedIn Shutterstock

Legal update: GDPR news

Do recruiters need consent to process personal data?

Legal 17 April 2018