What does GDPR mean for recruiters?

Some say Armageddon, most likely, and I am inclined to agree, but in the medium term I think it will bring some benefits.

Before we get our feet wet, let me lay out why I believe there is so much ignorance and why so many businesses are at enormous risk. There are two reasons that crop up again and again. The lesser one first:
Brexit has led many people to kid themselves that somehow they will escape this legal requirement, or that the fines will be smaller because of Brexit. Take it from the ICO: this is not the case.
Complexity is the biggest problem. The legal aspects are clear enough to a lawyer, but she knows nothing of the process and technical issues underlying the problem, and she is often, through no fault of her own, advising on the basis of false or unsafe assumptions. That of course is your problem, not hers. Security is fairly straightforward to a security expert, but he knows less of the legal aspects and little of the underlying process issues. The same applies to domain experts and to helicopter-view C-levels and directors. Suppliers are offering advice, but they are not accountable and many are plainly not well clued up either. The result of all this is a catastrophe waiting to happen for someone, and nobody is more vulnerable than the recruitment industry.
Let's get the boring stuff out of the way and just list the really clear points about how this affects everyone in business in Europe, including recruiters.
Let’s get the boring stuff out of the way and just list the really clear points about how this affects everyone in business in Europe including recruiters.

  1. Everyone who resides in Europe is protected, not just citizens, and even if we were daft enough to spend tens of millions creating our own flavour, it would end up identical, because otherwise we can't trade with Europe.
  2. It refers to personal data (what many people call Personally Identifiable Data, PID), and this definition does not exclude data that has had the obvious identifiers removed, because the person can still be re-identified via practices already in use such as remarketing, mobile phone records, post-codes, Facebook and so on.
  3. Unless you can show a lawful basis for collecting and storing this data, typically that it is necessary to provide your product or service to that person, you can't collect it and store it. Simply calling them "Passive Candidates" won't cut ice.
  4. The customer must be aware that you are going to collect it and why, and must agree overtly, by a clear affirmative action, not by forgetting to untick a pre-ticked box and not because of a clause buried deep under something else.
  5. You can't share this data with anyone, including outsourced partners such as payroll, unless a. the customer has agreed, b. you have written agreements and processes in place to protect the customer, and c. you can guarantee to be able to destroy it on request in all its forms and copies. No sweeping statements or clauses will cover you.
  6. Once you collect PID you are responsible for anything untoward that happens to it, regardless of how or who. The buck stops with you (you, meaning the board member accountable).
  7. You have to take active steps to ensure that this data is accurate at all times, and the customer must be able to make changes and be made aware of any changes or additions made by you or your agreed partners.
  8. You have to be capable of dealing within a short time frame (one month, extendable only for complex cases) with requests to see, change or destroy a customer's data, or to pass it intact to a named other business.
  9. You have to be able to produce an audit of all activity to prove that you have received and maintained the permissions and done everything required of you to protect the customer, i.e. demonstrate compliance.
  10. You have to be able to prove that you carried out an impact assessment for high-risk processing and have addressed all the impacts you identified. Not identifying obvious impacts will not be a get-out either, by the way.

OK, that is not the whole thing in all its glory and detail, but it is a good basis to begin from, and it is quite neat to stop on no. 10.

To-Be state

Let's refer to the above account as the To-Be state, i.e. where a recruitment firm needs to get to by 25 May 2018, in terms of mindset at least.


As-Is state

The current state is truly a shocking sight and, without doubt, of all the industries it is the worst cauldron of data protection crime. It represents pure disdain for the data protection law we have had in place since the Data Protection Act 1998, never mind GDPR.


Random collection and hoarding of data

The central theme of a modern recruitment agency is collecting CVs. In fact, if you listen to conversations you will probably come away realising that in their world a CV owns an unfortunate candidate rather than the other way around.


Adding subjective opinions and stolen data

They all run very expensive ATS systems like Bullhorn, Workable, Taleo and many more that parse these CVs, fetch them off job boards, email people for more, cross-reference them with social media, then scrape all the personal information from those profiles, and much more.

Forcing people to agree to terms

Here is the biggest problem: people's jobs are super important to them, so a recruiter can have undue power and influence for a short time, and during this time, if you are told, as indeed you are, that providing this data and agreeing for it to be kept and shared etc. is not optional, then you will agree. That is not agreement in a legal sense though (consent has to be freely given), and recruiters will be made an example of, no doubt about it.

Assuming ownership of the data

If you tried to get that CV deleted, you would currently be simply refused. I tested this, and if you asked to see what notes they had made and make sure they were accurate, you would be refused. Even if they wanted to, they couldn't.

Sharing CVs randomly as samples to get the new account

Sharing CVs with no restrictions and no way to control how that data is used or how it can be corrected or destroyed.

Sharing sensitive and illegally obtained data

Asking someone their date of birth has been a red flag under UK age-discrimination law for more than a decade, yet I recently turned up to begin an interim stint at a UK semi-public body to find they had been supplied my DOB and were using it as my initial password to log into their system. A date of birth is about as weak as an initial credential gets: low entropy, and known to anyone who has seen a CV or a passport scan.
Collecting forbidden information illegally

After some digging I discovered that when they demanded a scan of my passport to prove citizenship, they had read the DOB and entered that, then they had shared the data with their client. No, I am not making this up.

Making a living out of reselling other people's information

There is at least one organisation that takes CVs from recruiters and then rewrites them (a common practice anyhow) and then shares the rewritten CV with other recruiters for a fee.
Many requests over the years to delete my record have failed on every attempt. At one point there was a market in bulk CVs sold between CV search boards; hopefully this has stopped.
Job boards will now be responsible for any CV they allow to be downloaded, and that should lead to some changes.

Gap analysis

I'll leave you to do the gap analysis . . . have fun!



Speaking with recruiters in the course of the past week made it clear to me that they are blissfully unaware of these changes, or that their current behaviour is wrong. That leaves a very short window to execute root-and-branch change of process, culture, behaviour, mindset and technology without bringing productivity to a standstill.


In summary

The sad part about all of this is that recruiters not only gain nothing at all from most of this questionable or illegal behaviour but, in fact, it costs them a lot of time, hard discs and, worst of all, loss of focus on the real value proposition. Old habits are hard to break, at least until the first one gets slapped in the face with a fine of 4% of turnover; that will focus some minds for sure.
For these guys we are talking a whole year of EBITDA, and there is no comfort in the headline figure: the maximum is €20m or 4% of worldwide annual turnover, whichever is higher.

In the long term I predict it will have a painful but beneficial impact on the recruitment industry.
