GDPR compliance for recruitment agencies
GDPR for recruitment agencies in plain English. What you actually need to do, what you can skip, and how to automate it.
GDPR is not as scary as lawyers make it sound
I handle compliance questions from recruitment agencies regularly. Most of them come to us worried they're going to get fined. They've read horror stories, talked to a data protection consultant who charged them 5k for a report full of jargon, and they're still not sure what they actually need to do.
Here's the reality. GDPR is a set of rules about how you handle personal data. For recruitment agencies, it's mostly about candidate data. The rules are sensible. If you handle people's data respectfully and transparently, you're already most of the way there. Let me break down what actually matters.
Lawful basis: use legitimate interest, not consent
You need a legal reason to process candidate data. Most agencies think they need consent for everything. They don't. For sourcing candidates and matching them to jobs, the correct lawful basis is legitimate interest. You have a legitimate business interest in finding candidates for your clients. Candidates have a reasonable expectation that recruiters will contact them about relevant opportunities.
You do need consent for marketing emails, newsletters, and other non-recruitment-related communication. But for the core activity of recruitment, legitimate interest is the right basis. The ICO (the UK regulator) has confirmed this. Document your legitimate interest assessment and keep it on file.
The 5 candidate rights you must support
Right of access. Any candidate can ask what data you hold on them. You must respond within 30 days. Your CRM should let you export a candidate's full record quickly. If it takes you a week to pull this together, your system isn't fit for purpose.
Right to rectification. If a candidate says their data is wrong, you must correct it. Simple. Update their record.
Right to erasure. Candidates can ask you to delete their data. You must comply unless you have a legal obligation to keep it (like an active placement contract). In practice, this means removing them from your database entirely. Your CRM needs a proper delete function, not just an archive.
Right to object. A candidate can tell you to stop processing their data. Respect it immediately. Remove them from all active searches and campaigns.
Right to portability. Candidates can ask for their data in a standard format so they can take it elsewhere. A CSV or PDF export covers this.
Data retention: set it and automate it
You can't keep candidate data forever. The general guidance for recruitment is 2-3 years from last meaningful contact. After that, either delete the record or get fresh consent to keep it. "Meaningful contact" means they applied for a role, you had a conversation, or they were submitted to a client. A bulk email they didn't open doesn't count.
Set up automated retention rules in your CRM. Flag records approaching the retention deadline. Send an automated re-consent email 30 days before deletion. If they don't respond, delete. This should run in the background without anyone on your team having to think about it.
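The retention rule described above, written out as a nightly job a CRM could run. This is an added example, not code from the original article: it assumes a 2-year window (the lower end of the 2-3 year guidance), a 30-day re-consent lead time, and the constructed sample records shown at the bottom; only applications, conversations and client submissions restart the clock, so an unopened bulk email does not.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
# Events that count as "meaningful contact" and restart the retention clock;
# bulk emails (opened or not) are deliberately left out of this set.
MEANINGFUL_EVENTS = {"application", "conversation", "client_submission"}
RETENTION_DAYS = 2 * 365         # assumed: lower end of the 2-3 year guidance
RECONSENT_LEAD_DAYS = 30         # re-consent email goes out 30 days before deletion
AS_OF = date(2024, 6, 1)         # constructed "today" for the sample run

@dataclass
class Candidate:
    candidate_id: str
    created: date                              # clock start if no meaningful contact yet
    events: list = field(default_factory=list) # (date, event_type) pairs
    reconsent_given: Optional[date] = None     # candidate replied yes to re-consent
    reconsent_sent: Optional[date] = None      # re-consent email already sent
    legal_hold: bool = False                   # e.g. active placement contract

def last_meaningful_contact(c: Candidate) -> date:
    """Most recent date that restarts the retention clock."""
    dates = [d for d, kind in c.events if kind in MEANINGFUL_EVENTS]
    if c.reconsent_given:
        dates.append(c.reconsent_given)
    return max(dates) if dates else c.created

def retention_action(c: Candidate, today: date) -> str:
    """Decide what the nightly retention job should do with one record."""
    if c.legal_hold:
        return "retain_legal_hold"
    deadline = last_meaningful_contact(c) + timedelta(days=RETENTION_DAYS)
    if today >= deadline:
        return "delete"                        # no reply: delete, don't just archive
    if today >= deadline - timedelta(days=RECONSENT_LEAD_DAYS):
        return "awaiting_reply" if c.reconsent_sent else "send_reconsent"
    return "retain"

def plan_retention(candidates, today: date) -> dict:
    return {c.candidate_id: retention_action(c, today) for c in candidates}
# Constructed sample records, not real candidates.
SAMPLE = [
    Candidate("A", date(2023, 1, 1), [(date(2023, 1, 10), "application")]),
    Candidate("B", date(2022, 1, 1), [(date(2022, 5, 20), "conversation"),
                                      (date(2024, 5, 1), "bulk_email_unopened")]),
    Candidate("C", date(2022, 1, 1), [(date(2022, 6, 15), "client_submission")]),
    Candidate("D", date(2022, 1, 1), [(date(2022, 6, 15), "client_submission")],
              reconsent_sent=date(2024, 5, 16)),
    Candidate("E", date(2022, 1, 1), [(date(2022, 6, 15), "client_submission")],
              reconsent_given=date(2024, 5, 20)),
    Candidate("F", date(2020, 1, 1), [], legal_hold=True),
]
```

Running `plan_retention(SAMPLE, AS_OF)` flags B for deletion because its only recent event is an unopened bulk email, and C for a re-consent email because its deadline is within 30 days.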
Privacy notices in plain English
Your privacy notice needs to tell candidates: who you are, what data you collect, why you collect it, how long you keep it, and how they can exercise their rights. Write it in plain English. Nobody reads a 15-page legal document. One page, clear language, on your website and linked in your email signature.
Include it in your application process, on your website footer, and in your initial outreach to sourced candidates. The first time you contact someone, include a line like: "You can see how we handle your data in our privacy notice [link]." That's it.
The practical steps to get compliant
Audit your data. Know what candidate data you hold, where it's stored, and how old it is. If you have records from 2018 with no activity since, delete them.
Set retention rules. 2-3 years, automated.
Write your privacy notice. One page, plain English.
Train your team. Everyone who touches candidate data needs to understand the basics: don't share CVs without purpose, don't keep data longer than needed, respond to data requests within 30 days.
Check your processors. Any third-party tool that holds candidate data (your CRM, email platform, job boards) needs to have a data processing agreement in place.
What an ICO investigation actually looks like
The ICO has fined recruitment agencies. Usually it starts with a candidate complaint. They asked for their data to be deleted and the agency ignored them, or kept emailing them after they objected. The ICO writes to you, asks for evidence of your data protection practices, and reviews your response. If you can show you have a retention policy, a privacy notice, and a process for handling data requests, you're in a strong position. If you can't, that's when fines happen.
The fines for small agencies are typically in the thousands, not millions. But the reputational damage is worse than the fine. Get the basics right and you have nothing to worry about. For more on running a compliant agency, read our guides on recruitment software in the UK, building a candidate database, and starting a recruitment agency.