The impact of GDPR on HR & Recruitment

The General Data Protection Regulation (GDPR) is a new European regulation that overhauls existing data protection law and comes into force on 25th May 2018. It standardises the rules across the EU, and the UK has committed to observing GDPR even after Brexit. It will have far-reaching consequences for how businesses look after the personal data they hold, and to enforce the new rules it allows for significant fines: up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious breaches.

For many companies, the IT, legal and compliance departments will be tasked with preparing for GDPR. However, several areas will directly affect the Human Resources department, and it’s important that you’re prepared so that the impact on HR and recruiting is minimal. Many organisations must also appoint a Data Protection Officer (it is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data), so find out who yours is and engage with them early.

Many of your suppliers will be reviewing their terms and conditions to ensure they are compliant. This may mean your legal team has to review new contracts, and you may have to agree to new terms (such as destroying data after a fixed period).

Ian Hudges, CEO of Consumer Intelligence Ltd, says of the new regulations: “GDPR is as much a part of a consumer’s property as the contents of their house. You wouldn’t go into their house and take their property without their permission, and you can’t take their data without their permission. That means you need to give people a reason to want to share their information with you. Companies that focus on what is the benefit for the customer, and are trusted by the customer not to abuse the property they are giving, are more likely to get consent than those who don’t. You have to see GDPR through a customer lens in order to succeed in being compliant.”

Erin Gilliam, Content Marketer at Mopinion, adds: “There is talk of companies being potentially subject to fines issued by data protection authorities should they fail to adhere to protocols. These are said to be fines that are proportionate with the size and/or revenue of the company, meaning that they’re likely to go after the larger companies first. However, this doesn’t necessarily mean smaller businesses are in the clear, as many of these larger corporates happen to work with smaller, niche SaaS providers (third-party software).

“What’s also interesting is that many businesses, despite the upcoming changes in legislation, still have a lax attitude towards the whole affair, which is perhaps a bit unwise. It’s likely that businesses won’t feel pushed to take action until they witness a few large incidents among other businesses.”

To make things simpler to understand, we have split our guide into two parts: firstly, recruitment, and secondly, existing employees.

Recruitment considerations

When sourcing CVs

When you ask candidates to send in CVs, you are asking for personal data. Whether this is via a job board, an employment website or directly by email, you need to tell candidates who you are, why you are collecting the data and on what lawful basis, how it will be processed (or used), how long it will be retained, who it will be shared with, and whether it will be transferred overseas (if, for example, you have offices outside the EEA).

You will also be required to explain how an individual can find out whether you hold data on them, how they can see what it is, how they can have it rectified if it is incomplete or wrong, and how they can exercise their ‘right to be forgotten’ (erasure).

Supplier tip: One of the key changes is that whoever collects the data (the controller) remains responsible for how it is treated, even when another company processes it on their behalf, and must have a written contract with that processor. If you get CVs from recruitment agencies or job boards, they will be looking to ensure they are covered for any access requests from candidates. Because of this, they may ask you to sign new terms and conditions, such as destroying the data after a fixed period, so make sure you understand any new T&Cs!

Security for CVs

Once you have received a CV, there are important considerations from both a technology and a people perspective.

Your IT department will need to ensure you have a secure process covering the storage of electronic documents containing personal data. This may be recruitment or HR software, or files held on access-controlled, encrypted storage; a password on an individual document is not a substitute for proper access control. You should also review who is able to access these documents, whether they still need to, and for how long the documents are kept.

You should also review your document management systems. Suppliers may require you to destroy copies of CVs or personal data after a fixed period, and the individual who sent in the CV may ask what data you hold on them, or ask you to amend or remove it. Being able to find and delete everything linked to one person, including copies in email and shared drives, is much easier if you design the process now.
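The subject access, rectification, erasure and retention handling described under ‘When sourcing CVs’ and ‘Security for CVs’ above, as an added example in Python (not code from the original article or from Bowen Eldridge Recruitment): an in-memory candidate store with a constructed field allow-list, a 180-day retention period and constructed sample data, all of which are assumptions. Erasure removes the linked interviewer notes as well as the CV record, and the audit trail records only record IDs, so that it does not itself become a copy of the personal data you have just erased.

```python
"""Candidate record store supporting access, rectification, erasure and retention.

Added example, not code from the original article. The field allow-list,
retention period, sample candidates and method names are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fields we have a stated purpose for at intake (assumed allow-list).
# Anything else a candidate volunteers (e.g. date of birth) is dropped, not stored.
ALLOWED_FIELDS = {"name", "email", "cv_text", "role_applied"}


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware timestamp (used for received/now times)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class Candidate:
    candidate_id: int
    data: dict[str, str]
    received_at: datetime
    source: str  # agency, job board or direct: needed to honour supplier T&Cs


class CandidateStore:
    def __init__(self, retention_days: int = 180) -> None:
        self.retention = timedelta(days=retention_days)
        self._records: dict[int, Candidate] = {}
        self._notes: dict[int, list[str]] = {}  # interviewer notes linked by id
        self.audit: list[tuple[str, str]] = []  # (action, detail): ids only, no personal data
        self._next_id = 1

    def _log(self, action: str, detail: str) -> None:
        self.audit.append((action, detail))

    def _find_by_email(self, email: str) -> Candidate | None:
        for rec in self._records.values():
            if rec.data.get("email", "").lower() == email.lower():
                return rec
        return None

    def ingest(self, submitted: dict[str, str], source: str, now: datetime) -> int:
        """Store a CV submission, keeping only the fields we have a purpose for."""
        kept = {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS}
        dropped = sorted(set(submitted) - ALLOWED_FIELDS)
        cid = self._next_id
        self._next_id += 1
        self._records[cid] = Candidate(cid, kept, now, source)
        self._log("ingest", f"id={cid} source={source} dropped_fields={dropped}")
        return cid

    def add_note(self, candidate_id: int, note: str) -> None:
        self._notes.setdefault(candidate_id, []).append(note)
        self._log("note", f"id={candidate_id}")

    def subject_access(self, email: str) -> dict | None:
        """Answer 'do you hold data on me, and what?' with everything linked to the person."""
        rec = self._find_by_email(email)
        if rec is None:
            return None
        self._log("sar", f"id={rec.candidate_id}")
        return {"candidate_id": rec.candidate_id, "data": dict(rec.data),
                "received_at": rec.received_at.isoformat(), "source": rec.source,
                "notes": list(self._notes.get(rec.candidate_id, []))}

    def rectify(self, candidate_id: int, field_name: str, value: str) -> bool:
        """Correct one field; refuse fields we do not collect at all."""
        rec = self._records.get(candidate_id)
        if rec is None or field_name not in ALLOWED_FIELDS:
            return False
        rec.data[field_name] = value
        self._log("rectify", f"id={candidate_id} field={field_name}")
        return True

    def erase(self, candidate_id: int) -> bool:
        """Right to erasure: remove the record and everything linked to it."""
        if candidate_id not in self._records:
            return False
        del self._records[candidate_id]
        self._notes.pop(candidate_id, None)  # linked data goes too, not just the CV
        self._log("erase", f"id={candidate_id}")
        return True

    def purge_expired(self, now: datetime) -> list[int]:
        """Enforce the retention period, e.g. a supplier's 'destroy after N days' term."""
        expired = [c for c, r in self._records.items() if now - r.received_at > self.retention]
        for cid in expired:
            self.erase(cid)
        self._log("purge", f"count={len(expired)}")
        return expired

    def holds_personal_data(self, needle: str) -> bool:
        """Check that a string (e.g. an erased candidate's email) survives nowhere, audit included."""
        n = needle.lower()
        in_records = any(n in v.lower() for r in self._records.values() for v in r.data.values())
        in_notes = any(n in note.lower() for notes in self._notes.values() for note in notes)
        in_audit = any(n in detail.lower() for _, detail in self.audit)
        return in_records or in_notes or in_audit


def demo() -> dict:
    """Walk through intake, access request, rectification, retention purge and erasure."""
    store = CandidateStore(retention_days=180)
    cid = store.ingest({"name": "A. Example", "email": "a.example@example.org",
                        "cv_text": "constructed CV text", "date_of_birth": "1980-01-01"},
                       source="job-board", now=utc(2018, 5, 25))
    store.add_note(cid, "phone screen: proceed to interview")
    sar_before = store.subject_access("A.Example@example.org")  # lookup is case-insensitive
    store.rectify(cid, "name", "Alex Example")
    store.ingest({"name": "B. Sample", "email": "b.sample@example.org"},
                 source="agency", now=utc(2017, 10, 1))  # older than 180 days by May 2018
    purged = store.purge_expired(now=utc(2018, 5, 25))
    erased = store.erase(cid)
    return {"sar_before": sar_before, "purged": purged, "erased": erased,
            "residual": store.holds_personal_data("a.example@example.org"),
            "sar_after": store.subject_access("a.example@example.org")}
```

The `holds_personal_data` check is the part worth copying into a real system: after an erasure, search every store you keep, including logs and backups within your control, for the person's identifiers, because an audit entry that quotes the email address you just deleted is itself a retained copy.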

It’s also important to revisit your people policies. One of the biggest changes concerns data breaches: a breach must be reported to the regulator within 72 hours of becoming aware of it (unless it is unlikely to result in a risk to individuals), and the individuals affected must be told without undue delay where the breach is likely to result in a high risk to them. Any oversight here could damage your company’s public reputation as well as attract a fine. One of the key fears for any business is a staff member leaving with access to private company data, so make sure leavers’ access is revoked promptly; this applies to employee data as well as customer data from your core business activity.


Fabio Grech, Partner and Head of Employment and HR at Cardiff law firm, Berry Smith LLP says that “many have criticised our existing Data Protection laws as being somewhat toothless. But under GDPR, workers will have extended rights so, in addition to a right to inspect personal data held about them, workers may be able to insist their data is erased, rectified, restricted or not processed at all. Combined with a much tougher enforcement and penalty regime for non-compliance, businesses who ignore GDPR tread a very thin line. We might find that asserted GDPR breaches are one of the first (and easiest) lines of attack in any employment dispute.”

If you think GDPR is scary, you’re not alone. Many businesses are going to be trying to understand their requirements to protect themselves, their employees and their customers. With this panic, there will be many late-in-the-day requests for new ways of working, or different terms and conditions.

By understanding how GDPR will impact your business, you can mitigate any negative impact and help us all reap the benefits of feeling more secure when we give our personal data to your company.


  1. Identify your Data Protection Officer
  2. Ensure your website terms and conditions are compliant
  3. Proactively engage with your suppliers to ensure you are aware of any changes
  4. Revisit your People policies. Retrain if required.
  5. Review document management processes and software

Erik Severinghaus, SpringCM‘s Chief Strategy Officer & Global Head of Alliances, also advises on the GDPR’s restriction on significant decisions made solely by automated processing: “The basis of this requirement is the idea that no EU citizen should have a potentially significant decision with a negative impact made without human eyes on it. This extends to many areas such as judging work performance and financial situations.

“In terms of how businesses approach it, they must establish best practices that are in keeping with and guided by concepts like Privacy By Design, like:

  • Minimizing the amount of unnecessary data kept on-hand – i.e., not retaining identifying user data infinitely just for the sake of having it.
  • Creating an internal culture built around understanding and appreciating data privacy, monitoring processes and being aware of how user data is treated in the day-to-day.
  • Building out systems that make it difficult to violate data privacy regulations (e.g., workflows that make individualized user data easy to manage and fully delete on a record-by-record basis).”


Written by - David Bowen, Bowen Eldridge Recruitment

Date - 24/10/2017