GDPR – Important Changes Affecting Recruitment Agencies

Posted: 23rd October 2024

New EU General Data Protection Regulation – GDPR - changes will come into effect next year, with these changes directly affecting the recruitment industry.

Here we summarise the changes that will impact recruitment agencies, along with tips on making transitions and updates easier.

The new regulations, that will take effect from 25th May 2018, will bring the UK into line with the rest of Europe by focusing on the accountability of organisations that hold personal data on others.

In a bid to remove some of the fear and dread associated with these GDPR changes it’s worth noting that any business that already complies fully with the current Data Protection Act – DPA – will not find these regulation changes too stressful (like anything, there is of course an element of ‘media’ scare mongering currently). As a recruitment agency, if you’ve already got your DPA grounding set the rest should fall into place easily.

Step 1: Knowledge is Power
Take the time now to make sure everyone in your agency is aware of the changes being made to GDPR. Make sure everyone knows the seriousness of GDPR and the impact it will have on them, the business and how everyone must adhere to new policies and procedures.

Step 2: Appoint A Dedicated GDPR Controller
We’re all familiar with the phrase ‘too many cooks’ so appoint one member of your team as the GDPR Controller. This Controller can then manage all communications, ensuring they are up to date and accurate along with organising a central filing system reference point.

Step 3: Review Your Data Now
Go through all the data you have on your contractors and temps, detailing where data came from, where it is stored, who has access to it – both internal and external organisations - and how it has been used. This includes everything – website registrations, spreadsheets, databases, 3rd parties, time sheets and billing information.

The new GDPR regulations want to see how effective your procedures and policies are in handling this sensitive data and how these procedures adhere to the new rules. You therefore need to prove that everything is documented, stored securely and consented to – see step 5 for contractor/temp consent.

Step 4: Awareness of ICO’s Privacy Impact Assessment
At the same time as the new GDPR updates make sure your team are aware of the Information Commissioner’s Office’s – ICO –Privacy Impact Assessment and their Article 29 Working Party as this will need to be operational within your business practices too.

Step 5: Contractor/Temp Consent
Each and every contractor and temp must be clearly aware of how you store, use and even delete their personal data. What’s more, they must then give expressed permission for you to use their data – not only for use by your recruitment agency but also for use by 3rd parties.

To ensure this consent isn’t missed it is advisable to gain this consent at registration and, where possible, build it into an automated system.

When your contractors and temps sign a contract of terms with your organisation you should include details of all of the areas in which their data is used (as above). This ensures all information on DPA and GDPR is open, honest and transparent – a key point to the new GDPR regulations is your ‘intent’ on transparency over data usage.

This should include a comprehensive section on how you effectively delete all their personal data should they leave your organisation.

Step 6: Data Policies and Privacy Information
As we’ve previously mentioned, if you are up to date with your DPA much of this will fall into place with relative ease, as will this step. Ensure that your organisation’s data policies and privacy information is up to date, taking into account these new changes that will alter your existing information.

Remember, privacy information exposure is a legal requirement, it must be written simply and have the express consent from your contractors and temps, again, opt out tick boxes are not acceptable, they must expressly opt in.

Step 7: Data Breach Process
Any breaches in data have the potential for your contractors and temps to fall victim of identity theft or their confidential information being exposed. Therefore, under new GDPR rules if any data breach has occurred you will be required to inform the ICO immediately.

You must also ensure that you have the correct procedures in place that will enable you can detect where the breach has come from and have the means investigate how and why it happened, along with putting in place an action plan to prevent this happening again.

No Compliance GDPR Fines
Again, whilst not to scare monger, the EU do mean business on this. The new GDPR regulations will protect an estimated 750 million people in the EU. Failure to comply with these regulations will see hefty fines being issued – as much as 4% of global income or million, whichever sum is greater!

So, as time is money and money is time, think about GDPR now. Putting in the time now could save you money in the long run. Follow this advice and you’ll be firing on all cylinders come 25th May 2018!


Image courtesy of Stuart Miles at