Posted 20 February 2018
by Dan Griffin

Recruiters, Are You Ready for the GDPR?

The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018. If you are a recruiter, you should be concerned about the GDPR. Compared with most businesses, recruiters regularly process large amounts of personal data, so they will need to understand the new regime and are likely to be targeted for enforcement action.

How Tozers can help recruitment agencies comply with the GDPR

We will provide you with documentation, advice and training which addresses the greatest risks to recruiters in the most cost-effective way. We target this in the following areas:

Candidate data

What you need to consider:

  • Obtaining consent to use candidates’ data will become more difficult, so consider an alternative lawful basis for processing, such as legitimate interests
  • Candidates gain enhanced rights to access personal data and have the right to be forgotten. Candidate data needs to be easily transferred or deleted
  • Recruiters become directly responsible to candidates for breaches by data processors such as payroll or umbrella companies.

What we can do to help:

  • Assess whether your candidate data is obtained and processed correctly and provide checklists for dealing with candidate data, including advising on obtaining consent
  • Provide written guidance on responding to candidate requests for data
  • Review and amend your contracts with suppliers of data processing services.

Employees’ data

What you need to consider:

  • Check your procedures and policies for ensuring employee GDPR rights, e.g. to have their data deleted or to comply with a subject access request
  • Review your employment contracts and data protection policy to ensure staff are contractually required to comply with the GDPR
  • Ensure you have procedures in place to detect, report and investigate data breaches.

What we can do to help:

  • Assess whether employee data is processed correctly
  • Provide GDPR compliant employment contracts and a data protection policy
  • Train HR and management on how to comply with the GDPR.
What you need to consider:

  • All recruiters must display a detailed, GDPR compliant privacy notice on how personal data is used.
  • Deemed consent or pre-ticked boxes are no longer sufficient justification for sending marketing emails. Consent must be opt-in and website forms may need amendment to achieve this.
  • Existing marketing contact databases will need to be audited for compliance; old data will also need to comply with the new rules once they come into force.

What we can do to help:

  • Provide new GDPR compliant privacy and cookie notices
  • Amend your website to ensure email addresses are obtained by proper consent
  • Provide guidance on how to record and store marketing contacts.

Speak to our data protection team on 01392 207020 or email

About the author

Dan Griffin

Associate and Solicitor

Associate within commercial litigation