Five things every recruitment leader should know about GDPR

people at work having a discussion

While 2017 saw key markets growing, a number of major legislative changes began to take shape or loom on the horizon. From Brexit to the General Data Protection Regulation (GDPR), we’ve summarised several changes that will have significant business implications in 2018 in our latest Recruitment Outsourcing Insights report.

In our global survey of over 500 HR and resourcing professionals, over 35% felt that the GDPR deadline will have the greatest impact on how they operate.

“With just a matter of months to go until GDPR lands, it is no surprise that a third of respondents believe the legislation will have the greatest impact on their business,” says Ann Swain, Chief Executive of the Association of Professional Staffing Companies (APSCo).

With the aim of harmonising data privacy laws across Europe, the GDPR deadline will see those that work with personal data needing to appoint a Data Protection Officer or a Data Controller to take charge of GDPR compliance. Organisations that do not comply with GDPR can expect fines of up to 4% of annual global revenue, or €20 million, whichever is greater.

“Another point to consider is that companies need to ensure their technology meets data protection and security criteria,” advises Ian Blake, Director of Business Applications, talentsource at Resource Solutions. “This is specifically relevant in the case of automated search tools that find and potentially interact with candidates and their data without explicit consent. I expect these tools to come under increased scrutiny in the months ahead.”

In late 2017 Resource Solutions hosted clients at a seminar called ‘GD-PoweR: Everything you need to know about GDPR in recruitment’. Here are the top five takeaways:

  1. GDPR applies to any personal data, regardless of whether it’s public domain or not (like LinkedIn biographic info) that is collected or processed within the EU, or targets people in the EU from outside.

  2. Consent is just one of the ways that allows the lawful processing of personal data. Other examples are “Contractual Necessity,” regulatory requirement, and where the Controller has a “Legitimate Interest” which is balanced with the rights of the individual.

  3. Documenting how a Controller or Processor makes decisions is vital if there is an inspection by a Supervisor Authority. As an RPO or MSP, Resource Solutions would continue to be a Processor for certain clients in respect of candidate or worker personal data.

  4. Make sure you have a data breach response plan in place and ensure it is tested and works collaboratively with other departments and third-party suppliers.

  5. Do not keep personal data longer than needed. Building a high degree of trust as to how a brand uses and stores Personal Data is critical.

“However, I’d advise business leaders not to buy into the scare-mongering,” warns Swain. “These laws aren’t about fines: they’re designed to protect personal data – data that ethical companies hold for a legitimate reason. Take the introduction of GDPR as an opportunity to clarify internal data processes and build trust – and your brand – amongst target stakeholders.”

Get more insight into IR35, Brexit and other legislative changes facing the recruitment industry in our Recruitment Outsourcing Insights report.


The above does not constitute legal advice. It is given purely as general information, does not take into account the specific needs of your organisation and does not replace the advice provided to you by your external legal advisors or in-house counsel.


Six trends that will impact the recruitment landscape in 2018