4 common misconceptions about GDPR: areas where recruitment businesses may make costly mistakes and need to take action ASAP

Written on 15 Aug 2017

The GDPR comes into force in May 2018 and we are now receiving many requests for advice and assistance. Clearly many recruitment companies are starting their compliance programmes, and we think that most companies will take at least 8-10 months to get ready – so time is short.

What is becoming increasingly clear is that there are some incorrect assumptions in the recruitment industry about what the GDPR will require you to do.

We think it is important to make people aware of 4 common GDPR misconceptions which may otherwise mean you are non-compliant in 9 months’ time.


1. “We rely on consent from candidates (e.g. when they come on our website) – we’ll just need to beef that up”

This is a misconception because (amongst other things):

  • Consents have to be explicit and relate to how you are about to process the data – implied or “old” consents will not work, and it will require far more than upgrading what you do at the moment.
  • How will you get consents from people whose details are scraped by your consultants off LinkedIn? This will involve a lot of thinking and may involve major changes to how you engage with candidates so that valid consents are given.
  • Consent is not the only issue and in some cases may limit rather than deliver compliance. Recruitment companies should also look at ways (other than on the basis of “consent”) in which they can lawfully process data – you will need advice about the options and will then need to do a lot of work to implement them.

2. “Recruiters can lawfully process personal data obtained from well-known social media sites – the social media companies will get consents and pass the information on to us. That is their business and they will sort it out.”

Obviously the social media companies are looking at what can be done, but generally this is a misconception because:

  • Third parties such as social media companies can obtain consents for whatever processing they do, but this will not cover whatever you do with the data (which they will often not know themselves) – you will need your own right to process and that will, if consent is what you are relying on, require consent to your use.
  • Even if some sort of solution were available for corporate members of these sites, how would that solution apply when your recruitment consultants use their personal profiles to find candidates and collate information? And it will not be easy to find a solution for corporate members which does not involve some sort of complex agency arrangement, which would transform their and your commercial models.

3. “Software ‘solutions’ will deliver GDPR compliance”

Obviously CRM and ATS software providers are looking at how they can help, but generally this is a misconception because:

  • The GDPR is not just about technical processes, it’s also about organisational measures and “accountability” in a broader sense.
  • For example, what about training? Raising awareness and training your staff is a key part of GDPR compliance – and goes far beyond simply implementing a new software solution.

4. “RPOs, MSPs, VMSs and others involved in staffing supply chains will have a lawful basis for processing all data received from clients, second tier suppliers and payment intermediaries”

All in the supply chain will no doubt be looking at what can be done, but generally this is a misconception because:

  • Third parties (such as clients, RPOs, MSPs, VMSs and 2nd tier suppliers) can obtain consents for whatever processing they do, but this will not cover whatever someone else does with the data – you will need your own right to process and that will, if consent is what you are relying on, require consent to your use (if indeed consent is the best basis for you – it may be better for you to find other lawful grounds for your processing).

Obviously the penalties associated with breach, and the likelihood that clients, RPOs and MSPs may soon start deselecting any suppliers who cannot show full compliance, mean that this will be a critical issue for recruiters in the next few months. We are also now seeing this come up as a key area of concern for prospective investors in recruiters and in M&A deals.

We therefore urge all readers to take action (if they have not yet done so) as soon as possible to ensure they are GDPR-ready and thus able to preserve the hard-won value of their business.

Please let us know if you would like details of our GDPR-readiness packages for recruitment companies, including information about our fixed-price methodology.