How will the General Data Protection Regulation (GDPR) affect the processing and retention of recruitment data by employers?

Under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), when an employer collects personal data about an applicant during a recruitment process, whether directly from the applicant or from a third party such as a recruitment agency, it must provide the applicant with an information notice, also known as a privacy notice or fair processing notice. This notice must set out certain required information, including the purposes for which the data will be processed, the legal bases for processing and the period for which the data will be retained (or, where a fixed period cannot be given, the criteria used to determine it). Where the data is obtained from a third party rather than from the applicant, the notice must be provided within a reasonable period and in any event within one month. The employer could publish the information notice on its website and send a link to, or a copy of, the notice in correspondence with individual applicants. Where the employer uses a third-party recruitment portal, it could ensure that the details of the vacancy include a link to the information notice.

Employers should put in place policies setting out for how long recruitment data will be retained. The employer will need to retain some candidate data for the purpose of responding to potential employment tribunal claims arising out of the recruitment process. The employer should retain only the minimum data required for this purpose and only until the relevant limitation periods have expired. If the employer intends to keep the details of unsuccessful candidates on file for future recruitment rounds, it must obtain the candidates' consent to this.

The policy should cover how the employer will deal with unsolicited personal data, for example CVs submitted on a speculative basis. The policy could state that if the employer receives an unsolicited CV at a time when it is not recruiting, it will delete the CV and inform the candidate of this. If the employer holds unsolicited CVs on file for future recruitment rounds, it must inform the candidates of this in a privacy notice, along with the other required information.

Candidates have the right under the GDPR not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning them or similarly significantly affects them. Recital 71 of the GDPR gives "e-recruiting practices without any human intervention" as an example of such a decision, so this covers automated shortlisting where candidates without a particular level of qualification are automatically filtered out before the applications are considered by the recruiters. Under the GDPR, employers can use automated decision-making of this kind only if it is:

  • necessary for entering into, or performing, a contract with the candidate, which could be the case if there is an exceptionally large volume of applications for each vacancy, for example;
  • authorised by law (where that law itself lays down suitable safeguards for the candidate); or
  • based on the candidate's explicit consent.

If an employer does use automated decision-making, it must tell candidates about it in the information notice, including meaningful information about the logic involved and the significance and envisaged consequences of the processing for them. It must also provide safeguards for the candidates: at a minimum, the right to obtain human intervention, to express their point of view and to contest the automated decision.

If an employer uses a third-party recruiter, for example a recruitment agency, that processes applicant data on the employer's behalf, the recruiter will be a "processor" and will itself have obligations under the GDPR. The employer must ensure that its relationship with the recruiter meets the requirements of the GDPR: it may use only processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures to protect the rights of the data subjects, and the processing must be governed by a written contract containing the terms that the GDPR requires. Where the recruiter decides for itself why and how candidate data is used (for example, by keeping candidates on its own books for other vacancies), it will be a controller in its own right for that processing, with its own obligations.

The GDPR will apply from 25 May 2018.