GDPR is a new regulation launching in May 2018 and concerns citizen transactions that happen within the EU. Failure to comply could result in a fine of up to €20 million.

The recruitment industry handles masses of personal data every single day. At Chameleon-i, we want to help get your recruitment agency GDPR-ready and have prepared a useful guide for you to check out.

What is GDPR?

GDPR stands for ‘General Data Protection Regulation’ and it requires businesses to protect the private and personal data of people in the EU.

On the 25th May 2018, the law will be enforced and will affect any organisation holding data on customers, employees or prospects.

The aim is to give citizens more control over their own data and GDPR will serve to replace the 1995 Data Protection Directive.

This regulation will affect any business across the globe, not just within the EU. Any company dealing with the data of EU citizens, businesses or residents will have to comply.

What is personal data?

‘Personal’ data means any information relating to an identified or identifiable natural person.

Examples of personal data include:

  • A name and surname
  • A home address
  • An e-mail address
  • An identification card number
  • Location data
  • An Internet Protocol (IP) address
  • A cookie ID

It doesn’t matter what technology processes the data, whether it be automated and manual processing.

Your data could be stored on a computer, recorded on video surveillance, or written on paper.

Who should be concerned with GDPR?

All organisations that collect and/or store personal data are responsible for adhering to GDPR.

Article 4 of the GDPR states the different roles for personal data process:

  • Controller
    The controller determines the means and purposes for processing personal data.
  • Processor
    The processor is responsible for processing personal data on behalf of a controller

You can find out more information on the contracts and liabilities between controllers and processors in the ICO GDPR guidance report.

What if businesses fail to comply with GDPR?

If a company fails to comply with the new regulation, there are two levels of fines:

  1. A fine of up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher
  2. A fine of up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher

The fines will be decided on a case-by-case basis.

The extent of which, will be ascertained when looking at the intention, the number of people affected and if there are any previous infringements by the controller or processor.

What is a breach of data protection?

A personal data breach is when data that is sensitive, confidential or protected is disclosed without authorisation.

Examples of data breaches include confidentiality, integrity, or availability – such as sending personal data to an incorrect recipient, lost or stolen computers that include personal data, or deliberate or accidental action by a controller or processor.

If a personal data breach occurs and the controller has implemented the technical and organisational measures that are appropriate to the situation – for example, data encryption – communication with the data subject may not be required.

If a personal data breach occurs and is likely to risk the rights and freedoms of individuals, then those concerned directly must be informed without delay (or no later than 72 hours).

The individual concerned must be::

  • Given a contact point where the information can be obtained
  • Given a description of the likely consequences of the personal data breach
  • Given a description of the measures that will be taken or have already been taken

What does it mean for recruitment agencies?

All organisations must be sure that their employees have a clear understanding and guidance on GPDR.

Procedures must be put in place to assure that your agency is transparent to candidates about the collection, storage, and usage of their personal data.

Recruitment agencies will need to focus on responsibility, consent, and transparency.


You must take direct responsibility for your own compliance (and be able to demonstrate all stages of consent between both the candidate and your agency within your records).


Separate consent must be required for separate processing activities, such as vacancy registration and promotional e-mails. From sign-up, the user must be told exactly what their personal data is for.


All CV submissions to employers must be for a valid and specific role. The recruiter must give the candidate vacancy details before the CV is sent.

What do I need to do to prepare my recruitment agency for GPDR?

Data audit completion

  • What data do you hold, where is it held and why do you hold it?
  • How regularly do you review the data for accuracy?
  • How long do you keep the data?
  • What medium are authorised to use?

Once you have worked out the bullet points above, it will be easy to identify the areas and processes of data extraction come the 25th May 2018.

It’s important to be transparent, accountable, and compliant with the new regulation. With a full understanding of the processing of candidate data in your recruitment agency, you will be GPDR-ready.


Make sure all members of your recruitment agency is aware of the GDPR and how it affects them. You must also include any suppliers or job boards you work with or anyone else that has access to your data.

The Data Protection Officer

As a recruitment agency, you undoubtedly have access to personal data, therefore it may be wise to appoint a Data Protection Officer (DPO) or consult legal professionals.

This individual can create and see through a plan of action to ensure compliance before the GPDR comes into effect. They can undertake the creation of documents, onboarding, data processes and candidate’s data and consent.


Over time, candidates may become inactive – the establishment of retention periods will help with up-to-date information and a responsive database.


Active users must be asked if they would like to stay in your database. This can be used as a chance to see if they would like to be updated via other forms of communication.

Data and privacy policies

Review and update your data and privacy policies and inform readers what data you are collecting, and why you are collecting it. They must include:

  • Objectives
  • Topics covered by the policy
  • An outline of why the policy is needed
  • Contacts and responsibilities
  • How to handle violations

The policies must be:

  • Concise, transparent, easily accessible
  • Easily understandable and written in plain language
  • Free

GDPR : a conclusion

The General Data Protection Regulation changes the legal bases for collection and processing personal data. A vast amount of data that is dealt with by recruitment teams on a day-to-day basis,  and with stricter requirements surrounding consent, agencies must be prepared for change.

Transparency is key at every stage of data collection from an individual. All information regarding personal data must be clear and intelligible, as well as easily accessible by agencies.

Now you’re GDPR-ready! If you have any questions, please <link to contact>contact us</link to contact> and we’d be happy to answer