The General Data Protection Regulation (GDPR) is now in force in the UK (from 25 May 2018). The aim of the GDPR is to establish a modern and harmonised data protection framework across the EU. The new framework imposes strict duties on employers in relation to the processing of personal data, with potentially very large fines for a breach of the rules (up to €20 million, or 4% of the organisation’s total worldwide annual turnover if higher). The Data Protection Act 2018, which largely came into force on 25 May 2018, supplements the GDPR in the UK in certain areas. 

GDPR applies to data controllers and processors; as an employer receiving applications, you fall into both categories.

How does GDPR directly impact the recruitment process?

Under the Regulation, when an employer collects personal data about an applicant during a recruitment process, whether this is directly from the applicant or from a third party such as a recruitment agency, it must provide the applicant with an information notice, also known as a privacy notice or fair processing notice.

This notice must set out certain required information, including the purposes for which the data will be processed, the legal bases for processing and the period for which the data will be retained. The employer could provide the information notice on its website, or send a link to or a copy of the notice in correspondence to individual applicants. Where the employer uses a third-party recruitment portal, it could ensure that the details of the vacancy include a link to the information notice.

If you have not done so already, you should put in place policies setting out how long recruitment data will be retained. It is accepted that the employer will need to retain some candidate data for responding to potential employment tribunal claims arising out of the recruitment process. The employer should retain only the minimum data required for this purpose and only until the relevant limitation periods have expired.

If the employer intends to keep the details of unsuccessful candidates on file for future recruitment rounds, it must notify them of this in the privacy notice. It should either obtain the candidates’ consent or notify them of their right to object (if it relies on its legitimate interests as the legal basis for processing).

The policy should cover how the employer will deal with unsolicited personal data, for example, CVs submitted on a speculative basis. The policy could state that if the employer receives an unsolicited CV at a time when it is not recruiting, it will delete the CV and inform the candidate of this. If the employer holds unsolicited CVs on file for future recruitment rounds, it must inform the candidates of this in a privacy notice, along with the other required information.

Candidates have the right under the GDPR not to be subject to a decision based solely on automated processing, for example, automated shortlisting where candidates without a certain level of qualification are automatically filtered out before the applications are considered by the recruiters. Under the GDPR, employers can use automated decision-making only if it is:

  • necessary for entering or performing a contract, which could be the case if there is an exceptionally large volume of applications for each vacancy, for example;
  • authorised by law; or
  • with the candidate’s explicit consent.

If an employer does use automated decision-making, it must advise candidates of this in the information notice. It must also provide safeguards for the candidates, by allowing them to contest the automated decision and by giving them the right to an alternative means of making the decision, using human intervention.

If an employer uses third-party recruiters, for example, a recruitment agency, where the recruiter processes applicant data on behalf of the employer, the recruiter will be a “processor” and will itself have obligations under the GDPR. The employer must ensure that its relationship with the recruiter meets the requirements of the GDPR, for example, it must be satisfied that the processor will implement appropriate technical and organisational measures to ensure the protection of the rights of the data subjects.

So, what’s new? How does this differ from the DPA?

GDPR Compliance

The key elements of GDPR are accountability and data governance.

Controllers and processors need to implement the regulation AND demonstrate that they do so – demonstrate being the key point.

Applicants have additional rights under GDPR in respect of how their data is handled and specifically the right to be forgotten – for example, if I decide to withdraw from a recruitment process I have the right to request that my information is deleted.

However, as stated earlier, the employer also has the right to retain basic information relating to my participation in a recruitment drive under the guise of ‘legitimate interests’ for the purpose of responding to potential future employment tribunal claims. The information retained must be specifically relevant and can only be held for a limited time period.


It is important to note that consent must be obtained. Companies need to put tracking mechanisms in place to ensure they can gather consent efficiently, maintain it and PROVE that consent has been obtained.

Documentation of consent is crucial!

Assuming consent has been given when a candidate sends you their CV is not acceptable. Employers must inform applicants of their privacy policy AND they must obtain confirmation that the applicant accepts this policy.

Regardless of how you receive applications, obtaining candidate consent is your responsibility as the ‘data processor’.

Yet this is where many companies are falling short. I have viewed many ‘careers’ pages over the last few months with companies (large and small) who are still simply requesting applicants to ‘submit a CV’ or ‘Complete an application form’ and email or post the application.

Many of these companies do not have a Privacy Notice relating to candidate applications, nor do they request applicants’ consent to share and store information.


This company has not displayed any Privacy Notice or asked the applicants for consent to share data.

Another example:


This company uses an embedded ‘application form’ or data capture form on its website. Whilst this is arguably more secure than email, again the company has no privacy policy relating to collecting and retaining candidate information. There is no consent or details on how information will be shared in the organisation. If you use embedded data forms such as this, ask your web developer to insert your privacy notice as a link and a ‘tick box’ to confirm applicants accept your policy.

To be GDPR compliant, if you receive applications by email or post, you should contact the applicants (the ‘data subjects’) and send them a link to your privacy policy. You should be able to provide evidence that you sent notification of your privacy policy and informed the applicant of their rights. You could send them an email to confirm receipt of the application and include a link to your Privacy Notice.

Below is an example of the wording you could use:

Dear xxx

Thank you for your application. XXX Ltd has collected and stored your CV/Application and contact details.

We process this data for recruitment purposes only. We are storing this information on/in {insert details of how you intend to store information if not using an applicant tracking system}. We will keep this information until the open role is filled. When that period is over, we will either delete your information or inform you that we intend to retain it for consideration for future opportunities.

Here’s a link to our privacy policy {insert link}. In this policy, you will find information about our compliance with GDPR (data protection law). You can find out how to send us a request to access the data that we have collected about you, delete your data, correct any inaccuracies or restrict our processing of your data.

You have the right to lodge a complaint about the way we handle your data with [supervisory authority] or you can contact our [DPO] at [contact details] for more information or concerns.

Kind regards

HR Department,  XXX Ltd

Recruitment tracker

Spreadsheets are the most commonly chosen method of tracking applicant information when not using an ATS. But spreadsheets have their limitations: you cannot attach CVs, so you will be storing personal data across several access points. This exposes you to risks concerning GDPR compliance, as the audit trail is not linked or fully transparent, with multiple access and version control.

Spreadsheets can be easily duplicated and modified without the owner’s knowledge, and this puts applicant data at risk. Having multiple layers of storage for applicant data makes erasing and correcting data cumbersome.


One of the most essential elements of GDPR is the data subject’s ‘right to be forgotten’, along with the length of time for which data can be stored.

And whilst there are ‘legitimate’ reasons for companies holding applicant data in relation to employment tribunals, applicants do have the right to request their details to be deleted.

If you are collecting and sharing CVs and application forms by post or email, it would be harder to track who has downloaded the information or even printed it to review. You should have in place strict policies and procedures pertaining to who can access CVs and application forms and filing systems that are only accessible to certain personnel.

Data must be destroyed, with a record kept confirming destruction. If using CVs, emails and spreadsheets, you will need to ensure you can delete applicant data from all data entry points; this can be hard to track if you don’t have a connected system.

When using an ATS, however, this process should be much easier. Most ATS systems will have a ‘delete data’ or ‘delete applicant’ function, removing all trace of the application and all personal information.

Delete candidate

Most ATS systems will also have automated purges of information, removing candidate data at set time points, be that 12 months or 24 months, in line with the period you have set out in your privacy notice.


Most applicant tracking systems will have updated their systems to ensure that they and their clients are compliant with the new regulation.

Applicants are required to ‘tick’ a consent box confirming that they have received and read the relevant privacy notice.


Good practice would recommend both the ATS provider and the Employer display their individual privacy notices.


Keeping your applicants informed and your communication ‘transparent’ is a key element to GDPR.

An ATS such as LANDED can help you create communication email templates that will support your Privacy Notice and GDPR policy, as well as giving applicants a smooth and consistent applicant journey across your organisation, not to mention freeing up time dedicated to ‘admin’ and process.


If you aren’t using an ATS, you should consider investing in one, and if you do, it is important to ask the following in reference to GDPR.

  • Do they have GDPR safeguards as data processors? If they aren’t an EU company, they should either be part of the Privacy Shield (for U.S. companies) or be ready to sign effective data processing agreements that oblige them to follow GDPR’s guidelines.
  • Where do they store their data? Your chosen ATS should also be able to tell you where they store their data and how they ensure this data is protected. They should have data processing agreements in place with those subcontractors.
  • Can you have access to their policies? Ensure you review their privacy policies to be certain they comply with GDPR and can adequately protect candidate data.

GDPR does not have to restrict your recruitment process, but it is important in this digital age that you take steps to ensure you protect personal information. LANDED Hiring Software is a recruitment marketing & applicant tracking platform, built on an agile stack platform. We are able to adapt to the ever-changing technological world. Our technology ensures our clients are compliant with all recruitment legislation, including GDPR.

If you want to find out how LANDED can help you create a fool-proof job offer letter, along with other branded and customisable communication materials, get in touch with us today.

Our friendly Client Account Manager, Lauren, would be happy to show you how we can create solutions to your recruitment problems and save you time and money in the long run. Click here to schedule a free demo or sign up for a 14-day free trial today.