HM Insights

GDPR and employment - the application of new data protection rules to the recruitment process

The General Data Protection Regulation (GDPR) is upon us. Many employers have already made changes across their business in relation to key business-wide issues, such as privacy notices, data cleansing and gathering consent.

The work will continue past 25 May 2018, when GDPR goes live.

This blog is the start of a series of brief guides for employers on the necessary considerations and practical action points that may need to be taken as a consequence of GDPR. We will do this by taking you through various points in the employment life cycle, or key contexts within it, starting with recruitment.


New recruitment process, new data protection risks

What method will you be using to recruit individuals? If you are adopting a new method or process for the first time, such as online applications, you will be required under GDPR to undertake a data protection impact assessment, which is effectively a risk assessment for data processing activities. It needs to describe the new process and assess its necessity and proportionality in relation to its purpose, as well as the risks to individuals and the measures in place to address those risks. Considerations about the process should cover who will have access to the personal data, how it will be stored and for how long.


The receipt of an application, whether submitted online or on paper, will inevitably involve the handling of an applicant's personal data. In order for this processing to be lawful under GDPR, the employer must have a 'privacy notice'. A privacy notice sets out to the applicant how and why their personal data will be processed and stored by the employer. An employer could also rely on the legal basis of taking steps to enter into a contract with the individual.

Further, GDPR restricts employers in relation to both automated decision-making and profiling based on individuals' personal data where there is no human involvement. HR tools used to sift online applications may use such techniques. However, this can still be carried out where the processing is necessary for entering into or performing a contract, which would be the applicable legal basis for employers rather than consent.

Employment contracts

GDPR has changed how organisations can ask for consent to process personal data. Consent under GDPR will not provide a valid legal ground for processing where there is an imbalance of power between the individual and the organisation.

Accordingly, many employment contracts will be inaccurate or out of date, as they often refer to the employee consenting to the employer's processing of their personal data. If you are issuing a new employment contract, we should review your data protection clause to ensure it is suitable for the change in legislation and correctly identifies a lawful basis for processing data.

The end of the process and retention of data

Once an applicant has been selected, that will not necessarily be the end of the process in terms of data protection considerations. As noted above, you will need to consider for how long you store applicants' personal data. This is particularly relevant to the new and revised rights that GDPR affords to individuals, including but not limited to:

  • the right to be forgotten - in specific circumstances, individuals can request that their personal data be deleted where there is no compelling reason for it to be held. This may be an issue where an unsuccessful applicant reapplies at a future date;
  • the right to restrict processing - an individual can ask for the processing of their data to be blocked or suppressed. This may present problems if unsuccessful applicants are given reasons for why they have not been successful; and
  • data subject access requests - this existing right for individuals has been modified in terms of both the scope of data it applies to and the timescales involved, both of which are more onerous for an employer.

It's always advisable to seek specialist advice (from us!) if disgruntled applicants make any representations about being unsuccessful in applying for a job. As GDPR beds in, it's particularly important to comply when faced with such requests.

Retention of personal data from recruitment processes also involves considerations beyond GDPR, such as managing the potential risk of a discrimination complaint from an unsuccessful applicant.

We can help

Our specialist data lawyers work hand-in-hand with our specialist employment lawyers and HR specialists to provide balanced and technically sound advice. We can help solve any problems and guide you through any queries you may have. Please get in touch if we can help.