GDPR: What does it mean for candidates like you?


If last year’s Word of the Year was ‘youthquake’, this year’s may well be ‘GDPR’.

Interest in the new EU privacy directive has hit fever pitch, not least for those working in cyber security, IT and digital roles – many of whom will be responsible for implementing the legislation in their organisation.

But for all the noise around the change – Google throws up 13 million pages on the topic – confusion reigns. First among businesses, which are unsure about their obligations. Second among individuals.

Candidates for IT roles are acutely aware of the change and concerned about their data rights in the future. So what does GDPR mean for candidates?

This article will explain the regulation from a candidate perspective, including how it relates to personal information held by job boards and LinkedIn – which can often cause irritation for candidates.

What is GDPR?

In case you didn’t know, the GDPR (General Data Protection Regulation), which came into force on 25 May 2018, is an EU directive designed to protect individual data rights by limiting how organisations gather, store and process personal information.

The legislation is designed to bring data protection regulations ‘up to date’ with businesses’ and digital service providers’ use of data today. The legislation applies to all sectors of industry.

Under the legislation, organisations must ensure their customers and contacts consent to being contacted for commercial reasons, or that the organisation in question can justify contact according to their ‘legitimate interest’. Organisations may only process data if doing so provides value for the individual, according to one of six ‘legal bases’ outlined by the legislation.

What does GDPR mean for candidates?

For job candidates, GDPR means having greater control over their data rights. This means:

  1. Being able to instruct recruitment agencies to remove all personal data from their records, and
  2. Knowing that recruiters may only use individual data in activity candidates have consented to, or which the business can justify as being a matter of ‘legitimate interest’.

Once GDPR is implemented, recruitment agencies will also be responsible for making it clear to candidates how they are using their data and, if requested, for ceasing to process it.

In the main, however, many recruiters will continue to obtain, store and use candidate data in the same way as previously.

To understand why, it’s important to understand how recruitment agencies work.

Most recruitment agencies store only a small amount of information on each candidate they work with. This includes CV information, salary expectations and a limited number of contact details, including name, address, email address and contact telephone number. When a candidate is successful in finding a job, the recruitment agency will likely ask for additional information, which can include passport, banking and reference details.

The first batch of information described above is gathered by recruiters in three key legal ways. First, the candidate provides their data directly. Second, the recruiter pays to access candidate data stored by an online jobs board. Third, they obtain the information from LinkedIn.

Often, individuals complain that they’ve been contacted by recruitment teams for irrelevant roles, with the recruiter having got hold of their personal details unlawfully. This is impossible. Instead, this demonstrates that many candidates aren’t aware that in uploading their personal data to online job boards or LinkedIn, this information is made available to other businesses, either for free or at a cost. In reality, this is how recruitment agencies collect most of their candidate data. Many candidates believe that they are uploading their contact details and career history for a specific role, unaware that their CV will be hosted for a considerable time afterward.

Will recruiters no longer be able to contact me, post-GDPR?

Under GDPR, only certain types of data collection will change, and candidates may therefore still be contacted by recruitment teams that they haven’t spoken to before.

Recruitment agencies will still be permitted to store candidate data according to ‘legitimate interest’ – one of the six legal bases outlined in the GDPR regulation. In short, this legal clause states that organisations may process data where they, or the data owner, have a legitimate interest in this processing. Recruitment agencies use data to help candidates find their next role. Both parties therefore have a legitimate interest in the processing of data.

What will change is the nature of consent, which will affect contact with individuals who do not provide their information directly to recruiters.

Under GDPR, agencies may only communicate with candidates that have given their explicit consent to this type of contact (if contact cannot be justified by legitimate interest, as outlined above). This consent may or may not be given by candidates when they upload their CV to a jobs board or LinkedIn, according to the terms and conditions of the platform. This will, in turn, affect whether agents can contact candidates ‘out of the blue’ using information gathered from jobs boards.

Agencies who rely on consent marketing to build their data lists will have to change their methods post-GDPR, because consent from candidates can no longer be assumed. As it stands, candidates give their permission to be contacted by employers and recruiters about relevant roles when they upload details to most job boards. This is how the sites make their revenue: by allowing recruiters to access relevant candidate CV data, for a fee. 319,550 CVs were downloaded from CV Library on a single day in May 2018.

With LinkedIn the situation is slightly different. Users upload their career and contact information to the site, which is made public according to the legitimate interest of LinkedIn and the candidate themselves. Once a recruiter obtains information from the platform, however, it becomes their responsibility as data controller. The recruiter must therefore justify their processing of that data via legitimate interest or by obtaining consent from the candidate in question.

Time to review

GDPR is therefore the perfect opportunity to review where and how your CV is stored online. As a minimum, we’d encourage readers to read the privacy policies of any recruitment sites they’ve used previously. Meanwhile, get to know your recruitment agency better. Ask them where they accessed your data and how they plan to use it to find your next role.

If you’re uncomfortable with your agency’s answers, ask them to withdraw your details from their records, invoking your rights under GDPR. But remember: it’s in the interest of a quality recruitment consultant to work for you, not against you, to find the right role for you. Don’t let one bad experience put you off recruitment agencies for good – especially those who guarantee their performance under a Candidate Charter…