+44 (0) 1634 202 101

GDPR Checklist for internal recruiters

Published by shaddow on

The new General Protection Regulation (GDPR) came into force during May 2018. It’s time to make sure you’re compliant with this handy GDPR checklist for recruiters.

GDPR obliges organisations to manage personal information more securely and acquire individual consents to store and process that data. It covers electronic data and manual filing systems, so that’s pretty much any information that can be used to personally identify someone.

Internal recruiters handle a lot of personal data, from CVs and application forms to proof of address, conviction information and much more.  Our GDPR checklist for internal recruiters should help you to determine how ready you are.

After conducting research, organisations like Trustarc found that approximately 1 in 4 companies haven’t yet started their GDPR implementation.

GDPR applies to you if your organisation:

  • operates within the EU.
  • operates outside the EU offering goods or services to individuals in the EU.

The fines for GDPR breaches are staggeringly high so getting it wrong could be a very expensive mistake. The maximum fine for non-compliance could be €20 million or 4% of your global turnover!

There’s no exemption for small companies and Brexit won’t change a thing, so let’s get straight into GDPR checklist for internal recruiters. It’s not exhaustive nor is it a project plan, but you may find some points that you haven’t considered so far.

GDPR Checklist

We present the following GDPR Checklist for internal recruiters in easy sections. To gain more detailed information about your GDPR obligations, go to the Information Commissioner’s Office and check out the Guide to General Data Protection Regulation

GDPR Basics


Know who your Data Protection Officer (DPO) is. Your DPO will know how the procedures for data beaches and can be a great point of reference for GDPR. It is always advisable to have a DPO, but you must have one if your organisation:

  • is a public authority
  • performs large scale monitoring of individuals such as online behaviour tracking
  • carries out large scale processing of special data categories including criminal convictions.

If you share Personal Information with other organisations, seek written confirmation of GDPR compliance. For example, you may work within a franchise, an Academy Trust or other group of organisations using shared central services. Do not share personal information with another organisation unless you have written confirmation of their GDPR compliance and Consent from the individual concerned. See below for details regarding Consent.

Data Retention Periods

Set data retention limits for each type of information. As good way to start is by creating categories of information based upon sensitivity. For instance, criminal conviction information is very sensitive whilst some photographic evidence of a building project is less so. Retain increasingly sensitive information for decreasing periods.


Update your organisation’s Data Protection Procedures (DPP) to take account of GDPR.

GDPR Consent and data acquisition
  • Consent
    From now on, demand electronic or written consent before you accept personal information. This is a very specific point in the GDPR regulation. The terms of consent should be very clear, particularly if you hold data for children. Terms should state what information you will hold, for what purpose and shared with whom. The method of consent should be explicit and granular and should not default to consent without action. So, pre-ticked consent boxes are not allowed under GDPR.
  • Inform
    For those who haven’t provided you with consent, inform them that you hold their personal data. State the reason for keeping it and seek consent before 25th May 2018. You may not be able to confidently use personal information that has been collected without consent.
  • Withdrawal
    Create a process that allows people to withdraw their consent at any time. This prevents you from continuing to process their personal information against that point of consent. For example, candidates may withdraw their consent to receive job alerts. In that case you may not alert them to new vacancies.
  • Company Handbook
    Control the future acquisition of personal information by your organisation. For instance , you should update sections of your Company Handbook to deny all but HR and internal recruiters the authority to receive CVs from third parties.
Access and Rectification
  • Right to be informed
    Individuals have the right to know that you have their data. They also have the right to access it and to rectify their personal information. Complete a data audit so that you can determine where you are storing personal information and for whom.
  • Subject Access Request (SAR)
    A GDPR best practice recommendation is for organisations to provide secure, self-service access to one’s personal information (Recital 63). If you don’t support this, establish a procedure so that you can validate an individual’s identity and respond to their request. Processing should be free of charge in most cases.
  • Corrections
    Create a procedure to respond to correction requests. Responding to such requests should be non chargeable in most cases. If you offer secure, self-service access to one’s personal information, self-correction should also be supported.
  • Right to be forgotten
    Create a process to manage individual deletion requests because the right to be forgotten is a mandatory GDPR requirement. It is particularly important when the lawful basis for processing personal information is based solely upon consent. Refer to your data audit to check whether you hold personal information on spreadsheets, paper, email, a CRM system etc. If you offer secure, self-service access to one’s personal information, you should consider offering an option to delete one’s personal information.
GDPR Security
  • Security
    Data security is fundamental to GDPR, so being able to evidence secure systems and processes is critical. Email is insecure and you can read Geoff Duncan’s blog to find out why https://www.digitaltrends.com/computing/can-email-ever-be-secure/. If you can’t easily secure, control and manage email in line with a GDPR policy, avoid using it to store personal information. If in doubt, our advice is to delete every email containing personal information such as a CV. That in itself could be difficult to manage across any number of employees.
GDPR Terms
  • Terms
    Make available the terms agreed with any individual under which you are storing and using their personal information. You can make those terms available in a secure, self-service system.

What now?

Our GDPR Checklist for Internal Recruiters suggests that you start with a data audit then work through the other points. Once you know where personal data is, bring your employees up to speed with their obligations. You may have a lot to teach people if you find evidence of any of the following:

  • Distributing personal details on paper.
  • Emailing personal information between staff.
  • Sharing personal information with friends in other companies or with friendly recruiters.
  • Allowing paper copies of personal information to travel home with employees.

Also, control your offline or paper copies of personal information. You should work to avoid situations such as employees leaving branded application forms on public transport, or disposing of CVs in household waste.

Get a GDPR compliant Applicant Tracking System

Ensure your future GDPR compliance by implementing an Applicant Tracking System that acquires candidate consent for you. CVMinder ATS has been acquiring candidate consent since it first launched. It also offers secure, self-service to personal information, supporting review and modification.

Among others, Schools and Care companies use CVMinder ATS because it helps them to manage employment checks and other points of recruitment compliance.

CVMinder ATS is the easiest Applicant Tracking System available. It’s simple to use, quick to deliver and easy to learn. Capterra, part of the Gartner Group, has awarded CVMinder ATS best value Applicant Tracking System 2017 and best support 2017.

Don’t delay. If you want to ensure that your recruitment in your organisation is GDPR compliant, please contact us now for more information or to set up a personal demonstration.

GDPR Checklist footnote

GDPR represents a significant change to the way in which organisations manage and process personal information. It’s great news for individuals and will help to tackle poor practice in the recruitment industry.

This GDPR Checklist for internal recruiters is to help you to think about the tasks ahead and structure your approach. GDPR is a live concern and some of the detail is subject to alteration. However, the main GDPR requirements are clear, so don’t wait for future amendments before getting started.


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *