The GDPR deadline looms large, but many recruitment organizations are far from ready. The new regulation brings about numerous changes, and all organizations handling personal data of EU citizens have no choice but to become compliant or face severe financial consequences. In this article, I look at the ways the new regulation affects recruitment and present some of the key 2018 GDPR data you must know in a handy infographic.

How the GDPR affects recruitment

The General Data Protection Regulation (Regulation (EU) 2016/679) comes into force on May 25, 2018. It was designed to give individuals more control over their personal data, as well as simplify the data protection environment. As stated in the European Parliament press release, personal data now denotes any information which is related to private, professional or public life. It includes names and surnames, photos, email addresses, bank details, social media posts, medical information, IP addresses, and so forth.

Based on the new regulation, candidates (referred to as “data subjects”) are now granted more rights, including the right to have their information erased from all systems (the right to be forgotten), to have inaccuracies corrected, and to withdraw consent at any time. The regulation puts the responsibility to comply with candidates’ requests on the entity storing or processing their personal data, and those who don’t treat it seriously could face high fines.

There are a number of things you have to do to ensure compliance with the GDPR as a recruitment organization:

Collecting, processing, and storing data:

  • Map your data collection and storage mechanisms, and question whether you need the data and how you obtained it. Review all places where you store data, including emails, spreadsheets, ATS, and internal databases
  • Ensure all data is obtained by explicit consent, with no default consent and no pre-ticked boxes used anywhere in your recruitment process
  • Make sure you’re not hoarding data, because you must be able to justify why you’re storing it. This is especially important in the context of sourcing because you need to have a legitimate interest in a passive candidate before storing their personal data
  • Review your current candidate rejection procedure. You must delete personal data of candidates you won’t be considering for other positions in your organization. It’s possible to keep processing data of candidates who were not selected for a particular position but are considered for another role, but they need to be informed and given a chance to opt out
  • Introduce the right methods to accommodate candidates’ requests, such as the right to be forgotten. This means you need to be able to delete a candidate’s data from all systems where you store it within one month

Contacting candidates:

  • Contact individuals only through channels they have opted in to
  • NEVER contact unsubscribers regardless of why you want to do it
  • Make sure to alert all your employees of the GDPR impact so they never call or email candidates when they shouldn’t


Policies:

  • Review and update your current policies to make sure they are consistent with the changes you’ve introduced to prepare for the GDPR. All policies must be transparent and use clear and concise language
  • Make sure you have copies or links to your policies available to your candidates

Third party services:

  • Look at job boards, your suppliers (including software suppliers) and other parties involved in your recruitment process and look for potential non-compliance issues

Security measures:

  • Take all measures to avoid misuse and exploitation of personal data, which means you need to introduce a sufficient level of security and be able to maintain it over time
  • Report all breaches within 72 hours from the incident
  • Keep records of everything you do to comply with the GDPR
  • Consider appointing someone responsible for data protection (depending on what kind of data you collect, store or process)

The GDPR penalties

Penalties for non-compliance are severe and reach up to 4% of the global annual turnover of the organization. Depending on the gravity of non-compliance, you may be forced to pay:

  • 10,000,000 EUR or 2% of the global annual turnover in the case of organizational or technical non-compliance
  • 20,000,000 EUR or 4% of the global annual turnover in the case of serious breaches related to core principles of the GDPR

Interestingly, the GDPR applies to data controllers, processors, and subjects based in the EU. Unlike the current directive, it also applies to organizations outside the EU that process personal data of EU residents.

GDPR infographic: key facts

To help you get ready for the GDPR, at Devskiller, we’ve created a GDPR infographic presenting vital GDPR facts:

GDPR Get Ready

Are you prepared for the GDPR?

Because it relies so heavily on personal data, HR is one of the main industries to be affected by the new regulation. The new law goes into effect on May 25th, 2018, and if you want to be ready, you have to start auditing your recruitment process and making the necessary changes now, or face severe penalties.



Co-founder & Marketing Guardian at Devskiller, the powerful tool to assess developers’ skills. Kate is a technical hiring expert and co-author of the book IT recruitment process that works: Proven strategies, industry benchmarks and expert intel to supercharge your tech hiring. She is passionate about HR tech, strategic planning, and change management. You can follow her on LinkedIn to keep up to date with the latest trends in tech recruitment.