• 4 min. read

GDPR and the consequences it will have on your recruitment strategy

Since this regulation is considered to be the most important change over the last 20 years, all companies, no matter the size or industry, are preparing for this event.

Written by Daniela Costa

This is the second part of our series of articles on the new GDPR guidelines that will come into effect on May 25th 2018.

106 days, 10 hours and 29 minutes. This is time that is displayed on the European GDPR website: the exact time until the enforcement of the General Data Protection Regulation, better known as GDPR. Since this regulation is considered to be the most important change in data protection of the past 20 years, all companies, no matter the size or industry, are preparing for this event. One of our last articles already explained the general implications of GDPR. However, we’re not clued up about how it’s put in practice and the challenges it will bring for the HR departments.

Let’s first wrap up the two goals that the GDPR aims to accomplish. Firstly, it will uniform legislation throughout the European Union and secondly, its goal is to increase protection of personal data that is gathered from an identifiable natural person. The GDPR will be applicable as of May 25th 2018 and will have serious consequences for the recruitment industry. The most important aspects are explained below.

Personal Data

Recruiters manage a lot of data: personal information as well as data of candidates and freelancers. Let’s start by explaining the term “personal data”. In legal terms, personal data is defined as: “Any information relating to an identified or identifiable natural person”. More concrete will GDPR regulate all personal data that candidates upload when applying for a specific position: the CV, cover letter, contact information, notes of a personal interview, e-mails, etc. All this data, and how it’s processed, will be subject to GDPR regulations. So it’ll be a big shake up for HR departments. But what exactly do you have to do to ensure compliance?

Specific actions

If candidates apply for a position in your company, you will process this data for the follow-up of the application process. You’ll still be able to store and use this data after May 2018, but there are a few actions you’ll have to undertake from now on. More specifically, the following aspects have to be taken into account:

  1. Candidates need to know why you are asking for their information: be clear about the purpose and publish a ‘candidate terms of use’. This document should include the terms and conditions about how your company processes data of candidates. For example: how do you store information, how long will it be stored, reasons for storing data, candidate rights, … Transparency is KEY!

  2. The data cannot be stored for an unlimited time period. Very inconvenient for companies that create their own ‘talent pool’ for future positions. What can you do about it? Well, first of all, after a certain period of time, you should explicitly ask candidates again about their consent to keep the data. This can be done by e-mail for example. If you get a negative answer or you don’t get any answer at all, you are obliged to delete all information about that candidate and his or her application.

  3. Who are the external stakeholders you work with to search for the best employers? These can be recruitment agencies, providers, consultants, .. Communicate with them about how they are preparing for the GDPR and ask how they plan to approach GDPR and data processing.

  4. Document how you process the data and clearly describe how information is stored and used during your recruitment process. Map out the ways candidate can apply, make sure it is clear how you ask the candidates for their consent and specifically describe how long you’ll store the data.


Who will be responsible for a Data Breach? If your business is hit by a data breach, meaning the unintentional release of private or confidential information to an individual that is unauthorized to access this information, it should be reported to the supervisory authority within 72 hours after the awareness of it. The only exception will be if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. But this again is really vague, so you better be prepared. This notification should contain the following points: The nature of the breach, the name and contact details of the DPO and describe the consequences and measures taken.


Violating the conditions of GDPR can induce serious penalties. More specific: a company at breach can be fined up to 4% of total turnover or €20 million, depending on which amount is larger. Controls will be performed because of an internal complaint or on own initiative. The investigators will first give a warning, then they’ll impose a fine.

As you see, a dramatic shift is needed in terms of engaging with candidates and the way you’ll process data in HR. Despite the many challenges GDPR brings for HR teams, it will also help your company to strengthen brand image and CSR. If you are in line with the regulations, respect is gained for how you process personal data and for how you respect the privacy of the people you work with.

Have a look at our other articles about GDPR: GDPR: 8 Key Changes on Data Protection


Skeeled offers you the perfect opportunity to bring innovation and digitalisation to your hiring. Check our website or our LinkedIn and Facebook pages for further information.

Thanks for reading and see you next time!

Your team here at skeeled

Subscribe to get the latest insights on recruitment and talent acquisition delivered right to your inbox.