J&C Associates > Blog > Recruiting & Recruitment Industry

GDPR - Wrong? Update to Previous Blog


We previously wrote an article about GDPR and I think it’s important to hold your hands up when you get something wrong or the facts have been exaggerated. 

I was sucked in by all the harbingers of doom, the consultants and legal teams peddling their expertise and demanding we spend £000s to become more compliant, more consent-driven while changing every process known to man, woman or child.

It is true that you should sweat about GDPR (we did... a lot) and it is absolutely true that all companies should respect people’s data and not abuse it and certainly not sell it. And we never have and never will!

And it is also true that it would be great if we could shut down those spammers once and for all and that if you gave your details to a company that they would never, ever share them with anyone else. So, let’s hope GDPR ushers in a lot of change.

GDPR is all about giving back the power to the data subject and while we all have opinions on whether or not GDPR has gone too far or has actually been detrimental, particularly to some SMEs that don’t have the staff or legal teams of their own, overall it is a good thing.

Update to Previous Blog:

  • Fines can be €20 million or 4% or annual global turnover – whichever is higher. So, all companies, particularly the legal, law-abiding ones had better sit up and take notice. This is true!
  • However, the ICO is not out to get you, to fine you…they are here to support first and foremost and only fine if you refuse to change, if you refuse to work with them and refuse to follow the guidelines. 
  • I spoke numerous times to the ICO and found them to be nothing but friendly, helpful and informative. The ICO is looking to drive knowledge into the community and not to wield the axe unless they have to.
  • It is also true that employees can demand to see what personal data you hold on them. 
  • However, they cannot demand that you delete it because you need their personal details in order to contact them, in order to pay them... the common-sense stuff and what falls under legitimate interest!
  • It is also true that the recruitment industry will be hugely impacted and there are endless tales of recruitment companies deleting their databases for no apparent reason. 
  • We also took a long hard look at our database and we have deleted over 60,000 records. Because the truth is that a database of 100 or 10,000,000 people is meaningless if it is not up-to-date. So GDPR is a useful exercise for companies that want to understand their data, or in our terms, their candidates. 
  • It is also true that GDPR demands that you either get consent or demonstrate a legitimate interest for holding data. 
  • And believe it or not, recruitment does NOT have to be a purely consent based industry and in fact, as written on the ICO’s website it can be based on legitimate interest. 
  • However, it is also true that a legal eagle who specialises in recruitment stated that legitimate interest can only be proven in certain circumstances and consent must be given in others.
  • It is also true that everyone must be informed (the right to be informed) that you hold their details (data) and for us we have undertaken the task of emailing everyone to tell them that we are holding their data (CV and phone number/email address in the main) and given them the opportunity to be deleted.
  • It is also true that you should tell people how long you will hold their data for and it is also true that it is up to you to determine how long you hold it for. The key is that you have to be able to justify this if asked! I was really angered by this at first; why can’t you just be given a clear guideline?

Now it all makes more sense to me. GDPR is a combination of must do stuff but it is also guidance for best practice. It is partly laying down the law and it is partly just telling you to make absolutely sure that you respect other people’s information, never abuse it and never sell it.

I am not sure we have done everything perfectly – I am not sure that you won’t find a gap somewhere if you try. However, I am absolutely convinced that we have done our absolute best and I am absolutely sure that we have never sold data, never mistreated data, never held data without a legitimate interest and never shared data without consent to do so.

The GDPR sweat will retreat in the coming months and I have no doubt we will deal with some complaints but I am glad GDPR has happened and I hope that everyone can rest assured that for the vast majority of companies, GDPR has, in the main, been a good thing.

The most interesting and relevant information to our industry can be found on these links and excerpt…

GDPR introduction: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Consent is not the ‘silver bullet’ for GDPR compliance : written by Elizabeth Denham, Information Commissioner 

Guidance for recruitment companies : an excerpt from this article on the ICO’s website is copied below as it gives specific guidance to recruitment companies 


An individual uploads their CV to a jobs board website. A recruitment agency accesses the CV and thinks that the individual may have the skills that two of its clients are looking for and wants to pass the CV to those companies.

It is likely in this situation that the lawful basis for processing for the recruitment agency and their clients is legitimate interests.

The individual has made their CV available on a job board website for the express reason of employers being able to access this data. They have not given specific consent for identified data controllers, but they would clearly expect that recruitment agencies would access the CV and share with it their clients, indeed, this is likely to be the individual's intention. As such, the legitimate interest of the recruitment agencies and their clients to fill vacancies would not be overridden by any interests or rights of the individual. In fact, those legitimate interests are likely to align with the interests of the individual in circulating their CV in order to find a job.


An individual creates a profile on a social networking website designed specifically for professional networking. There is a specific option to select a function to let recruiters know that the individual is open to job opportunities.

If the individual chooses to select that option, they would clearly expect those who view their profile might use their contact details for recruitment purposes and legitimate interests may be available (subject to compliance with other legal requirements, and PECR in particular). However, if they choose not to select that option, there is no such expectation, and their interests in maintaining control over their data overrides any legitimate interests of a recruitment agency or recruiting organisation.

Although reasonable expectations is an important factor, it does not automatically determine the outcome. Simply having warned the individual in advance that their data will be processed in a certain way does not necessarily mean that your legitimate interests always prevail, irrespective of harm. And in some cases you may still be able to justify unexpected processing if you have a compelling reason for it.

Live. Love. Enjoy GDPR

More like this? Recruiting & Recruitment Industry (9)

Or just browse: previous | next