GDPR and Recruitment: The Candidate

The Candidate & GDPR

Data controller:      The Candidate

Data Subjects:        Candidates, suppliers, staff, clients.

Data Processor:     Our licensed CRM software and other external sources of PII who we have GDPR compliant                                     contracts with. (Contact us for more information.)

PII:                           Personally Identifiable Information

The Candidate takes data gathering, processing and use very seriously and we have been working to become GDPR complaint for some time. In addition, we have been registered with the ICO since our launch and have been following the developments with GDPR closely in order to become compliant ever since the issue arose.

Our primary objective is to maintain outstanding levels of service for our candidate and client base whilst providing a world-class recruitment service, all within GDPR requirements.

Policy & Procedure Objectives

The data that The Candidate gathers is gathered lawfully and for specific purposes only. To be GDPR compliant, from May 2018 we will always seek consent to store and process data in a clear and affirmative way with a timescale on storing data agreed at point of consent. For data gathered and stored from before May 2018, The Candidate will be using the basis of Legitimate Interest for holding these details. The Candidate will seek consent from data subjects for any future dealings, respecting the right to withdraw or removed from their databases at all times.  The Candidate will always have confirmation that we can hold their PII with an audit trail from May 2018.

We will provide the following information to the Data Subject during the consent process:

  • Identity and contact details of persons at The Candidate
  • The reasons that we hold the data and the sole purpose
  • That there are legitimate reasons for holding the data
  • Categories of personal data held
  • Who the recipients might be
  • If it is to be transferred outside the EU
  • Origin of the data
  • Period of time for the data to be stored
  • The logic of any automated processing
  • How to exercise your rights
  • The right to withdraw
  • The right to complain to the regulator

The candidate classes all internal notes and correspondence with candidates or to 3rd parties about correspondence as PII. We will make the PII and records and any notes accompanying the data available to those who the record involves. We will supply the source of where we gathered the data and request consent to use data within 30 days of gathering the data. Upon request, we will amend data if requested. We will also remove and permanently delete data from the consented databases as soon as possible at any time should it be requested.

The Candidate shall only work with Data Processors (companies who store the data on our behalf) who guarantee to support the rules of GDPR.

The Candidate is waiting on advice regarding the portability of data, should a data subject request all data and how this might have to be provided to another data controller.

In the event of a data breach, The Candidate will notify the regulator within 72hrs.

Audit of Data

The Candidate is continually auditing its data within the business and this is assisting in our drive to become fully GDPR compliant.

Storage of data

Data will only be stored on our online CRM system or where consent from an affirmative action has been given for data collected, processed or dealt with from 25th May 2018.

Existing Data

The Candidate acknowledges that the new requirements for consent will not necessarily cover all existing data held. Like most recruitment companies, we are potentially in possession of Data Subject PII with no action of consent. We will however be storing data on the basis of Legitimate Interest, as they will have interacted with The Candidate Ltd previously. In order to deliver our objective of becoming compliant, we will be requesting consent from all our Data Subjects from May 2018 onwards, including records held from before May 2018 in advance of using their data.

Training of staff on GDPR

The Candidate is holding training with its employees to ensure GDPR compliance.

In addition

  • The Candidate’s contracts with its staff cover confidentiality and the use of data have been extended to be GDPR compliant
  • The Candidate will continue to ensure that every leaver has access to all data revoked
  • The Candidate is creating a data retention policy
  • The Candidate will continue with its strict password policy
  • The Candidate will be conducting a Privacy Impact Assessment
  • The Candidate is part of focus groups and forums to understand the latest developments on GDPR and implement them accordingly
  • The Candidate continues to take legal advice on the implementation of GDPR

If you have any questions about The Candidate’s approach to GDPR, then please contact the Data Officer, Colin Telford, on [email protected]








Sign Up To Our Newsletter