Recruitment and modern data protection

GDPR and discrimination

In this HR article, we provide some guidance to help make recruitment practices safer and to improve legal compliance.

Questions about how employment law affects recruitment and selection are common. There are a few key areas to be mindful of. The main ones are contract law, employment law, data protection and discrimination. The latter two have a greater impact on the recruitment process itself, and these will be the focus of this HR Hot Topic.

Legislation relating to discrimination, or rather equality, should inform all safe recruitment practices. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) both put a fresh angle on data protection law and require tighter controls on recruitment, such as the need for secure processes, privacy notices and more.

Recruitment and modern data protection

Organisations must ensure that the entire process of recruiting a candidate, from end to end, is compliant with the GDPR and DPA 2018. This runs from the point at which a candidate's personal data is collected through to how it is removed from your business entirely.

The basics of the GDPR require organisations to:

  • Ensure they have a legal basis (one of the six statutory reasons) to be processing data in the first place.
  • Ensure that the data is processed in compliance with the six principles.
  • Ensure their internal processes are private by design and by default.

There are of course many other obligations to be adhered to. The most applicable to an employer in the context of recruitment are:

  • The requirement to provide privacy information
  • The requirement to keep records of processing activities

Common areas that crop up in recruitment, which are particularly impacted by modern data laws, include:

  • References
  • Health and criminal records
  • Equal opportunities monitoring

Each of the key areas highlighted is discussed below.

Legal bases

There are six potential lawful bases (consent, contractual requirement, legal obligation, vital interests, public interest and legitimate interest). Employers must know in advance which one of these they are relying upon in order to obtain and use personal data during a recruitment process.

Most employers will rely upon ‘legitimate interest’.

This is the most generic of the six legal bases. As it is generic, the specific interest must be known too. In this case, it is most likely to be ‘A legitimate interest to fill a genuine vacancy which exists in the business.’

Warning: Avoid ‘consent’. While it may be possible to rely on consent at the recruitment stage, we would advise against doing so. Consent is not what it used to be. Carefully worded information must be provided to each individual and specific measures must be in place to operate consent properly (such as the capability to remove and destroy all traces of personal data promptly, should an individual withdraw their consent). Furthermore, once employed, consent may not be relied upon at all, due to the imbalance of power between employer and employee. This means that once you appoint a candidate, you may not rely on consent anyway.


A recruitment process must be reviewed and adapted where necessary, to ensure that the six principles of the GDPR are met.

The principles of the GDPR all seek to achieve one thing: accountability. They can be summarised as follows:

  • Lawfulness, fairness and transparency – in relation to the data subject
  • Purpose limitation – personal data is collected for a specified, explicit and legitimate reason
  • Data minimisation – only personal data which is necessary and relevant to the purpose is collected
  • Accuracy – every reasonable step should be taken to ensure that this data is kept up to date (with regards to the purpose)
  • Storage limitation – personal data must only be kept in a form which identifies an individual for as long as is necessary to achieve the purpose
  • Security (integrity and confidentiality) – appropriate (and state of the art) measures must be implemented to ensure personal data is kept safely and is not compromised


To meet the first principle, an organisation must be satisfied that they know what their legal basis is and that they have complied generally with the law. Consider contacting the Information Commissioner’s Office (ICO) on their free helpline, for reassurance on whether your process and measures are likely to be lawful.

Consideration must also be given as to whether the use of the personal data collected would be thought of as ‘fair’ by the everyday person, and whether the processing and use of the data is transparent to the candidates. The latter is most likely to be achieved through a privacy notice.

Further Guidance

For further guidance on minimising risk and ensuring safer recruitment, log in to our HR Knowledge Base or contact us to find out about signing up to this must-have, go-to resource that’s used by thousands of business managers and HR professionals across the UK.




