GDPR’s Impact on Recruitment: A Q&A with Lucy Kendall

Lucy Kendall

Practice Director, Cellence Plus

Lucy Kendall has worked globally in talent acquisition for over 17 years. She has operated at a senior level on organisational infrastructure, governance for growth, and GDPR readiness consulting.

In Part I of a three-part series, expert Lucy Kendall provides valuable context for the General Data Protection Regulation (GDPR) legislation, along with real-world advice for recruitment agencies in the throes of implementation. With enforcement a scant few months away, she provides guidance on what to expect and how to finalise your readiness plans. David Stott, Bullhorn’s Enterprise International Vice President, captures her insights.

Lucy will provide additional details on implementation, with a focus on lawful basis, marketing impact, and data retention, in a webinar on February 8th: register here. ComplyGDPR also offers a free readiness audit to help agencies benchmark their readiness.


David Stott: Lucy, now that we’re so close to GDPR implementation, a lot of people are wondering how we got here in the first place. Why is this legislation even necessary?

Lucy Kendall: Data protection legislation has actually been in place for several decades, during which the authorities tried to treat us all as adults. Basically, they said, “Here are some basic rules, can you please do what’s being asked of you?” But because lots of industries haven’t been doing what they should, they’ve decided we’re children who won’t do as we’re told and they’re getting much stricter. So, this very steep hill we’re climbing is actually a result of catching up to 25 years of legislation, which helps keep the changes in perspective.


DS: You’ve said that GDPR can actually be viewed as human rights legislation. Why do you say that?

LK: Yes, it’s not about protecting data, it’s about protecting people. Our personal data belongs to us and its value belongs to us, we’re just letting others borrow it. At the core of this legislation is who has control of our data. If others can trade it and move it around without our approval, that creates a power imbalance.


DS: How do you get that point across to people in our industry?

LK: There’s a great analogy that speaks to the rationale and the reality of the legislation. Think of it as a friend giving you a large sum of cash, let’s say £3,000, and asking you to take care of it. We would recognise they are entrusting something of value to us and immediately think about putting it somewhere safe. That’s the mindset for GDPR; we need to realise that data is valuable.

To carry the analogy further, you would need a security system—such as locked doors or an alarm system—to protect that money. And, you would need everyone in your house to know that valuables are being stored there and to understand the policies and procedures around protecting it, such as locking the door on your way out. Rather than blatantly leaving the money exposed, you would take appropriate care to protect it, just as an agency should provide training and awareness to build a culture of privacy.


DS: A big part of the concern we’re hearing is about the sanctions. What is your sense as to how concerned the industry should be?

LK: We’ve seen loads and loads of press about the sanctions, so they seem terrifying, but the point I’d make is, I’d be just as or more concerned about other areas that can cause genuine risk and disruption to your business. That might be related to things like subject access requests or people going to town on social media, but there are lots of other things that can cause you issues beyond just sanctions imposed via the regulator.

The UK’s regulator, Elizabeth Denham, has really focused on positive behaviour. If you do nothing and something goes wrong, they won’t be forgiving. But if you take the topic seriously and show you care, that’s their main focus. Things will go wrong. You can’t control human behaviour, but you must do the necessary work and show your workings.


DS: How do you go about showing your workings?

LK: Document, document, document. Document anything and everything, such as meetings, decisions, anything that pushes you forward. If I had to choose two words to grasp around what GDPR is all about, they would be transparency and accountability. You have to evidence what you’re doing to comply and demonstrate that data protection has an ongoing place in your business and in your governance. Take a deep breath and get started.


DS: So what are the key individual rights we need to be focused on as an industry?

LK: The foundation of GDPR is a suite of rights based on an individual’s rights to exercise control over their own personal data. These rights are correlated with whichever lawful basis you choose to process data under, of which there are only six.

If you choose to process data under consent, that gives individuals the greatest amount of rights and powers. That invokes the right to withdraw consent, which means it must be just as easy to take it away as to give it, and the right to erasure, basically the right to be deleted.

The big one for our industry is the right to transparency. We’re not that transparent; we have a tendency to collect and hoard data. Every individual whose personal data is processed has a right to be informed about what is held, why, and how it will be used.

With the right to access, people have a right to see what data you’re processing on them. Think about what’s in your database and whether you’d be happy to provide that to an individual. We’re talking about disgruntled candidates and employees, to whom you’d have to provide everything. In the UK, if someone in your business tampers with or changes anything in your system prior to a subject access request, there’s an appetite for criminal sanctions.


DS: What about the principles of GDPR? What’s critical to know?

LK: From the 25th of May, you need to be able to show how the principles of GDPR are embedded in your business, how you have a culture of privacy, and how you’re living up to them. I liken the principles to spinning plates. You’ve got to make sure you keep them all spinning all together, in line with your business’ risk appetite. One principle to pay attention to is a specified purpose, which means you can’t process data for a different purpose than what you originally collected it for.

If you collect an applicant’s data for a specific job and they don’t get it, so you add them to your database and start mailshotting them about new jobs, that’s a breach of GDPR. Think about it in your individual life. You go to a shop and they ask for your email to send a receipt, and then the next thing you know you’re getting bombarded with their latest catalogues. As a recruitment business, we have to be clear about what we’re using that data for.

The principle of adequate-relevant-limited data is another we need to think about. It means we only process what we need. In recruitment, we tend to process everything humanly possible we might need in the future. We need to ask whether we really need all that information.


DS: Why do agencies also need to be sure their data is accurate and up to date?

LK: The principle of accuracy is a real problem for our industry. If we don’t keep data up to date and accurate, there’s a risk of discrimination. Let’s say you have a CV of a graduate, but then you don’t speak to them for five years. Now, if you’re searching that person during a new search, if it’s not accurate, they might be missing out on an opportunity. We have a duty to keep things up to date, and we also shouldn’t keep data ‘longer than necessary’—which isn’t that clear, obviously—but we have to be upfront about how long we are retaining data.


DS: Can you summarise what the GDPR actually requires our businesses to do?

LK: There are three tangible requirements:

  1. Start with an audit. Your job is to understand where are you today, what data are you currently processing, who do you share it with, and how secure is it. You’ve got to draw your line in the sand and decide what risks you’re exposing clients, candidates, and employees to right now.
  2. Then, you’ve got to mitigate and put policies and processes and training in place to prove that everyone knows the goals. Check in with your suppliers and review contracts to make sure they’re living up to their side of the bargain.
  3. Finally, as we’ve discussed, document everything.


The reality is that when you start with the audit at step one, you’ll probably find holes in your data privacy bucket. You’re not alone. We’ve created a free readiness audit, and the point is to help you understand where you need to be and make the journey as painless as possible.