GDPR, and taking back control from recruiting agencies.

Happy May 25th 2018! If you're not sure what this day marks, then it's the date that General Data Protection Regulation (GDPR) becomes enforcable in the EU. What better way to celebrate than taking back control of your data from one of the great modern nuisances - recruiting agents?

Say Hello to GDPR.

There's a good chance that you're aware of the incoming data protection regulations - also known as "GDPR". If you work in Tech then it may have had you banging your head against the wall at times, whilst if you work in any industry where you regularly handle people's data (i.e any industry) then you've probably been briefed about it already.

One of the more promising provisions - at least from a consumer point of view - is the right to erasure.

Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

Although the caveat of "only applies in certain circumstances" sounds quite concerning, it shouldn't be - and it actually opens up more than one avenue for requesting recruitment agencies remove your data.

(1) I don't need you to consider me for any subsequent opportunities

This is an easy one, and most likely the best option.

  • the personal data is no longer necessary for the purpose which you originally collected or processed it for;

The sole purpose of the recruiting agent being in possession of your data is to help introduce you to new job opportunities; therefore if you're not looking for new job opportunities, it's no longer necessary for them to retain your data.

(2) I withdraw my consent, and I no longer want you to process my data.

GDPR defines the concept of a "lawful basis" for storing and processing an individuals data; and defines six bases. Out of those six bases, there are two which will most likely be relevant to recruitment agencies - "consent", and "legitimate interests".

Fortunately, both of these bases provide ways for you to utilise the "right to erasure":

  • you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
  • you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;

But what if I've used an aggregator - i.e Monster - that has provided my CV to other third parties?

Then arguably - as per the ICO guidance - there's an obligation on behalf of the intermediary to inform third parties that you've requested deletion of your data.

The GDPR specifies two circumstances where you should tell other organisations about the erasure of personal data:

  • the personal data has been disclosed to others; or
  • the personal data has been made public in an online environment (for example on social networks, forums or websites).

How this will be implemented - specifically with regards to pre-GDPR systems which are understandably more lax with the handling of personal data - remains to be seen. From a purely tech point of view, I'd be surprised if the likes of Monster are able to ascertain who they provided my data to 4 years ago.

With this in mind, I wouldn't be surprised if you still needed to contact third parties directly to request your data is removed.

Ultimately, only time will tell how effective this strategy will be. With the financial penalties available to the authorities when enforcing the regulations, proper enforcement - and subsequently compliance - could very well change the landscape with regards to how our data is stored and used.

I'm personally very optimistic about GDPR, but one of the most immediate perks I can see is


Contract Software Developer and DevOps Consultant, based out of London in England. Interests include information security, current affairs, and photography.