Staying in touch with candidates and GDPR guidelines

21 February 2019

Speaking with candidates is one of the key parts of any recruiter’s day. And there is an ever-increasing number of channels available to us: from text messages and WhatsApp, to LinkedIn and (for some) Facebook.

However, following the implementation of the GDPR last year, recruiters need to be aware of the pitfalls they face when they contact and engage with candidates – especially over WhatsApp, LinkedIn and Facebook. It’s very easy to cross the line drawn by the GDPR and the problem spans both data security and regulatory compliance; breaching either could lead to big fines.

Personal data should only be shared on secure, monitored platforms within an organisation – in ways that are clearly stated in their own privacy policy. Companies should have mapped and be in control of how personal information is received and processed, as well as know who has access to what, where the data is stored and, finally, who it is shared with.

If you are speaking to a candidate “off grid” then this needs to be logged, recorded and monitored. This can be a very hard thing to do in practice.

A quick example:

  • You contact a candidate on LinkedIn
  • They want to arrange to speak. Great!
  • You then get their phone number
  • You text the candidate to arrange to talk and, during the call, they give you their email address
  • You then send them the job description and they return their CV

Right away, you have a lot of their personal information on different platforms: your phone, email and LinkedIn. This data might include a candidate’s phone number, email address, home address, date of birth, nationality, salary, and so on.

Yes, you may have added all of this to your ATS (which hopefully is GDPR-compliant) but what do you do with the personal information on your phone and LinkedIn after this point? When does it get removed? How do you remember it’s there? What happens if you move companies?

Ideally, of course, the consultant would be using a work phone for text messages, WhatsApp conversations, and phone calls (using personal phones is a whole different exercise in compliance…). But what policies do you have in place for an employee’s LinkedIn? It’s your responsibility to know what information you hold, when it was received, how it is stored, who has access to it, what the retention policy is, how it is processed, etc. Even just having a name and number in a phonebook needs to be known.

It can turn into a huge headache – maybe not immediately (there are plenty of companies who just put their head in the sand!), but if you receive a Subject Access Request, how do you map the information and be sure you have it all? How do you comply with your data protection policy? What happens if that mobile phone is lost? Or the LinkedIn profile is hacked?

It’s much easier to lay the foundations for compliance and have proper procedures from the start, than to play catch up at a later date and risk an investigation with the potential for huge fines.

GDPR – it’s not over. It’s here to stay.

Is your recruiter compliant? Maybe you should ask.

The Route1 Team

Route1 is an award-winning marketplace for legal talent. For any questions, please contact our Engagement Team or visit our Contact Us page for more information.


We have big ambitions to permanently change the way people hire and get hired, both in the legal and other white-collar sectors, using GDPR-compliant, content-rich, value-added recruitment techniques. We place transparency, charity, and candidate control at the heart of our model.

Route1 was founded in the UK in 2015 and is headquartered in London. Our founders and investors include experienced lawyers, digital entrepreneurs, recruitment consultants and HR professionals.
