The GDPR and HR Recruitment Software – Time for a Rethink

10 March 2018

The start of 2018 has seen a number of webinars from software providers of cloud-based solutions targeted at the recruitment industry. Hireserve and Bullhorn, for example, partnering with law firms Osborne Clarke and CMS, respectively, have provided guidance on what GDPR will mean for recruitment agents. This is timely, because recruitment agents have been slow to appreciate the impact the GDPR will have on their business model and use of legacy databases. Not surprisingly, the primary purpose of these teach-ins is to prime customers for upgraded recruitment software solutions that seek to enable them to manage personal data in a GDPR compliant manner. The next targets for GDPR teach-ins and webinars from recruitment software providers are the employers, with respect to their applicant tracking systems or “ATSs”. While the GDPR seems a timely opportunity for these providers to sell more services through their SaaS business model, we wonder whether the GDPR should in fact represent a moment of pause for law and other professional services firms to consider whether an ATS is really necessary at all anymore. Maybe the time has come to think more expansively about talent management software now that candidate data is going to need to be much more sensitively handled.

ATSs originally came into being to help law firms avoid conflicts between competing recruiters over the commission for successful candidate placements. Essentially, ATSs tagged each candidate to a recruiter in order to avoid these conflicts, including basic scheduling and process software to run the interview and offer process. But with the GDPR challenging the most basic assumptions in traditional recruitment processes, and causing significant contagion risk to clients in the event of recruiter non-compliance, we seriously doubt whether the ATS can – or should – survive in its current form. If a law firm is accepting candidate data into an ATS via a recruitment agent, it will be necessary for that firm to ensure that such data has been collected and managed in a GDPR compliant manner. Many agents still openly acknowledge that they have chosen to ignore the challenges and costs of GDPR compliance until enforcement action is taken. So what happens when a law firm receives data relating to a candidate who has not given their consent for this (in what the recruitment industry calls “spray and pray”)? If the candidate is successful, a “no harm no foul” argument is probably tenable. But what happens if that hire subsequently goes sour? Or the candidate is unsuccessful? Why run the risk of engaging recruiters unless your terms ensure you are protected from their GDPR compliance failures? With Route1 you don’t have to worry about any of this.


Route1 is a digital marketplace that algorithmically matches a growing database of 8500 candidates with over 200 employers. Passive and active candidates can then anonymously match with and apply for jobs directly with the employer. In developing Route1 we had one eye on the GDPR, and because our business model puts the candidate in control, we are now leading industry compliance ahead of the huge recruitment market changes that the GDPR is about to bring. Agents normally flourish where buyers and sellers operate in inefficient and opaque markets, and the transparency the GDPR requires – at least for candidate data – will present a significant challenge to their business model. Route1 is not an agency, it is a marketplace, and our platform is built to be, in the GDPR’s terms, “compliant by design”. This is because we put the candidate firmly in control of what happens to their data throughout the hiring process.

Our business model therefore avoids all the GDPR issues faced by traditional recruiters, and mitigates any risk to employers, because there is no agent between the employer and the candidate that holds candidate data, or who must initiate contact with the candidate. Once a Route1 candidate sets their filters based on seniority, specialty and location, our platform algorithmically matches them directly with relevant jobs, and they then control the process at every step. A law firm will never be exposed to GDPR compliance risk in its talent supply chain when sourcing talent from Route1, as the candidate always gives their consent to any action involving their personal data.


Traditional agency and search recruiters in the post GDPR world face a number of significant challenges to their business model, both in their sourcing and management of candidate data, and their execution of candidate/employer introduction:

Candidate Sourcing

From May, when a recruiter sources a candidate, it must ensure that personal data relating to that candidate was obtained in a context where the candidate has provided reasonable evidence of expecting to be contacted. This “legitimate interest” test requires a recruiter to establish and be able to demonstrate sufficient interest on the part of a candidate in order to support his or her solicitation. Having a profile on LinkedIn is not, as some recruiters would like to believe, enough to establish “legitimate interest” for a hiring approach. It might be enough if the candidate has elected to designate that he or she is looking for a role on LinkedIn, but how many lawyers use this method of opening themselves up to cold calls?

When registering for Route1, our candidates demonstrate their desire to source matches with all relevant jobs in their sector that we post on the platform. Sourcing for Route1 is inherently compliant as the candidate always takes the active step of signing up to the platform and setting his or her filters.

Storing candidate data

If candidate data has been obtained legitimately, under the GDPR recruiters must now have a proper system to record the consents that form the basis for processing it and to ensure that its use is consistent with such consent. They must also follow GDPR rules on data minimization, right to erasure, and monitoring consent.

At Route1, consent to store data is given directly by the candidate, and we do not add anything to a Route1 candidate profile. Route1 candidates are always in control of their data, including the ability to amend or erase it; and candidates are only asked for additional information at point of application for a job.

Contacting candidates for opt-in

Prior to the implementation of the GDPR in May, recruiters will have to contact every candidate on their existing databases to ensure opt-in consent is taken and avoid unsolicited or illegal communication with them. In marketing parlance this will need to be a “double opt-in”. To quote the marketing manual: “as long as you provide value, your list will not mind reaffirming their consent with you”. Candidates should therefore shortly expect prize draws for hampers or vouchers for their re-affirmation and consent. And they should expect multiple offers too – because multiple recruiters cover the same candidates. If they’re cynical they should shop around; if they’re inquisitive, from May they can make a subject access request for data held on them by a recruiter for free; but if they’re smart they will have already signed up to Route1.

Route1 does not need to contact candidates for opt in because our terms and business model place “evergreen” data control with candidates. A Route1 candidate will only ever be contacted about an opportunity for which they have actively put themselves forward. They will, in effect, never have to take another cold call. And for the data regulator, explicit consent by a candidate – i.e. clear affirmative action by a data subject – will always outweigh tenuous legitimate interest arguments by an intermediary.

Keeping candidates’ data relevant

After May, recruiters will need to ensure data that they keep on a candidate continues to be relevant, and is kept only for the minimal amount required for processing. In short, this means that they need to actively keep a CV up to date and remove information that is old. How long this can be kept is unclear, with some advisers suggesting six months, some a year. What is likely though, is that recruiters will use this requirement as good reason to contact their candidate pool every six months, to “check in”, ask candidates to validate their data and to provide refreshed consent. Effectively they will also be seeking to refresh “legitimate interest”. However, moving to an actively managed database will be a significant challenge to recruiters, who up until now have had no incentive to manage and remove reams of old and inaccurate data in passive databases. This challenge has been so great for some customer-focused UK businesses that they have simply dumped all their data rather than have to make value judgments and seek consent to retain and update terabytes of customer data.

With Route1, candidates fill out their own sign up screen and keep their data updated and current: It is their data and they control it. At every stage.

Monitoring consents and opt-outs

To comply with the GDPR, every time a recruiter contacts a candidate, it must give the candidate the option to unsubscribe or opt out from future communication, and be able to track and enforce that opt-out.  Candidate opt-outs must be enforced across all internal communications, and recruiters will need to ensure that after opting out candidates are not contacted again (unless they are able to justify a legitimate interest for a specific additional communication). This can be hard when teams of recruiters are often encouraged to work against each other to place candidates.

At Route1 we do not use pressure environments to generate “sales”. With Route1, candidates have default opt-out functionality because the Route1 candidate always elects to apply for roles – he or she is always in control.  For this reason, we don’t need to buy an expensive CRM system to ensure our candidate management and communication automatically tracks opt-outs. We built it into our business model two years ago.


We think the GDPR presents a compliance risk to employers from a sometimes frankly willfully non-compliant recruitment industry. At Route1, we want to reinforce talent supply chain legitimacy in the legal and professional services sector. Because Route1 was built to comply with GDPR from inception, we will never expose our clients to GDPR compliance risk. It will also take recruiters a long time to rebuild their non-compliant databases, wean themselves off a lifetime habit and learn to abide by an entirely different workflow process. Time that is valuable when a professional services employer has to fill roles, often at short notice. What is clear from our discussions with professional services providers is that as their margins are squeezed by their clients, and management’s scrutiny of costs becomes ever more acute, they are desperate for a faster, cheaper, more efficient recruitment solution that delivers talent to them. For them, Route1 is that solution, and at a pricing point that is 40% cheaper than traditional recruiters. The fact that we provide access to thousands of GDPR compliant candidates – and upon application all the things that add friction and time to the recruitment process such as CVs, references and academic transcripts – means our value proposition to them is significantly reinforced.


As we watched the data solution providers eagerly provide the recruitment industry and employers with GDPR webinars and teach-ins, we spent some time talking with Beamery. Beamery is a late-stage start up founded in London by Abakar Saidov, with offices in Austin, Texas and San Francisco. Beamery builds in-house external talent management software with a current focus on the Facebooks and the Amazons of the world – the latter now employing over 3,000 internal recruiters!

What has this got to do with the ATS? Well, we think that maybe a tool that came into being to police recruiters fighting over commission now may have its days numbered. This is because the GDPR will make it pretty unlikely that recruiters will enter into dispute with an employer over commission. How can there be a dispute around candidate “ownership”, where under the GDPR a recruiter will need to demonstrate that a candidate has given it explicit consent to approach an employer? In a post GDPR world, the situation where two recruiters fight over candidate credit is more likely to result in grounds for a complaint to the Information Commissioner’s Office by the candidate than a dispute with an employer over commission.

So rather than get an upgrade to an expensive, and now largely redundant ATS product that is about to be enhanced with expensive “new improved” add-on GDPR compliance functionality, why not just use our award winning platform’s employer dashboard? We provide this proprietary “ATS” for free. We do so because the cost savings from a platform solution like Route1 remove the need for armies of cold callers and “researchers” in the recruitment process. And because we are award winning innovators, we are now planning its development into a GDPR compliant talent acquisition and management CRM tool.

We have previously worked with management consultancy firms and investment banks to seek to address their internal talent CRM challenges. Now maybe the broader professional services community would like external as well as internal talent CRM functionality in their talent management platforms. The threshold question here is “do clients have demand for such a tool”? So before heading down this path, we asked our key clients whether, in the brave new post GDPR world, they wanted this given the enhanced compliance risk. Maybe they didn’t want to extend their engagement from internal resources to active job seekers and out to additional constituencies such as summer vacation students, interns and other potential talent pools.

Well, not surprisingly, given that the battle for quality white collar talent acquisition is now starting earlier and earlier in a potential employee’s career, the legal and accountancy firms we talked to said they did want to do this. And some legal clients also indicated that they would like this talent CRM functionality to help them build white labelled alumni networks, possibly to leverage into contractor solutions. So as we continue this part of our development, and if you are interested in learning more about the development of our new talent CRM tool, then please get in touch with me at

James Cole
Route1 Founder

Route1 is an award winning marketplace for legal talent. For any questions, please contact our Engagement Team or visit our Contact Us page for more information.


We have big ambitions to permanently change the way people hire and get hired, both in the legal and other white collar sectors, using GDPR compliant, content-rich, value-added recruitment techniques. We place transparency, charity, and candidate control at the heart of our model.

Route1 was founded in the UK in 2015 and is headquartered in London. Our founders and investors include experienced lawyers, digital entrepreneurs, recruitment consultants and HR professionals.
