The GDPR and the recruitment industry – the game is up, it's time to comply!

24 October 2017


Following the explosion of publicly searchable social media platforms in the last decade, the way the recruitment industry uses candidate data has changed significantly. The rapid adoption of platforms like LinkedIn means that recruiters no longer need to rely as heavily as they used to on a proprietary database of candidate information. LinkedIn has become the go-to source for many recruitment agents, acting as an outsourced, up-to-date database tool. But what about recruiters’ legacy databases, which often contain richer, more specific candidate data? Most recruitment agencies still keep them, and agents are still wedded to them, with search firms holding significant amounts of non-public, unverified candidate (and in some cases employer) data, much of it never supplied by the candidate.

At present, the compliance burden of keeping such data has been relatively light, but from next May, industry participants will have to ensure that the databases and processes they use to store and process personal data are compliant with the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”, or the “Regulation”), and reconsider how they intend to use personal data going forward.

The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). The primary objectives of the GDPR are to give citizens and residents back control of their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU.

How the GDPR affects recruitment agencies

Recruitment agencies generally maintain a database of personal data and are therefore “data controllers” both under current legislation as well as the new Regulation. “Personal data” under the GDPR is defined by the European Commission as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

The GDPR is not simply a minor compliance issue for recruitment agencies – it threatens their current business model, which involves unsolicited contact with candidates and the retention of candidates’ personal data without their express consent. Under the GDPR, once a recruitment agent obtains personal data relating to its candidates, it is automatically subject to obligations regarding:

– Data controller responsibility and accountability
– Candidate consent rights
– Candidate rights to access requests
– Candidate rights to erasure
– Candidate rights to portability

This means that the days of “trawling”, where recruiters use vague job descriptions to generate leads from candidates who may not be actively looking for a job, will soon be over. This will lead to much greater consideration of candidate data privacy, and should result in a flight to quality-driven consultancy advice directed at candidates who have already expressed an interest in an identifiable job.

The Route1 model

At Route1, we operate an online marketplace connecting lawyers and legal employers. We remove the need for cold calling by agents, because we provide candidates with details of the jobs that candidates have determined are relevant to them. We represent over 200 legal employers, including six of the top ten leading global law firms, and over 8500 individuals have used our platform to date.

We designed Route1’s architecture from scratch in 2016, and because we were a new market entrant, we did not use legacy systems for storing our candidate data. As a result, our proprietary database tools were the first GDPR-compliant recruitment tool available in the UK. Our focus on data protection compliance was part of the reason we won Thomson Reuters’ “Legal Marketplace of the Year” at last year’s Legal Geek awards.

On our platform, candidate information is provided by the candidates themselves, and they “control” the use of their data. Our goal is not to replace recruitment consultants but to augment their search function, efficiency and database functionality, to ensure that the way they treat their candidates is, at a minimum, in compliance with the law and, at best, value additive. Using the Route1 business model also means that recruitment firms will no longer have to carry cold-calling overheads in order to substantiate their historic 25-30% commission fee levels. We realised fairly quickly that the GDPR was going to be a significant challenge to traditional recruiting methods and could in time invert the decision/solicitation process, particularly around associate recruitment in the legal sector.

Route1 sources all public job posts from employers who have signed up to our platform, and we ensure a candidate only receives what he or she chooses to, having set their own filters on job type, location and package. It is therefore always the candidate who initiates engagement, and this is why Route1 not only empowers the candidate but reduces poor recruiter behaviour, such as trawling, that relies on marketplace information asymmetry.

Once job advertisements are public – and a combination of website self-advertising and aggregating job boards means that this is now generally the case – our platform helps the candidate select the job, and it is only after an expression of interest by them that a recruiter can step in to manage the hiring process with a “warm” candidate, and at the candidate’s election. The GDPR reinforces this model, as its policy goal is to put the data subject – in this case the candidate – in control of how their data is used.

Responsibility and accountability

In order to be able to demonstrate compliance with the GDPR, recruitment agents must implement measures which meet the principles of data protection by design and by default before May 2018. Privacy by Design and by Default (GDPR Article 25) requires that data protection measures are designed into recruitment processes wherever they touch personal data. This means that from next May, “traditional” recruitment firms must adhere to certain principles: their systems’ privacy settings must be set to the most protective level by default, only the personal data necessary for each specific purpose may be processed, and technical and organisational measures must be adopted to make sure their data processing complies with the Regulation.

One such measure is to pseudonymise personal data as soon as possible after receipt (GDPR Recital 78). Pseudonymisation (Article 4(5)) is processing that leaves the data incapable of being attributed to a specific data subject without the use of additional information, such as a key or lookup table, which must be kept separately and protected. Pseudonymised data therefore remains personal data: it reduces the harm a breach can do, but it does not take the data out of the Regulation’s scope. Anonymisation goes further, irreversibly severing the link to the individual, and truly anonymised data falls outside the GDPR altogether (Recital 26). A “traditional” recruiter’s database exists precisely to identify and contact named candidates, so it cannot be anonymised without losing its purpose, and pseudonymising it addresses security rather than the question of whether the data may be held at all. Route1’s model instead has candidates consent to an anonymised profile being provided to the platform in order to match against job specifications, which is why it was developed under the GDPR’s Privacy by Design principles. Because the profiles are anonymised, Route1 can also exercise its key strengths over traditional recruitment firms without further candidate consent, provided that the profiles and the metrics derived from them genuinely cannot be linked back to an individual (a rare practice area combined with a small location can be enough to single someone out). Using a platform solution means we can see how our candidates behave as a group: what content they interact with, which elements of job descriptions (for instance salary) they engage with, when they choose to search the platform, and how their location affects these and other metrics. These analytical marketplace tools, which are of considerable value to our employers, are not available to traditional recruiters who hold candidate data in passive databases.
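The following is an added example, not Route1’s code nor any recruiter’s, of what pseudonymising candidate records on receipt looks like in practice. It keeps the HMAC key and the token-to-identity vault apart from the working records, which is the “additional information” that Article 4(5) requires to be held separately, and it shows why a plain, unkeyed hash of an email address is not a pseudonym: anyone who knows the address can recompute it and find the candidate in a leaked store. The candidate records are constructed and fictional, and the field names are assumptions.

```python
"""Pseudonymising candidate records on receipt (Recital 78 style).

The HMAC key and the identity vault are the "additional information" of
GDPR Art. 4(5): the working records stay personal data, but a leak of the
analytics store alone does not reveal who the candidates are.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; the people and addresses are fictional.
RAW_CANDIDATES: List[dict] = [
    {"name": "Alice Example", "email": "Alice@Example.com", "location": "London",
     "salary": 85000, "practice": "M&A"},
    {"name": "Bob Sample", "email": "bob@example.org", "location": "Manchester",
     "salary": 62000, "practice": "Litigation"},
    # Same candidate entered twice with different casing: must collapse to one token.
    {"name": "Alice Example", "email": "alice@example.com", "location": "London",
     "salary": 85000, "practice": "M&A"},
]

# Fields that directly identify a person; everything else goes to the working record.
DIRECT_IDENTIFIERS = ("name", "email")


class Pseudonymiser:
    """Splits each record into a vault entry (identity) and a working record (attributes)."""

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        # token -> direct identifiers. In production this lives in a separate,
        # more tightly access-controlled store than the working records.
        self._vault: Dict[str, dict] = {}

    @staticmethod
    def normalise_email(email: str) -> str:
        # Same person, same token, however they typed the address.
        return email.strip().lower()

    def token_for(self, email: str) -> str:
        # Keyed: deterministic for the same input, but not recomputable without the key.
        msg = self.normalise_email(email).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def pseudonymise(self, record: dict) -> dict:
        token = self.token_for(record["email"])
        self._vault[token] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        working["token"] = token
        return working

    def pseudonymise_all(self, records: List[dict]) -> Dict[str, dict]:
        """Working records keyed by token; duplicate entries for one candidate collapse."""
        out: Dict[str, dict] = {}
        for record in records:
            working = self.pseudonymise(record)
            out[working["token"]] = working
        return out

    def reidentify(self, token: str) -> Optional[dict]:
        """Only code with vault access (and a lawful reason) can do this."""
        return self._vault.get(token)

    def erase(self, token: str) -> bool:
        """Art. 17 erasure of the link: without the vault entry the working
        record can no longer be attributed to the candidate."""
        return self._vault.pop(token, None) is not None


def unkeyed_token(email: str) -> str:
    """Shown for contrast only: a bare hash of a guessable input is not a pseudonym."""
    return hashlib.sha256(Pseudonymiser.normalise_email(email).encode("utf-8")).hexdigest()


def average_salary_by_location(working_records: List[dict]) -> Dict[str, float]:
    """Aggregate analytics that need the working records only, never the vault."""
    buckets: Dict[str, List[int]] = {}
    for record in working_records:
        buckets.setdefault(record["location"], []).append(record["salary"])
    return {loc: sum(v) / len(v) for loc, v in buckets.items()}


def demo() -> None:
    key = secrets.token_bytes(32)  # in production: fetched from a KMS/HSM, never stored beside the data
    p = Pseudonymiser(key)
    working = p.pseudonymise_all(RAW_CANDIDATES)
    print(len(working), "distinct candidates")
    print(average_salary_by_location(list(working.values())))
    # An attacker holding a leaked working store and a target's email address:
    print("unkeyed hash locates target:", unkeyed_token("alice@example.com")
          in {unkeyed_token(r["email"]) for r in RAW_CANDIDATES})
    print("keyed token locates target:", Pseudonymiser(secrets.token_bytes(32))
          .token_for("alice@example.com") in working)


if __name__ == "__main__":
    demo()
```

Deleting the vault entry severs the link for a given token, which is how an erasure request can be honoured without rewriting the analytics store. The key itself belongs in a key management service or HSM rather than in the same database as the records; if the key and the working records are ever stored together, the data is no longer pseudonymised in any meaningful sense.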

Candidate consent

Where a recruiter relies on consent as its lawful basis (Article 6(1)(a)), that consent must be freely given, specific, informed and unambiguous, signalled by a clear affirmative act (Article 4(11)), and the purposes for which the data will be used must be set out clearly (Article 7); explicit consent is required where special category data, such as health or ethnicity information, is processed (Article 9). Recruitment agencies must therefore be able to demonstrate that consent (opt-in) was granted by their candidates. Furthermore, candidates must be able to withdraw consent at any time, as easily as they gave it, and have their data erased. This is fundamentally challenging for many recruitment agencies, as the candidates on their databases are often unaware of even being on a recruiter’s database to begin with. On-boarding candidates in future will, for example, require a script and documented consent from any “cold call” to potential candidates. The accompanying privacy notice (Article 13) must include the retention period for the candidate’s personal data and the contact details of the recruitment firm as data controller (and of its data protection officer, where one is required).

Previously, extensive candidate information was power in this market, but it will now carry a significant compliance burden as recruitment firms must shed their historic databases, and re-sign up their legacy candidates. Re-signing up candidates will be a challenging prospect, because most potential candidates are unaware that their data may sit on any, let alone a number of recruitment agencies’ databases. There is the danger that in the coming months they will be prompted by a number of agencies to request submission of their details and consent to use of their data. Candidates may choose to comply with the first one or two such requests, but it is unlikely they will want to do so for a large number, and especially from agencies that may not have been in contact with them for some time. As a result, we believe there is likely to be a “race to compliance”, as the more savvy recruiters realise that candidates will be bombarded by unsolicited requests to “re-sign” up, and that they must be one of the first to seek their consent. We are already seeing some recruitment agencies begin this process, and believe that this process should lead to consolidation in the market. The agencies that survive this process will be the ones who take compliance seriously and seek to promptly comply with the GDPR, rather than the ones who leave it to the last minute and who will suffer from candidate re-sign up fatigue as a result.

Candidate access and erasure requests

The GDPR requires recruitment firms to respond to a candidate’s data subject access request without undue delay and in any event within one month (Article 12(3)), extendable by a further two months only for complex or numerous requests. There is likely to be a wave of data subject access requests to recruiters once the GDPR and the rights it grants to individuals become more widely known. Historically, much of the initial contact candidates have with recruiters is unsolicited, and therefore the level of subject access requests may be high. Recruitment firms must have procedures in place to respond to these requests within that deadline. Some recruiters we have spoken to are now urgently “weeding” their databases to ensure they hold only currently relevant data before seeking their candidates’ consent to hold it, but many are not – and the value of legacy data that has been held for some time is becoming increasingly questionable. The last thing a recruiter will want in a transparent and highly competitive environment is to demonstrate just how old and erroneous much of the data it holds might be.

Because Article 17 enables a candidate to request erasure of personal data relating to him or her held by a recruitment firm on any one of a number of grounds, including that the data was processed unlawfully (Article 17(1)(d), read with Article 6(1)), it is highly unlikely that a candidate who never gave consent to having his or her personal data held in the first place will simply accede to a request for that consent made for GDPR compliance purposes. It is even more unlikely that such a candidate will agree to re-sign with a recruiter if, following a data subject access request, they are presented with erroneous information that has been used to “represent” them on an unsolicited basis in the recent past. So the key message to recruiters is to get weeding, and fast.

Because Route1 is an open platform, we allow our candidates to search and update their own data at any time, which means we never have this problem, and we never have to do any weeding, unless it is to remove trolls (generally recruiters!) who pretend to be solicitors to gain job information. For “traditional” recruitment firms, open access architecture will probably have to become part of their way of doing business going forward unless they want the cost and burden of actively maintaining and updating their database. However, open access architecture fundamentally challenges the behaviour of some recruitment agents, who generally benefit from information asymmetry in the hiring process. We believe that as a result, the implementation of the GDPR, and the adoption of platforms like Route1, will lead to the culling of less reputable recruitment agents – and fewer sharp practices – in the market going forward.


Finally, under Article 20 of the GDPR, a candidate has the right to receive the personal data he or she has provided to a recruitment firm, where it is processed by automated means on the basis of consent or a contract, and to transmit it to another controller without hindrance from the legacy data controller, including, where technically feasible, having it sent directly from one to the other. The data must be provided by the recruitment firm in a “structured, commonly used and machine-readable format”. This right fundamentally challenges the value proposition of building a candidate database at all for a recruitment agency, if a candidate can simply insist that the data held on him or her be transferred at will.

Route1 stores candidate data in a structured, commonly used and machine-readable format, and we do not truly “hold” candidate data in the traditional sense. We are therefore easily able to accede to a portability request, because our business model relies on transparency and limited use of candidate data – again, the candidate controls the process, not the intermediary.

Effect of GDPR breaches

To focus minds in the recruitment sector, we set out below the costs of non-compliance with the GDPR. They are significant, with the following sanctions capable of being imposed:

– a warning in writing in cases of first and non-intentional non-compliance;

– regular periodic data protection audits;

– a fine of up to €10,000,000 or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater; and

– a fine of up to €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater.

It’s not all gloom: how to turn a threat into an opportunity

It is clear from Route1’s research that many in the recruitment industry were slow to identify the significant implications that the GDPR has for their use of candidate data, and the threat it presents to their business model. We believe most recruitment agencies will have to completely rebuild their databases and business processes in the next seven months or face reputational damage and worse – the risk of significant and public sanctions.

At Route1, we were among the first to identify this regulatory and compliance challenge for the UK recruitment industry, and in particular the legal recruitment industry. We have designed and built the only bespoke GDPR database solution for recruitment that has the capability of tracking enhanced analytics and that is scalable across all recruitment verticals. The trade-off with Route1 as a GDPR solution is between “losing” candidates on re-signing and gaining a platform that is far more insightful and data rich, in real time, than a traditional passive database. Using Route1, recruiters and employers will be able to see how, when and which candidates respond to their communications, and how specific candidates engage with the platform, enabling the advertisement and terms of available positions to be finessed so that employers obtain talent quickly and effectively.

Recruiters will have to put their faith in their candidate relationships as they ask those candidates to re-sign to a GDPR-compliant database. Using an open architecture platform where the candidate initiates contact and elects to use a recruiter will take some adjustment, but the GDPR will be forcing these changes on the industry in any case. It will be the early adopters of a GDPR-compliant platform solution, armed with data analytics, who will reap the benefits after GDPR implementation.

For more information about Route1 and its GDPR compliant platform recruitment solutions, contact James Cole.

James Cole
Route1 Founder

Route1 is an award winning marketplace for legal talent. For any questions, please contact our Engagement Team or visit our Contact Us page for more information.


We have big ambitions to permanently change the way people hire and get hired, both in the legal and other white collar sectors, using GDPR compliant, content-rich, value-added recruitment techniques. We place transparency, charity, and candidate control at the heart of our model.

Route1 was founded in the UK in 2015 and is headquartered in London. Our founders and investors include experienced lawyers, digital entrepreneurs, recruitment consultants and HR professionals.

