Recruitment agencies process some of the most sensitive personal data in any industry: criminal record checks, identity documents, health clearances, references from previous employers.
Under GDPR, collecting this data is only the beginning. The obligations around storage, access, retention, and deletion are where most agencies fall short.
The data retention problem
GDPR requires that personal data is kept only for as long as it’s necessary for the purpose it was collected. For compliance data, this creates a tension: you need records for audit purposes, but you can’t keep them indefinitely.
Most agencies don’t have a systematic retention policy. Documents accumulate. Candidate records from years ago sit in shared drives. DBS certificates — which should never be retained for more than six months — remain on file indefinitely.
Access control gaps
Who in your organisation can access a candidate’s DBS certificate? Their health records? Their Right to Work documents?
In many agencies, the answer is: anyone with access to the shared drive. Or anyone with the CRM login. GDPR requires that access to personal data is limited to those who need it for their role — and that access is logged.
Subject access requests
When a candidate asks what data you hold on them — a Subject Access Request — you have 30 days to respond with a complete, accurate answer.
If your data is spread across spreadsheets, email attachments, and multiple systems, compiling that response is a significant manual exercise. And getting it wrong is a compliance failure in its own right.
What a compliant system looks like
A purpose-built compliance platform stores all candidate data in a single, structured system. Retention policies are enforced automatically. Access is role-based and logged. Subject Access Requests can be fulfilled with a single query.
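As an added illustration (not code from this page or from any product it describes), here is a minimal Python model of those three properties: retention enforced per document type, using the six-month DBS limit the page mentions; role-based reads that are logged whether granted or denied; and a Subject Access Request answered from one store. The role names, the non-DBS retention periods and the sample candidate are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention limit per document type, in days: six months for DBS (as the page states); the rest are constructed placeholders.
RETENTION_DAYS = {"dbs": 183, "right_to_work": 730, "health": 365, "reference": 365}
# Role-based access (constructed role names): which roles may read which document types.
ROLE_PERMISSIONS = {
    "compliance_officer": {"dbs", "right_to_work", "health", "reference"},
    "recruiter": {"right_to_work", "reference"},
}

@dataclass
class Document:
    candidate_id: str
    doc_type: str
    collected_on: date

@dataclass
class ComplianceStore:
    docs: list = field(default_factory=list)
    access_log: list = field(default_factory=list)   # every read attempt, granted or denied

    def read(self, user, role, candidate_id, doc_type, today):
        """Return matching documents only if the role permits; log the attempt either way."""
        allowed = doc_type in ROLE_PERMISSIONS.get(role, set())
        self.access_log.append((today, user, role, candidate_id, doc_type, "granted" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {doc_type!r}")
        return [d for d in self.docs if d.candidate_id == candidate_id and d.doc_type == doc_type]

    def purge_expired(self, today):
        """Enforce retention: drop documents past their window and return how many were removed."""
        keep = [d for d in self.docs
                if today - d.collected_on <= timedelta(days=RETENTION_DAYS[d.doc_type])]
        purged = len(self.docs) - len(keep)
        self.docs = keep
        return purged

    def subject_access_request(self, candidate_id):
        """Everything held on one candidate: the documents plus who has accessed them."""
        return {
            "documents": [(d.doc_type, d.collected_on.isoformat())
                          for d in self.docs if d.candidate_id == candidate_id],
            "access_log": [e for e in self.access_log if e[3] == candidate_id],
        }

def sample_store():
    """Constructed sample data: one candidate holding a DBS certificate and a Right to Work document."""
    store = ComplianceStore()
    store.docs.append(Document("cand-001", "dbs", date(2024, 1, 10)))
    store.docs.append(Document("cand-001", "right_to_work", date(2024, 1, 10)))
    return store, date(2024, 9, 1)   # "today" for the demonstration: the DBS record is 235 days old
```

Run against the sample: a recruiter's attempt to read the DBS certificate is refused and logged, the compliance officer's read is granted and logged, the purge removes the DBS certificate (235 days old) but keeps the Right to Work document, and the SAR returns what remains together with both log entries.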
GDPR compliance becomes a property of how the system works — not an additional process layered on top.