
How to ensure GDPR compliance for your recruitment website

by Lauren Mccue

What GDPR means for your recruitment agency

Ensuring regulatory compliance is a necessary burden for anyone working in recruitment. Keeping your processes legally compliant takes work, and online there are even more potential weak spots and pitfalls.

The complexity of regulation on data protection can be a hazard for agencies to navigate. At Access Volcanic our specialism is UK recruitment website design, so we've created this guide to data compliance in recruitment with a focus on what this means for your digital data capture.

Read on to find out:

· What GDPR means for recruitment agencies

· A short introduction to other regulation on data protection

· Why data compliance is important for recruitment websites

· Tips to keep your website compliant

· And how Access Volcanic websites help you adhere to data protection laws

To learn how to better protect your recruitment website, let's start by taking a look at the basics of data compliance regulations.

What are data privacy protection regulations?

Many countries have data privacy protections written into local laws. "Data privacy" is the idea that people should have rights over how their digital information gets stored and shared.

To generalise, most regulation on data protection will cover these points:

1. Personal data must be obtained lawfully

2. Data can only be used for the stated reason for which it was collected

3. People have rights over their personal data, including the right to amend or erase it

Staying on top of the complexities of data compliance can get dizzying quickly. And there’s more than one set of laws to think about. GDPR consent for recruitment agencies might be top of the list for UK recruiters, but there are other laws in different geographies you may need to consider.

Here's a brief overview of what you need to know about different data compliance regulations, starting with GDPR for recruitment.

What GDPR in recruitment means for your agency

Data compliance must be a high priority for recruitment agencies. Like any business, you’ll be dealing with financial records, client confidentiality, and other information that should be guarded.

But recruitment agencies also process tonnes of data about candidates, including sensitive personal data like contact information and identity documents.

One set of laws governing the use of this sensitive data is GDPR. The General Data Protection Regulation (GDPR) is a set of requirements around data processing and privacy protection.

It states that businesses must protect the sensitive data of European Union citizens collected within EU member states. It also controls if and how that data can be exported outside of the EU.

Which recruitment agencies must be GDPR compliant?

GDPR in recruitment and data privacy laws will apply to your recruitment agency if:

1. It processes data in an EU-based branch and/or

2. It does business in the EU

Even without an office in the EU, any recruitment agency that collects personal data on EU citizens will have to navigate these requirements. GDPR also regulates how your agency can process that data, no matter where you are located.

For example, if a US recruitment agency wants to target the German market and opens up applications to candidates there, GDPR regulations then apply.

What personal data must be protected under GDPR?

Broadly speaking, any information that can be used to identify a person counts as data that should be protected under GDPR.

This would include simple identifiers like a personal name, location, or ID number. It also includes digital identification like IP addresses and data from cookies.

Even if some information might not seem personal, like an online username, it can still need data protection if it can be traced back to identify that person.

When it comes to personal sensitive data, GDPR has an even more strict set of limits. We recommend being extra careful with managing consent for data in this category.

What counts as personal sensitive data is:

1. Genetic data

2. Biometric data

3. Health information

4. Racial or ethnic origin

5. Sexual orientation

6. Political, religious, or philosophical beliefs

7. Trade union membership

Whilst running a recruitment agency, it will be apparent just how much data is collected in your day-to-day operations. This is true in the obvious ways like collecting candidate information on applications.

But even if someone visits your recruitment website and doesn’t fill out any forms, some of their data is still there in the form of an IP address and cookies.

Your recruitment agency can still be legally accountable for that data. This is why it’s so important to think ahead and plan for data compliance.

What are the general rules for meeting GDPR compliance for a recruitment website?

There are seven main principles of GDPR. Sticking to GDPR for recruitment could cover a wide range of activities, but taking a digital-first approach makes sense for agencies that want to uphold compliance today.

Here’s a summary of the seven principles in relation to your recruitment website:

Lawfulness, fairness and transparency

Collect data legally and make sure website visitors know what they sign up for.

Purpose limitation

Only use the data for what you said you would.

Data minimisation

Request just the minimum data you need.

Accuracy

Keep data up-to-date and erase what’s old.

Storage limitation

Limit the amount of time that you keep personal data.

Integrity and confidentiality

Only share data on a need-to-know basis within your agency.

Accountability

Maintain audit trails and show your ability to meet compliance.

What other data compliance laws should I know?

Around the world, 137 of 194 countries have data compliance laws in place.

No one article could cover each of these regulations in detail. But depending on the markets your agency covers, you might look more into some of these regulations:

1. Data Protection Act of 1998 (UK)

2. Privacy Act 1988 (Australia)

3. Protection of Personal Information Act (South Africa)

4. Telecommunications-Telemedia Data Protection Act (Germany)

We wrote this article to give a grounding on the various data compliance requirements facing recruiters. If your recruitment website sticks with the principles below, you should have a good foundation to meet most of these data privacy laws.

Why is data compliance important for websites?

The risks of improperly handled data are high for individuals, businesses, and governments.

For your recruitment agency website, the legal and financial impact of getting data compliance wrong can be a worry.

If you drop the ball on data privacy, some of the risks you run are:

1. Fines. When data is compromised, punishing fines are likely to result. A GDPR violation could cost your business up to an eye-watering £17.3 million or 4% of turnover, whichever value is greater.

2. Loss of reputation. Poor data compliance won't reflect well on your business. Candidates and clients might head out if your agency can't be trusted to protect their data.

3. Security breaches. Bad actors finding personal data is a real risk for agencies. It's not always possible to stop every breach, but businesses should take reasonable precautions.

If you’re still wondering, 'Do I need data compliance for my recruitment website?', the short answer is: yes.

This isn’t just about legal regulations you’ll deal with as a recruitment agency. If you want to work with other digital services like Google Analytics, they also require you to adopt good data privacy policies on your website.

How do I keep my recruitment website data compliant?

This is a general guide to making sure that your recruitment agency website is up to managing any data compliance challenges.

While these guidelines will help your website stay on top of data privacy, we'd advise getting legal help with other data compliance rules. Many of the rules will overlap, but you don’t want to trip over a specific point.

Our experience building recruitment websites has given us insight into the common ‘weak links’ of data protection.

We break down the precautions you can take with your website elements below, from contact forms to overall website security.

Contact forms

Website contact forms should be opt-in and collect only the minimum necessary personal data. In turn this will also offer a better user experience.

If you have a contact form on your ‘About Us’ page, for example, you'll need to protect the personal information collected there.

Include a tick box under the fields and a link to your terms and privacy policy. This lets site visitors consent to data collection, which is key for staying compliant.

For people who don’t want to enter their personal data in a form, try offering alternative forms of contact. Listing an office phone number and email is a simple solution.

Application forms

Your agency website is likely to have an integrated job board, delivering hundreds of applications with an incredible amount of sensitive personal data.

There are a few ways to ensure that all this personal information is handled correctly:

1. Add a privacy policy that says what rights the candidate has to update or erase their data

2. State how your agency will process that personal data

3. Create a process to store that data for a specified period of time, then erase it

4. Don’t store personal data in your website’s content management system – transfer it securely to your recruitment CRM

Marketing forms

Marketing updates and newsletters can be an effective way to promote your agency’s brand and open roles. But collecting contact information to send out communications is another data compliance point to manage.

Here’s how to stick to data compliance principles with these forms:

1. Separate out your permission requests. If a candidate uses a marketing form to download an eBook, for example, ensure that’s all they get - they shouldn’t end up on a mailing list for open roles unless they requested it.

2. Store info about opt-in consent for marketing lists. You’ll need this audit trail to prove that all people on your list are being contacted because they want to be, and are not being spammed.

Privacy policies

A well-written privacy policy will keep your website compliant. Keeping to data compliance regulations means notifying website visitors how their info is collected, what the data is used for, and how they can amend or delete the data.

To write a data-compliant privacy policy, try using these guidelines:

1. Include details of the website owner

2. Write exactly what personal data is being collected, by which methods, and why

3. Include whether third parties will have access to the data

4. Tell visitors how you’ll update them on any policy changes

5. Share how visitors can update or delete their personal data

6. Write the policy in simple language and make it easy to access

For more guidance on how to write a website privacy policy, you can use a free template from a reputable source or seek legal expertise via a recruitment trade body.

Website security

The security of your recruitment website affects data compliance too. If the website itself isn’t safe, you can be sure that the data that passes through it won’t be either.

Here are some common-sense website security best practices:

1. Get ISO 27001 certified

2. Encrypt the data on your website

3. Limit who within your agency has access to data from the website

4. Use SSL certificates to keep site pages secure

How Access Volcanic websites offer data protection

As we’ve worked to empower recruitment agencies around the world to improve their digital presence, we know how critical data compliance is for your website.

Our recruitment platform at Access Volcanic has been designed to offer inbuilt features to protect all parties that interact with it. We've incorporated the following elements to make data privacy and protection easier:

· Micro-services architecture to promote website security

· Website data storage in our Vault architecture to protect private information

· A granular permissions system to manage data access control

In addition to the platform security, our intuitive workflows make it easy to keep your business totally GDPR compliant. Volcanic sites can be implemented with consent capture, Subject Access Request (SAR) and Right to be Forgotten (RTBF) tools, with a full audit trail of actions undertaken.

To learn more about how Access Volcanic websites can protect your digital operations, request a tour of the platform.

Key takeaways

Our guide is a helpful overview of regulations on data compliance, written to offer you some starting tips on protecting your recruitment website and your agency.

To be absolutely sure of data compliance, we recommend seeking legal help as and when needed. Data compliance is a complicated topic, especially with wide-ranging regulations like GDPR, but some essential best practices are the first step to keeping your business compliant.

Try working with these basic data compliance principles to keep your website secure:

1. Be transparent in how your website collects data and info about its storage, use, and amendment

2. Store website data securely and for a limited period

3. Use opt-in consent for all site forms

4. Separate requests for data and use that data for just one purpose

5. Write a clear website privacy policy and make it easily available

6. Invest in the right website security to protect data

With some data privacy rules for your recruitment website in place, your agency should have a better handle on managing data compliance.
