
GDPR is now creeping up the list of priorities for 2018 for businesses across the country. With that in mind, I invited Rachael Oakley from law firm Osborne Clarke to present to a roomful of graduate recruiters at the recent GRN event, to give them a handle on this legislation, which becomes compulsory on 25th May 2018.

A complex piece of legislation was neatly distilled into three main takeaways for graduate recruiters to begin to explore, along with key action points.

1. Consent

Previously, under the DPA 1998, consent could legitimise the processing of ordinary and sensitive personal data. Under GDPR, however, consent must be a freely given, specific, informed and unambiguous indication, given by a statement or by clear affirmative action. You are required to seek a positive opt-in and to give the ability to withdraw.

Requests for consent must be:

• clearly distinguishable from other matters
• in an intelligible and easily accessible form
• in clear and plain language

Consent can be withdrawn at any time:

• it must be as easy to withdraw as to give
• the data subject must be told upfront that this is possible (privacy notice)


Identify justification(s) for processing data:

• Legitimate interests?
• Processing is necessary for performance of a contract or to take steps to enter into a contract?
• Legal obligation?
• Consider the impact on privacy notices

2. Privacy Notices

Previously, under the DPA 1998, you only had to publish high-level information about data processing to employees, contractors, job applicants etc. Under GDPR there is a much higher level of transparency: privacy notices must be concise, transparent, easily accessible and given in plain language.

Privacy notices must explain:

• The identity and contact details of the data controller
• Categories and source of personal data
• Purposes and legal basis for processing – if legitimate interests, these must be specified
• Recipients or categories of recipients
• The period the data will be stored
• Data subject rights: access, rectification, erasure, objection, portability and the ability to complain to the regulator
• The legal basis for transfer to a non-EU country


• Ensure your privacy notice is GDPR compliant to avoid any argument of unlawful processing
• Ensure notices contain the mandatory information and are issued to staff ahead of GDPR taking effect
• Ensure that notices are easily understandable and accessible
• Keep notices under review to ensure they accurately capture new data types or changed uses

3. Third Party Contracts

This is where recruiters who outsource to a third party need to pay close attention. GDPR stipulates much greater contractual controls, with prescriptive requirements for binding contracts. Specific clauses must be included, including consent to the use of subcontractors. The data controller decides whether data should be deleted or returned on termination. The processor must support the controller by providing evidence of compliance, submitting to audits, and notifying the controller of any instructions that would breach the GDPR or other DP laws.

Outsourced providers have direct responsibility for compliance. Direct obligations on data processors include:

• obtaining the data controller's consent before sub-contracting any data processing
• maintaining records of processing activity carried out on behalf of the data controller (including any transfers of personal data out of the EU)
• ensuring appropriate data security and breach notification systems are in place
• appointing a data protection officer (where applicable)
• PLUS direct liability to others, but only where the processor is non-compliant


• Review arrangements with third parties and ensure they are GDPR compliant – the data remains your responsibility!


1. Compliance requires board-level 'buy-in'
2. Do you have a cross-functional team – IT / Compliance / Legal / HR / Finance / PR?
3. Data mapping: review existing HR data – What is it? Where is it? Who has access? What processes/systems/protections are currently in place?
4. Do current practices meet GDPR requirements? For example, is the legal basis for processing data understood?
5. Assess high-risk areas as a priority (reason for processing, data sharing, transfer of data etc.)
6. Action plan for addressing risk: target high-risk areas first
7. Address risk (minimisation / pseudonymisation / security)
8. Review and amend (or implement new) privacy notices
9. Review and amend contracts of employment, handbooks and policies
10. Develop and implement an internal DP policy, including a policy (and timeline) on handling data breaches
11. Employee engagement and training (general and frontline training, employee awareness, works councils/trade unions?)
12. Keep an eye on the ICO website (and OC!) for new guidance and the progress of the Data Protection Bill through the House of Lords and beyond

For further information, Dan Hawes at GRB can be reached on 01273-200411, and Rachael Oakley at Osborne Clarke on 20 7105 7678 or

Dan Hawes is the Marketing Director at Graduate Recruitment Bureau. He hopes to enlighten students, graduates and employers with his wisdom from over 20 years in the industry.  
