Critical GDPR Violations in Recruitment
Recruitment agencies handle some of the most sensitive personal data in business: CVs, passports, right-to-work documents, references, and salary histories. Yet most agencies still rely on email and shared drives, practices that create serious GDPR exposure.
Instant Fine Triggers (Fix These Now)
High-Risk Practices:
- • Emailing CVs unencrypted (85% of breaches start with email)
- • Storing candidate files on shared drives without access controls
- • No documented candidate consent records
- • Indefinite data retention with no deletion policy
GDPR Penalty Framework:
- • Up to £17.5M or 4% of global turnover
- • ICO enforcement actions increasing year-on-year
- • Reputational damage to agency brand
- • Candidate trust permanently lost
Even small agencies face proportionate penalties
The 10-Minute Compliance Fix
You don’t need a compliance team or expensive consultants to fix the biggest GDPR gaps. These four steps address the most common violations and can be completed in a single sitting.
Compliance Checklist (Complete in 10 minutes)
Switch to encrypted sharing links that auto-delete after viewing. This eliminates the biggest single vulnerability.
Remove access for non-essential staff immediately. Only recruiters actively working a role should see candidate documents.
Delete unsuccessful candidate data after 6 months, successful placements after 1 year unless consent is renewed.
Record when, how, and for what purpose candidates agreed to data processing. A simple timestamped log is sufficient.
GDPR-Compliant Document Collection
AES-256 encrypted upload links with automatic audit trails. Documents auto-delete after download.
Secure Candidate Document Workflow
A GDPR-compliant recruitment workflow doesn’t slow you down, it actually speeds up candidate onboarding by providing a clear, professional process that builds trust.
Compliant document collection by stage
Every document interaction should generate an audit trail entry. When the ICO asks how you handle candidate data, you need to show exactly who accessed what, when, and why, not just promise that you’re “GDPR compliant”.
Right to Work: Collect, Check, Delete
Right-to-work documents are where recruitment data protection and immigration law meet, and where agencies most often over-collect and over-retain. The legal stakes are high: an employer who employs someone without the right to work can face a civil penalty of up to £60,000 per illegal worker, raised from £20,000 in February 2024.
The compliant right-to-work sequence
Use an online share code where available, or request the document through an encrypted link rather than email. The check must be completed before the candidate begins work to give a statutory excuse against the civil penalty.
Keep clear evidence of the check (the online result or a dated copy) for the duration of employment and for two years after it ends. That record, not a mailbox full of raw passports, is what demonstrates compliance.
Once the check is recorded, delete duplicate copies sitting in inboxes, chat threads, and downloads folders. Every extra copy is extra GDPR exposure for no compliance benefit.
The principle is “verify and minimise”: confirm the candidate’s status, keep proof that you did so, and hold nothing beyond that. An encrypted upload link that deletes the document after you have downloaded and recorded it makes this the path of least resistance rather than an extra chore.
How Long Can You Keep Candidate Data?
One of the most common questions recruiters ask, and one of the most common compliance gaps, is retention. There is no fixed legal period for keeping CVs and candidate documents. UK GDPR’s storage limitation principle simply requires that you keep personal data no longer than is necessary for the purpose you collected it.
Set a retention policy you can defend
The ICO does not mandate a number, but it does expect you to justify whatever you choose. A documented policy (for example, deleting unsuccessful applicants after a set period) beats an undocumented “we keep everything”.
If you keep a candidate’s details to consider them for future roles, that usually relies on consent or legitimate interests, and the candidate can withdraw or object. Keep only what that basis supports.
A policy nobody enforces is worse than none. Encrypted links that delete documents after download, plus calendar-driven purges of your own records, turn retention from an intention into a fact.
Honouring a candidate’s request to be deleted is far easier when their documents were never scattered across inboxes and shared drives in the first place. A single, time-limited, encrypted channel for collecting documents is the simplest way to keep retention under control.
Emergency GDPR Response
If the ICO contacts your agency, you have 72 hours to report a data breach and must demonstrate your compliance measures. Having a clear response plan is the difference between a warning and a fine.
If ICO Contacts You (Act within 72 hours)
- 1. Stop all unsecured document sharing immediately, switch to encrypted methods
- 2. Audit all candidate data access and document who has seen what
- 3. Compile your GDPR compliance measures, consent records, deletion schedules, security protocols
- 4. Engage legal counsel specialising in data protection, don’t respond to the ICO without expert guidance
- 5. Notify affected candidates if personal data has been compromised
The ICO looks favourably on agencies that can demonstrate proactive compliance measures, even if they’re not perfect. Showing that you’ve invested in encrypted document handling, automated deletion, and audit trails significantly reduces the risk of a maximum penalty.
Frequently Asked Questions
How long can a recruitment agency keep candidate data under UK GDPR?
There is no fixed statutory retention period for CVs and candidate documents. UK GDPR’s storage limitation principle requires that you keep personal data no longer than necessary for the purpose you collected it. In practice agencies set a documented retention policy, for example deleting unsuccessful applicants’ data after a defined period and keeping placement records only for as long as a lawful basis applies. The ICO expects you to be able to justify whatever period you choose.
What is the penalty for getting right-to-work checks wrong?
Employers who employ someone who does not have the right to work can face a civil penalty of up to £60,000 per illegal worker, raised from £20,000 in February 2024, alongside potential criminal liability. A correct right-to-work check carried out before employment begins gives a statutory excuse against the civil penalty, which is why the check, and a secure record of it, matters.
Do I need to keep a candidate’s passport on file after checking it?
You need to keep evidence that you carried out the right-to-work check, typically a clear copy or the online check result, for the duration of employment and for two years after it ends. You do not need to keep raw identity documents sitting in inboxes or shared drives indefinitely. Collect the document through an encrypted link, record the check, and delete the original copies you no longer need.
Is emailing CVs and right-to-work documents a GDPR risk?
Yes. Emailed documents persist in multiple mailboxes and on mail servers, often with no access control and no deletion, which is hard to square with UK GDPR’s security and storage limitation principles. Encrypted upload links that auto-delete after download, combined with an audit trail of who accessed each file, give you a defensible position if the ICO ever asks how you handle candidate data.
Stop Emailing Sensitive Documents
AES-256 encryption. Auto-delete after download. No client accounts needed. GDPR compliant.
Written by the FileSeal security and compliance team. We specialise in document security, GDPR compliance, and data protection for UK professionals. Our guides are reviewed by industry practitioners and updated regularly.
