Critical GDPR Violations in Recruitment
Recruitment agencies handle some of the most sensitive personal data in business: CVs, passports, right-to-work documents, references, and salary histories. Yet many agencies still circulate this data by email and on shared drives, practices that create serious exposure under the UK GDPR.
Instant Fine Triggers (Fix These Now)
High-Risk Practices:
- Emailing CVs unencrypted (phishing and misdirected messages are the most common way breaches begin, and every copy in a sent folder, inbox or mail backup is a copy you can no longer recall or delete)
- Storing candidate files on shared drives without access controls
- No documented candidate consent records
- Indefinite data retention with no deletion policy
GDPR Penalty Framework:
- Fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher
- ICO enforcement action, which includes reprimands and enforcement notices as well as fines
- Reputational damage to the agency brand
- Loss of candidate trust, which is hard to win back
Even small agencies face proportionate penalties
The 10-Minute Compliance Fix
You don’t need a compliance team or expensive consultants to fix the biggest GDPR gaps. These four steps address the most common violations and can be completed in a single sitting.
Compliance Checklist (Complete in 10 minutes)
1. Switch to encrypted sharing links that expire and become unusable once the document has been retrieved. This removes the largest single exposure: copies of CVs sitting in mailboxes, sent folders and mail server backups that you cannot recall or delete.
2. Remove access for non-essential staff immediately. Only recruiters actively working a role should be able to open candidate documents, and the permission list should be reviewed whenever a role closes.
3. Delete unsuccessful candidates' data after 6 months and placed candidates' data after 1 year unless the candidate has renewed consent. UK GDPR sets no fixed period; these are defensible defaults, but whatever periods you choose must be written down in a retention schedule and justified against the purpose for which the data was collected.
4. Record when, how, and for what purpose each candidate agreed to data processing. A simple timestamped log is sufficient, provided you can produce it on request: under Article 7 the controller must be able to demonstrate that consent was given. Where you rely on a different lawful basis (for example, contract or legitimate interests), record that instead.
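The following is an added example, not FileSeal's code or the product's API, showing how steps 3 and 4 of the checklist fit together: a timestamped consent log feeds a retention sweep that applies the 6-month and 1-year defaults and restarts the clock only when a renewal is recorded after the outcome was decided. The candidate records, dates, channel names and the 182/365-day periods are constructed assumptions for illustration.

```python
# Added example (not FileSeal's code): a timestamped consent log and a
# retention sweep that applies the checklist's 6-month / 1-year rule,
# honouring consent renewals. All candidate records and dates below are
# constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Retention clocks per outcome. UK GDPR sets no fixed period; these mirror the
# checklist's defaults and would live in your written retention schedule.
RETENTION = {
    "unsuccessful": timedelta(days=182),  # roughly 6 months
    "placed": timedelta(days=365),        # roughly 1 year
}


@dataclass
class ConsentEvent:
    when: datetime          # UTC timestamp of the consent
    how: str                # channel, e.g. "web_form", "email_reply", "phone"
    purpose: str            # what the candidate agreed to, in plain words
    renewed: bool = False   # True when this renews earlier consent


@dataclass
class Candidate:
    ref: str
    outcome: str            # "active", "unsuccessful" or "placed"
    outcome_at: datetime    # when the outcome was decided (ignored for "active")
    consent_log: list[ConsentEvent] = field(default_factory=list)


def record_consent(c: Candidate, how: str, purpose: str,
                   now: datetime, renewed: bool = False) -> ConsentEvent:
    """Append a consent entry; this log is what you produce for the ICO on request."""
    event = ConsentEvent(when=now, how=how, purpose=purpose, renewed=renewed)
    c.consent_log.append(event)
    return event


def retention_decision(c: Candidate, now: datetime) -> tuple[str, datetime | None]:
    """Return ('keep' | 'delete', the date deletion falls due).

    The clock starts at the outcome date, or at the latest consent renewal
    recorded *after* the outcome. A consent given before rejection or
    placement is the original consent and does not extend retention.
    """
    if c.outcome == "active":
        return "keep", None
    if c.outcome not in RETENTION:
        raise ValueError(f"unknown outcome {c.outcome!r} for {c.ref}")
    start = c.outcome_at
    renewals = [e.when for e in c.consent_log if e.renewed and e.when >= c.outcome_at]
    if renewals:
        start = max(renewals)
    due = start + RETENTION[c.outcome]
    return ("delete" if now >= due else "keep"), due


def retention_sweep(candidates: list[Candidate], now: datetime) -> list[str]:
    """Refs that must be deleted now. Run on a schedule and log each deletion."""
    return [c.ref for c in candidates if retention_decision(c, now)[0] == "delete"]


# Constructed sample data (hypothetical candidate references)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Candidate("C-001", "unsuccessful", NOW - timedelta(days=200)),
    Candidate("C-002", "unsuccessful", NOW - timedelta(days=200)),
    Candidate("C-003", "placed", NOW - timedelta(days=300)),
    Candidate("C-004", "placed", NOW - timedelta(days=400)),
    Candidate("C-005", "active", NOW - timedelta(days=10)),
]
for _c in SAMPLE:
    record_consent(_c, "web_form", "consider me for vacancies", NOW - timedelta(days=420))
# C-002 renewed consent 30 days ago, which restarts its 6-month clock.
record_consent(SAMPLE[1], "email_reply", "keep my CV on file",
               NOW - timedelta(days=30), renewed=True)

if __name__ == "__main__":
    print(retention_sweep(SAMPLE, NOW))  # ['C-001', 'C-004']
```

C-002 survives the sweep only because its renewal is dated after the rejection; the original application consent, even though it is in the log, does not count. Whatever the sweep deletes should itself be written to the audit trail so you can show the ICO that the schedule is actually enforced.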
GDPR-Compliant Document Collection
Upload links protected with AES-256 encryption, with an automatic audit trail of every interaction. Documents auto-delete after download.
Secure Candidate Document Workflow
A GDPR-compliant recruitment workflow doesn’t slow you down — it actually speeds up candidate onboarding by providing a clear, professional process that builds trust.
Compliant document collection by stage
Every document interaction (upload, view, download, share, delete) should generate an audit trail entry, and the trail itself should be tamper-evident. When the ICO asks how you handle candidate data, you need to show exactly who accessed what, when, and why, not just promise that you are "GDPR compliant".
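As an added example (not FileSeal's code or a description of how its service is built), the block below ties the two ideas above together: a single-use, expiring download link of the kind the checklist recommends, and a hash-chained audit log in which each entry commits to the previous one, so that a later edit to any record shows up on verification. The document names, users, timestamps, 24-hour lifetime and token format are constructed assumptions.

```python
# Added example (not FileSeal's code): a single-use, expiring download link
# backed by a hash-chained audit trail, so every issue, download and refused
# attempt is recorded and later edits to the log are detectable. Document
# names, users and timestamps are constructed for illustration.
import hashlib
import json
import secrets
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev-hash of the first entry


class AuditLog:
    """Append-only log; each entry's hash covers the previous entry's hash."""

    def __init__(self):
        self.entries = []
        self._prev = GENESIS

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, action, doc, why, when):
        entry = {"ts": when.isoformat(), "actor": actor, "action": action,
                 "doc": doc, "why": why, "prev": self._prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry["hash"]

    def verify(self):
        """Index of the first tampered or out-of-order entry, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None


class ShareLinks:
    """Issues one-time download tokens; the server stores only a hash of each."""

    def __init__(self, log: AuditLog):
        self.log = log
        self._links = {}  # sha256(token) -> {doc, recipient, expires}

    def issue(self, doc, recipient, issued_by, now, ttl=timedelta(hours=24)):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        key = hashlib.sha256(token.encode()).hexdigest()
        self._links[key] = {"doc": doc, "recipient": recipient, "expires": now + ttl}
        self.log.append(issued_by, "issue_link", doc, f"share with {recipient}", now)
        return token  # goes into the link; a stolen database yields only hashes

    def redeem(self, token, actor, now):
        """Return the document name once; afterwards the link is dead."""
        key = hashlib.sha256(token.encode()).hexdigest()
        rec = self._links.get(key)
        if rec is None:
            self.log.append(actor, "denied", None, "unknown or already used link", now)
            return None
        if now > rec["expires"]:
            del self._links[key]
            self.log.append(actor, "denied", rec["doc"], "link expired", now)
            return None
        del self._links[key]  # single use: consumed before the document is served
        self.log.append(actor, "download", rec["doc"],
                        f"one-time link for {rec['recipient']}", now)
        return rec["doc"]


T0 = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)  # constructed timestamp


def run_scenario():
    """Issue, download, replay, expiry and tampering, with the log's verdicts."""
    log = AuditLog()
    links = ShareLinks(log)
    tok = links.issue("cv-0001.pdf", "client@example.com", "recruiter.a", T0)
    first = links.redeem(tok, "client@example.com", T0 + timedelta(hours=1))
    second = links.redeem(tok, "client@example.com", T0 + timedelta(hours=2))
    stale = links.issue("passport-0002.pdf", "client@example.com", "recruiter.a", T0)
    late = links.redeem(stale, "client@example.com", T0 + timedelta(hours=25))
    intact = log.verify()
    log.entries[1]["actor"] = "someone.else"  # rewrite who downloaded the CV
    return {"first": first, "second": second, "late": late, "intact": intact,
            "tampered_at": log.verify(),
            "actions": [e["action"] for e in log.entries]}


if __name__ == "__main__":
    print(run_scenario())
```

Two design points matter here. The token is stored only as a SHA-256 hash, so a copy of the link table does not hand an attacker working links, and the record is deleted before the document is served, so a replayed link cannot race a slow download. Refused attempts are logged as deliberately as successful ones; a chain of "denied" entries against one document is exactly the evidence you want when explaining an incident to the ICO. In production the chain head would be anchored somewhere the log writer cannot reach (a periodic signed checkpoint or a separate store), otherwise an attacker with write access can simply re-hash the whole chain.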
Emergency GDPR Response
The 72-hour clock runs from the moment you become aware of a personal data breach, not from the moment the ICO contacts you: any breach likely to result in a risk to candidates must be reported to the ICO within 72 hours of discovery, and you must be able to demonstrate the compliance measures you had in place. If the ICO contacts you first, respond within the deadline it sets. Having a clear response plan is the difference between a warning and a fine.
If You Discover a Breach or the ICO Contacts You (Act within 72 hours)
1. Stop all unsecured document sharing immediately and switch to encrypted methods
2. Audit all candidate data access and document who has seen what
3. Compile your GDPR compliance measures: consent records, deletion schedules, security protocols
4. Engage legal counsel specialising in data protection; do not respond to the ICO without expert guidance
5. Notify affected candidates without undue delay where the breach is likely to result in a high risk to their rights and freedoms (for example, leaked passport scans or right-to-work documents)
The ICO looks favourably on agencies that can demonstrate proactive compliance measures, even if they’re not perfect. Showing that you’ve invested in encrypted document handling, automated deletion, and audit trails significantly reduces the risk of a maximum penalty.
Stop Emailing Sensitive Documents
AES-256 encryption. Auto-delete after download. No client accounts needed. GDPR compliant.
Written by the FileSeal security and compliance team. We specialise in document security, GDPR compliance, and data protection for UK professionals. Our guides are reviewed by industry practitioners and updated regularly.
