UK GDPR for Recruitment Agencies: What Your CRM Should Do For You
Most recruitment CRMs treat GDPR as your problem to solve manually. UK data protection law does not require that. This guide covers lawful basis for candidate data, consent vs legitimate interest, retention periods, and the right to erasure — and shows which parts your CRM should handle for you rather than leaving to spreadsheets and reminders.
Every UK recruitment agency processes personal data at scale — CVs, contact details, salary expectations, interview notes, right-to-work documents. That makes data protection law non-negotiable, and it makes your CRM either your biggest liability or your biggest safeguard. The difference is whether compliance is *built in* or bolted on as a set of manual chores nobody has time for.
This is a practical guide, not legal advice. It walks through the parts of UK GDPR that actually bite for agencies, and — because the question we get asked most is "what should the software do?" — flags where a modern recruitment CRM should carry the load for you.
Lawful basis: the question you must answer first
Under UK GDPR you cannot hold candidate data just because you happen to have it. You need a lawful basis for processing. For recruiters, two matter most: consent and legitimate interest.
Consent is what most agencies assume they need, but it is often the weaker choice — it must be freely given, specific, and as easy to withdraw as to give. Legitimate interest is frequently more appropriate for sourcing and placing candidates, provided you have done (and can show) a legitimate interest assessment that balances your commercial interest against the candidate's rights.
Consent that actually holds up
Where you do rely on consent — most commonly for marketing communications — it has to be provable. "We think they opted in at some point" is not a defence. You need to know when consent was given and what it covered, and you need to provide a frictionless way to withdraw it.
- Double opt-in for marketing consent, so there is a verifiable record of the candidate confirming.
- A timestamp and scope stored against the record, not in a mailbox somewhere.
- A one-click, no-login unsubscribe / opt-out that updates the record automatically.
- Merge tags in every send path so a consent link is never accidentally omitted from a campaign.
ATSpro implements marketing consent as a double-opt-in system with signed tokens, a public consent endpoint, and a per-candidate opt-out flag that every send path respects — so a consent breach cannot happen simply because someone forgot a step.
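The consent flow the list above describes, written out as an added example (not ATSpro's code): an HMAC-signed double-opt-in confirmation token, the timestamp and scope recorded on the candidate record itself, and a single send gate that honours the opt-out flag. The signing key, the one-week link expiry and the in-memory store are assumptions for the demo.

```python
import base64, hashlib, hmac, json, time
from dataclasses import dataclass, field

SECRET = b"constructed-demo-key-replace-and-rotate"  # assumption: server-held signing key
TOKEN_TTL = 7 * 24 * 3600  # assumption: confirmation links stop working after a week

def issue_token(candidate_id: str, scope: str, now: float) -> str:
    # Step 1 of double opt-in: signed payload embedded in the emailed confirmation link
    body = json.dumps({"cid": candidate_id, "scope": scope, "iat": int(now)}).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token: str, now: float):
    # Public confirm endpoint: returns claims only for untampered, unexpired tokens
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(body)
    except (ValueError, TypeError):  # malformed base64 or JSON
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected) or now - claims["iat"] > TOKEN_TTL:
        return None  # constant-time signature check, then expiry
    return claims

@dataclass
class Candidate:
    candidate_id: str
    consents: dict = field(default_factory=dict)  # scope -> UTC timestamp of confirmation
    opted_out: bool = False  # single flag that every send path must honour

def confirm_consent(store: dict, token: str, now: float) -> bool:
    # Step 2: candidate clicks the link; timestamp and scope land on the record, not in a mailbox
    claims = verify_token(token, now)
    if claims is None:
        return False
    cand = store.setdefault(claims["cid"], Candidate(claims["cid"]))
    cand.consents[claims["scope"]] = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    return True

def opt_out(store: dict, candidate_id: str) -> None:
    # One-click, no-login unsubscribe: flips the flag; no human step to forget
    if candidate_id in store:
        store[candidate_id].opted_out = True

def can_send(store: dict, candidate_id: str, scope: str) -> bool:
    # Gate that every marketing send path calls before dispatching
    cand = store.get(candidate_id)
    return cand is not None and not cand.opted_out and scope in cand.consents
```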
Retention: holding data forever is a breach waiting to happen
GDPR's storage limitation principle says you should not keep personal data longer than you need it. Agencies routinely fall foul of this by keeping every candidate forever "just in case". You need a defensible retention policy and a way to enforce it — flagging or purging records that have gone stale beyond your stated period.
This overlaps neatly with data hygiene: the same stale records that create GDPR exposure are also the ones quietly rotting your database. We cover that in Data Decay Is Costing You Placements.
The right to erasure and subject access
Candidates can ask to see the data you hold on them (a subject access request) or to have it deleted (right to erasure). You must be able to honour both — and crucially, deletion has to be complete. A soft-delete that leaves the candidate visible in a raw report or an old pipeline is not erasure.
Data residency: where your candidates actually live
For a UK agency handling UK and EU candidate data, where that data is hosted and processed matters. US-centric platforms create genuine questions about international transfers that a UK-first tool simply sidesteps. This is one of the clearest reasons UK agencies increasingly prefer software built for their jurisdiction rather than retrofitted to it.
The bottom line
Good compliance is not about a folder of policies you wrote once. It is about the day-to-day system making the compliant path the easy path: a lawful basis on every record, provable consent, enforced retention, complete erasure. When the CRM does that quietly in the background, GDPR stops being a source of dread and becomes something you can actually evidence when a client or the ICO asks.
ATSpro builds the full UK compliance stack — Reg 15/17, Right to Work, GDPR and blind recruitment — into the base product at £49/user/month, rather than charging for it as an add-on.