UK Compliance · 16 June 2026 · 9 min read

UK GDPR for Recruitment Agencies: What Your CRM Should Do For You

Most recruitment CRMs treat GDPR as your problem to solve manually. UK data protection law does not require that. This guide covers lawful basis for candidate data, consent vs legitimate interest, retention periods, and the right to erasure — and shows which parts your CRM should handle for you rather than leaving to spreadsheets and reminders.

By The ATSpro Team

Every UK recruitment agency processes personal data at scale — CVs, contact details, salary expectations, interview notes, right-to-work documents. That makes data protection law non-negotiable, and it makes your CRM either your biggest liability or your biggest safeguard. The difference is whether compliance is *built in* or bolted on as a set of manual chores nobody has time for.

This is a practical guide, not legal advice. It walks through the parts of UK GDPR that actually bite for agencies, and — because the question we get asked most is "what should the software do?" — flags where a modern recruitment CRM should carry the load for you.

Lawful basis: the question you must answer first

Under UK GDPR you cannot hold candidate data just because you happen to have it. Article 6 lists six lawful bases for processing, and you must be able to name the one you rely on for each candidate. For recruiters, two matter most: consent and legitimate interest.

Consent is what most agencies assume they need, but it is often the weaker choice: it must be freely given, specific, informed, and as easy to withdraw as it was to give. Legitimate interest is frequently more appropriate for sourcing and placing candidates, provided you have done (and can show) a legitimate interest assessment (LIA) that balances your commercial interest against the candidate's rights, and your privacy notice tells candidates that this is the basis you rely on.

Where you do rely on consent — most commonly for marketing communications — it has to be provable. "We think they opted in at some point" is not a defence. You need to know when consent was given, what it covered, and provide a frictionless way to withdraw it.

  • Double opt-in for marketing consent, so there is a verifiable record of the candidate confirming.
  • A timestamp and scope stored against the record, not in a mailbox somewhere.
  • A one-click, no-login unsubscribe / opt-out that updates the record automatically.
  • Merge tags in every send path so a consent link is never accidentally omitted from a campaign.

ATSpro implements marketing consent as a double-opt-in system with signed tokens, a public consent endpoint, and a per-candidate opt-out flag that every send path respects — so a consent breach cannot happen simply because someone forgot a step.
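To make the four items above concrete, here is an added worked example of how such a double-opt-in flow can be built. It is illustrative code written for this article, not ATSpro's implementation: the record fields, the `confirm` and `opt_out` endpoint handlers and the signing key are all assumptions. The tokens are HMAC-signed so the public endpoints need no login, confirmation links are single-use and expire, opt-out links never expire, and every send path goes through one `can_send_marketing` check.

```python
"""Double opt-in marketing consent with HMAC-signed tokens and a per-candidate
opt-out state that every send path must check. Illustrative example only."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical signing key: in production load it from a secrets manager and rotate it.
SECRET_KEY = b"example-only-signing-key"
CONFIRM_TTL = 7 * 24 * 3600  # confirmation links expire after a week


@dataclass
class ConsentRecord:
    candidate_id: str
    status: str = "none"                 # none | pending | confirmed | withdrawn
    scope: str = ""                      # what the consent covers, e.g. "marketing:email"
    requested_at: Optional[float] = None
    confirmed_at: Optional[float] = None
    withdrawn_at: Optional[float] = None
    pending_nonce: Optional[str] = None  # ties a confirmation token to one request


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(candidate_id: str, action: str, scope: str, nonce: str,
                ttl: Optional[int], now: float) -> str:
    """Return `body.signature`; ttl=None means the link never expires (opt-out links)."""
    payload = {"cid": candidate_id, "act": action, "scope": scope, "nonce": nonce,
               "exp": None if ttl is None else int(now + ttl)}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: float) -> Optional[dict]:
    """Check the signature (constant-time) and expiry before trusting any field."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if payload.get("exp") is not None and payload["exp"] < now:
        return None
    return payload


def request_consent(db: dict, candidate_id: str, scope: str, now: float) -> str:
    """Step 1 of double opt-in: mark the record pending and return the link token."""
    rec = db.setdefault(candidate_id, ConsentRecord(candidate_id))
    rec.status, rec.scope, rec.requested_at = "pending", scope, now
    rec.pending_nonce = secrets.token_hex(16)
    return issue_token(candidate_id, "confirm", scope, rec.pending_nonce, CONFIRM_TTL, now)


def handle_confirm(db: dict, token: str, now: float) -> bool:
    """Public, no-login endpoint. Single-use: the nonce is cleared on success, so a
    replayed link cannot re-enable consent after the candidate has withdrawn."""
    p = verify_token(token, now)
    rec = db.get(p["cid"]) if p else None
    if not p or p["act"] != "confirm" or rec is None:
        return False
    if rec.status != "pending" or p["nonce"] != rec.pending_nonce:
        return False
    rec.status, rec.confirmed_at, rec.pending_nonce = "confirmed", now, None
    return True


def opt_out_token(candidate_id: str, scope: str, now: float) -> str:
    """Embedded in every marketing send; never expires, so withdrawal is always one click."""
    return issue_token(candidate_id, "opt_out", scope, "", None, now)


def handle_opt_out(db: dict, token: str, now: float) -> bool:
    """Public, no-login endpoint. Idempotent: withdrawing twice is still withdrawn."""
    p = verify_token(token, now)
    rec = db.get(p["cid"]) if p else None
    if not p or p["act"] != "opt_out" or rec is None:
        return False
    rec.status, rec.withdrawn_at, rec.pending_nonce = "withdrawn", now, None
    return True


def can_send_marketing(db: dict, candidate_id: str, scope: str) -> bool:
    """The one gate every send path calls; anything not explicitly confirmed is a no."""
    rec = db.get(candidate_id)
    return rec is not None and rec.status == "confirmed" and rec.scope == scope
```

Two design points worth copying: the timestamp, scope and nonce live on the candidate record rather than only inside the token, so the audit trail survives even if the token is lost; and the default answer from `can_send_marketing` is "no", so a campaign that skips the consent step fails closed rather than sending.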

Retention: holding data forever is a breach waiting to happen

GDPR's storage limitation principle says you should not keep personal data longer than you need it. Agencies routinely fall foul of this by keeping every candidate forever "just in case". You need a defensible retention policy and a way to enforce it — flagging or purging records that have gone stale beyond your stated period.

This overlaps neatly with data hygiene: the same stale records that create GDPR exposure are also the ones quietly rotting your database. We cover that in Data Decay Is Costing You Placements.

The right to erasure and subject access

Candidates can ask to see the data you hold on them (a subject access request) or to have it deleted (right to erasure), and both must normally be answered within one month. You must be able to honour both, and crucially, deletion has to be complete. A soft-delete that leaves the candidate visible in a raw report, a search index, an export or an old pipeline is not erasure. The right is not absolute: where another law obliges you to keep a record, document that exemption against the record rather than deleting, and make sure the retention sweep knows about it.
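The retention and erasure sections above describe three mechanics: a sweep that flags records past the stated retention period (while respecting documented holds), a deletion that propagates to every copy of the data, and a way to prove it did. The following is an added example of all three, written for this article rather than taken from ATSpro or any real CRM; the in-memory stores, field names and sample candidates are constructed stand-ins for a CRM's main table, search index, pipeline stages and report exports.

```python
"""Retention sweep, soft-delete versus true erasure, and a verification pass that
proves the deletion propagated. Illustrative example with in-memory stand-ins."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass
class Candidate:
    candidate_id: str
    name: str
    email: str
    last_activity: date       # last contact, application or update
    legal_hold: bool = False  # a record another law obliges you to keep (document why)
    deleted: bool = False     # soft-delete flag; only the main table honours it


class CrmStores:
    """Every place candidate data gets copied to. Real systems have more (backups,
    mailboxes, sub-processors); the point is that erasure must reach all of them."""

    def __init__(self) -> None:
        self.candidates: Dict[str, Candidate] = {}
        self.search_index: Dict[str, Set[str]] = {}    # name token -> candidate ids
        self.pipelines: Dict[str, List[str]] = {}      # job id -> candidate ids
        self.exports: List[Tuple[str, str, str]] = []  # rows copied into a report

    def add(self, c: Candidate, job_id: str) -> None:
        self.candidates[c.candidate_id] = c
        for tok in c.name.lower().split():
            self.search_index.setdefault(tok, set()).add(c.candidate_id)
        self.pipelines.setdefault(job_id, []).append(c.candidate_id)
        self.exports.append((c.candidate_id, c.name, c.email))


def stale_candidates(stores: CrmStores, today: date, retention_days: int) -> List[str]:
    """Flag records past the stated retention period, skipping documented legal holds."""
    return sorted(
        c.candidate_id for c in stores.candidates.values()
        if not c.legal_hold and (today - c.last_activity).days > retention_days
    )


def active_candidates(stores: CrmStores) -> List[str]:
    """What the UI shows: soft-deleted rows disappear here and nowhere else."""
    return sorted(cid for cid, c in stores.candidates.items() if not c.deleted)


def soft_delete(stores: CrmStores, cid: str) -> None:
    """The pattern that looks like deletion but is not erasure."""
    stores.candidates[cid].deleted = True


def erase(stores: CrmStores, cid: str) -> None:
    """Right-to-erasure path: remove the record from every store, not just the table."""
    c = stores.candidates.pop(cid, None)
    for ids in stores.search_index.values():
        ids.discard(cid)
    for job_id, ids in stores.pipelines.items():
        stores.pipelines[job_id] = [x for x in ids if x != cid]
    email = c.email if c else None
    stores.exports = [r for r in stores.exports if r[0] != cid and r[2] != email]


def residual_locations(stores: CrmStores, cid: str, email: str) -> List[str]:
    """Audit step: list every store where the candidate still appears. Matches on the
    email as well as the id, because exported rows can outlive the id they came from."""
    found: Set[str] = set()
    if cid in stores.candidates:
        found.add("candidates")
    for tok, ids in stores.search_index.items():
        if cid in ids:
            found.add(f"search_index:{tok}")
    for job_id, ids in stores.pipelines.items():
        if cid in ids:
            found.add(f"pipeline:{job_id}")
    for row in stores.exports:
        if row[0] == cid or row[2] == email:
            found.add("exports")
    return sorted(found)
```

Run `residual_locations` after a soft-delete and it lists the search index, the pipeline and the export rows the candidate still sits in; after `erase` it returns an empty list, which is the evidence you want to be able to show when the candidate, a client or the ICO asks.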

Data residency: where your candidates actually live

For a UK agency handling UK and EU candidate data, where that data is hosted and processed matters. US-centric platforms create genuine questions about international transfers that a UK-hosted tool largely avoids. Check the sub-processors as well as the headline platform: the email delivery service, search index, analytics and backups all hold candidate data, and a transfer to any of them needs the same answer. This is one of the clearest reasons UK agencies increasingly prefer software built for their jurisdiction rather than retrofitted to it.

The bottom line

Good compliance is not about a folder of policies you wrote once. It is about the day-to-day system making the compliant path the easy path: a lawful basis on every record, provable consent, enforced retention, complete erasure. When the CRM does that quietly in the background, GDPR stops being a source of dread and becomes something you can actually evidence when a client or the ICO asks.

ATSpro builds the full UK compliance stack — Reg 15/17, Right to Work, GDPR and blind recruitment — into the base product at £49/user/month, rather than charging for it as an add-on.

Frequently asked questions

What is the lawful basis for holding candidate data under UK GDPR?
The two most relevant lawful bases for recruitment are consent and legitimate interest. Legitimate interest is often more appropriate for sourcing and placing candidates, provided you have carried out and documented a legitimate interest assessment. Consent is typically used for marketing communications and must be freely given, specific, and easy to withdraw. Your CRM should record the lawful basis against every candidate record as a structured, reportable field.
How long can a recruitment agency keep candidate data?
UK GDPR's storage limitation principle requires that you keep personal data no longer than necessary for the purpose. There is no fixed statutory period for recruitment, so you must set and document a defensible retention policy and enforce it — flagging or removing records that exceed your stated retention period rather than keeping every candidate indefinitely.
Does a soft-delete satisfy the right to erasure?
No. A right-to-erasure request requires complete removal of the candidate's personal data. A soft-delete that leaves the record visible in search indexes, reports, exports, or old pipelines does not satisfy erasure. Deletion must propagate across every system that holds the data.
Is a UK-hosted recruitment CRM better for GDPR compliance?
For agencies handling UK and EU candidate data, a UK-first platform avoids the international transfer questions that arise with US-centric software. Where and how data is hosted and processed is a genuine compliance consideration, which is why many UK agencies prefer software built for their jurisdiction rather than retrofitted to it.

Keep reading

  • Data & CRM Hygiene: Data Decay Is Costing You Placements (And You Cannot See It Happening). Recruitment data decays silently — people change jobs, emails bounce, numbers die. Here is what data decay costs UK agencies in missed placements, and how a living database keeps candidate records accurate without manual clean-up.
  • Agency Growth: Why Your CRM Should Make Standalone CV Formatting Software Redundant. Most agencies pay for separate CV formatting software on top of their recruitment CRM. Here is why branded CV formatting should be built into your ATS — and what goes wrong when it is bolted on or done by hand.
  • Switching & Migration: Why UK Agencies Are Leaving Enterprise Recruitment CRMs. Enterprise recruitment CRMs are expensive, add-on-heavy, and often US-built. Here is why a growing number of UK agencies are switching to simpler, transparent, UK-native software — and what to check before you move.

See ATSpro on your own data

A UK recruitment CRM at £49/user/month — AI assistant, 14 background agents, full UK compliance, free migration. Book a 20-minute demo with the founder.

14-day free trial · No credit card required · Cancel anytime