GDPR and What you need to know


The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, and with it, the most significant change in data protection legislation since the Data Protection Act of 1998.

We have a dedicated team of technical, legal and marketing experts, who have been working to ensure operates in full compliance with GDPR and without interruption or alteration to the services we offer.

Horus Patel, Director of Operations at, and a Certified GDPR Practitioner, heads up the team and has compiled a list of the most common questions we’ve been receiving from our recruitment clients.


What steps is taking to ensure GDPR compliance by May 25th?

We have a dedicated GDPR team in place, taking great care to ensure complies with all areas of the new legislation, without compromising or interrupting our service, and offering candidates complete flexibility and transparency about how their data is used.


How will GDPR affect my access to’s services?

We do not anticipate that complying with GDPR will have any impact on the services offered by to recruiters.

We are able to process the personal data supplied to us by jobseekeers who register with, as it is in our and their legitimate interest to do so. By registering with, we make it clear to jobseekers that they are actively soliciting contact from prospective employers and recruiters about opportunities which match their fields of interest.

Therefore, we make their information available to recruiters and employers who use to find suitable employees for specific roles they are seeking to fill.


Will CV Search still be the same once GDPR comes into force?

The features and functionality of our CV Search service will remain unchanged once GDPR comes into force in May 2018.

We will, of course, continue to ensure jobseekers using have the ability to control the extent to which their personal data is shared with other recruiters and prospective employers, with contact preference options, including the option to be able to opt in or out of our CV Search service.


Will GDPR affect the number of candidates available through

Whilst we will continue to give registered jobseekers the highest level of control as to how their personal data is used, including contact preference options and the right to erasure, we do not envisage the number of candidates on will change following the introduction of GDPR.

Our services are provided at the request of jobseekers; GDPR is not being introduced to stop candidates using our service and, therefore, finding work.


What is the relationship between and its customers?

For the purposes of GDPR, both and customers using its recruiter services are likely to be data controllers. As such, both organisations are required to comply with their statutory obligations as data controllers, which includes individually capturing the correct legal basis for processing information.


How will be managing consent? will not be using ‘Consent’ as its primary basis for processing user information, as it is not the most appropriate means for us to do so. We will use ‘Legitimate Interests’ as our legal basis and, as such, will notify all registered candidates on about changes to the legislation, as well as our new Privacy Policy and Terms & Conditions.

We recommend anyone reviewing GDPR looks at the guidance provided by the Information Commissioner’s Office (ICO) on the lawful basis for processing, as well as the relevant provisions in the GDPR.


Can we add copy to the bottom of our job advert to gain consent from candidates?

As the GDPR states any consent must be freely given, any such copy on an advert would be insufficient means of consent. In addition, it would not be practical for advertisers to audit or track such consent, so would not conform to the requirements of the legislation.


How long does keep data for?

The accounts of registered candidates and the personal data they contain are only maintained for as long as individuals wish to retain their accounts and are deleted upon request.  Also see: ‘What procedures do we have in place to delete data when required to do so?’


What procedures do we have in place to delete data when required to do so?

We allow our users to request the removal of their data either via the website or via our contact centre. All requests are actioned immediately through a maintained automated process. We will delete all personally identifiable information (PII) from all of our back end systems within 48 hours of the request.


If a candidate removes their details from, what action is required by customers that have downloaded their details?

Because recruiters are acting as data controllers, they should have independently obtained a legal basis for processing candidate information. As such, there is no requirement for us to notify our recruitment clients that a candidate has been deleted from


In which geographic region is our data stored?

All of our data centres are in the European Economic Area (EEA). Whilst we use third parties as part of our technology ecosystem, we ensure they are compliant with all current legislation and that information is subject to security levels governed by the EEA regulations.


How does ensure its data is secure when stored or in transport?

All personal data is transported under secure certificates and is encrypted during transport and at rest.


What is the incident management process in the case of a data breach?

We have a full incident management process which takes into account the requirements of GDPR, including the report of said breach to the data subject, the Data Protection Officer (DPO) and the Information Commissioner’s Office (ICO).


What monitoring and prevention do we have in place against potential attacks?

We have a range of security processes and software in place to protect user information. This includes but is not limited to distributed denial of service (DDoS) and intrusion detection systems (IDS), as well as best practices around data security, data segregation and access controls.


How is access to our data controlled and who has access to our data?

Access to personally identifiable information (PII) data is limited to those who absolutely require it in order to provide the services outlined in our Terms. This is typically limited to system owners and employees of Reed Online Ltd.


What support can be given to deal with a data subject access request?

As we handle any candidate information on behalf of candidates and we work as data controllers in our own right, any subject access request (SAR) would also need to be authorised by the data subject directly.


How will be managing the right to erasure?

Jobseekers have always been provided the means to remove their details from at any time via our website or by contacting us directly. This provision will remain. Also see: ‘What procedures do you have in place to delete data when required to do so?’


What amendments are you proposing to make to any service agreements, terms of engagement or any other data protection agreement arising from the new GDPR?

We will be updating our Terms and Conditions to clarify the relationship between and its clients: the new Terms will be available on the website.


We’ll keep updating this article with responses to the questions our recruitment clients are asking us about GDPR. However, should you have anything specific you would like to discuss, please contact your Account Manager on 0845 241 9293.

Hire the talent to transform your business

Reach active candidates by

signing up to post a job today