Data Processing and Consent - GDPR

GDPR is a big topic, but not one to be scared of. The work we’ve undertaken suggests that the clarity it provides makes life simpler in many ways.

The main risks that will need to be managed are the ways in which data is stored, individuals’ records can be identified, exported or deleted and their contact preferences updated and managed. The more you operate a centralised system which brings these elements together, the easier it will be. A good compliant Recruitment and Applicant Tracking System should provide this for you. Making sure data is processed correctly and consent is given and is recorded helps ensure you are on the road to compliancy. 

Data Processing

The big changes GDPR brings in is the use of data. It requires you to maintain records of your ‘data processing’ activities. To process data, GDPR stipulates that you have to identify a lawful basis before you can process personal data. For example, the lawful conditions for processing are as follows;

  • You have the consent of the data subject
  • Processing is necessary for the performance of a contract with the data subject
  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary to protect the vital interests of a data subject or another person
  • Processing is necessary for the performance of a task carried out in the public interest
  • Necessary for the purposes of legitimate interest pursued by the controller or a third party.

There are a few key points to note that you’re processing lawfully: 

  • Review all of your data processing activities; ensure they have a lawful basis for each processing activity
  • Document what personal data you hold, where it came from, and who you share it with
  • Where a legitimate interest is the basis of processing, maintain records of your assessment of that legitimate interest, to show that you properly considered the rights of your data subjects. 


Consent is one of six lawful grounds for processing data -  here are some examples of lawful consent requests

  • Signing a consent statement on a paper form
  • Clicking an opt-in button or link online
  • Choosing technical settings or preference dashboard settings
  • Responding to an email requesting consent
  • Completing optional information for a specific purpose (such as optional fields in a form)
  • Dropping a business card into a box

Consent requests must not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way. It also must be easy to withdraw consent and request that you are no longer contacted. This will mean you have to have simple withdrawal of information mechanisms in place.

Read our previous blog on GDPR here.

To read more about GDPR and its official guidelines visit the ICO here.

[1] Download the recruitment GDPR graphic at