Cybersecurity for HR and Recruitment Firms: Protecting Candidate and Employee Data

HR consultancies and recruitment agencies hold some of the most sensitive personal data processed by any professional services firm: CVs, background check results, salary information, employment references, health declarations and, in some cases, DBS (formerly CRB) check data. Under UK GDPR, special category data (health and disability data) and criminal offence data (DBS results) require a higher standard of protection. The ICO has taken enforcement action against recruitment firms for insufficient security measures protecting candidate data. The sector faces specific risks around data aggregation (a single breach can expose thousands of subjects' complete employment histories), consent management, and the high-volume transmission of personal data to clients.

Recruitment agencies process an average of 11,000 candidate records per year — each a UK GDPR data subject.

GDPR Obligations for HR and Recruitment Firms

HR and recruitment firms operate under strict UK GDPR obligations:

  • Lawful basis for processing — typically consent or legitimate interest for candidate data; the chosen basis must be documented and demonstrable, and consent must be as easy to withdraw as it was to give
  • Retention limits — candidate CVs must not be retained indefinitely; define a retention period, tell candidates what it is at submission, and obtain documented renewal consent before keeping data beyond it (see the FAQ below for typical periods)
  • Data subject rights — candidates have rights of access, erasure and portability; firms must have processes to respond within one month of a request (extendable by two further months for complex or numerous requests)
  • Special category data — health data and disability declarations, and criminal offence data such as DBS check results, need a specific Article 9 or Article 10 condition in addition to a lawful basis (explicit consent is one such condition), plus enhanced security measures such as separate storage and restricted access
  • International transfers — sending candidate data to overseas clients requires appropriate safeguards, such as adequacy regulations or the ICO's International Data Transfer Agreement

Frequently Asked Questions

How long can HR and recruitment firms retain candidate CVs?

UK GDPR requires personal data to be retained only as long as necessary for the purpose it was collected for. For unsuccessful candidates, a retention period of six to twelve months from submission is generally defensible if candidates were informed of it at submission; keeping a CV on file beyond that needs the candidate's documented renewal consent. For candidates who are placed, retaining records for the duration of the employment plus six years is appropriate, matching the limitation period for employment and contract claims. When the retention period expires, CVs and personal data should be deleted, not archived: an archive is still processing, and still in scope for a breach or a subject access request.
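The retention rules above (and the retention bullet in the obligations list) are easy to state and easy to let slip, so as an added example, not code from this page or from Kyanite Blue, the script below encodes them as a scheduled purge job. The record layout, field names and sample candidates are assumptions constructed for the example; the periods used are the upper bound of the guide's ranges: twelve months after submission for unsuccessful candidates (restarted by a documented renewal consent), six years after employment ends for placed candidates, no expiry yet for candidates still in process or still employed, and outright deletion rather than archiving.

```python
"""Candidate-record retention enforcement (added example; hypothetical data model).

Rules encoded, taken from the guide:
  * unsuccessful candidates: delete 12 months after submission, unless the
    candidate gave documented renewal consent, which restarts the clock;
  * placed candidates: delete 6 years after the employment ends;
  * candidates still in process or still employed: no expiry yet;
  * expired records are deleted outright, never moved to an archive.
The record layout and field names are assumptions for this example.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

UNSUCCESSFUL_RETENTION_MONTHS = 12   # 6-12 months is defensible; use the upper bound
RENEWAL_EXTENSION_MONTHS = 12        # each renewal consent buys another 12 months
PLACED_RETENTION_YEARS = 6           # employment plus six years
RUN_DATE = date(2024, 6, 1)          # assumed "today" for the sample run


@dataclass
class CandidateRecord:
    candidate_id: str
    status: str                              # "active", "unsuccessful" or "placed"
    submitted: date                          # date the CV was received
    consent_renewed: Optional[date] = None   # latest documented renewal consent
    employment_ended: Optional[date] = None  # placed candidates; None while employed
    special_category: bool = False           # health, disability or DBS data present


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def retention_expiry(rec: CandidateRecord) -> Optional[date]:
    """Date from which the record must be deleted, or None if not yet determinable."""
    if rec.status == "active":
        return None                       # still in a live recruitment process
    if rec.status == "unsuccessful":
        if rec.consent_renewed is not None:
            return add_months(rec.consent_renewed, RENEWAL_EXTENSION_MONTHS)
        return add_months(rec.submitted, UNSUCCESSFUL_RETENTION_MONTHS)
    if rec.status == "placed":
        if rec.employment_ended is None:
            return None                   # clock starts when the employment ends
        return add_months(rec.employment_ended, 12 * PLACED_RETENTION_YEARS)
    raise ValueError(f"unknown status {rec.status!r} for {rec.candidate_id}")


def records_due_for_deletion(records, today: date):
    """IDs of records whose retention period has expired as of `today`."""
    due = []
    for rec in records:
        expiry = retention_expiry(rec)
        if expiry is not None and expiry <= today:
            due.append(rec.candidate_id)
    return due


def purge(records, today: date):
    """Delete expired records. Returns (surviving records, deletion log).

    The log holds only the ID, status and reason, never the personal data,
    so it can be kept as evidence of compliance without itself becoming a
    copy of the data it documents. Nothing is archived.
    """
    due = set(records_due_for_deletion(records, today))
    kept, log = [], []
    for rec in records:
        if rec.candidate_id in due:
            reason = "special-category data deleted" if rec.special_category else "deleted"
            log.append((rec.candidate_id, rec.status, reason))
        else:
            kept.append(rec)
    return kept, log


# Constructed sample data for the example; not real candidates.
SAMPLE = [
    CandidateRecord("C1", "unsuccessful", date(2023, 1, 15)),
    CandidateRecord("C2", "unsuccessful", date(2023, 1, 15), consent_renewed=date(2024, 1, 10)),
    CandidateRecord("C3", "placed", date(2015, 9, 1), employment_ended=date(2017, 6, 30),
                    special_category=True),
    CandidateRecord("C4", "placed", date(2019, 2, 1)),             # still employed
    CandidateRecord("C5", "active", date(2024, 1, 31)),            # live process
]

if __name__ == "__main__":
    survivors, deletion_log = purge(SAMPLE, RUN_DATE)
    for entry in deletion_log:
        print("deleted", entry)
    print("retained:", [r.candidate_id for r in survivors])
```

Run on the sample set with the assumed date of 1 June 2024, C1 (twelve months past submission) and C3 (six years past the end of employment) are deleted, while C2 survives because its renewal consent restarted the clock and C4 and C5 have no expiry yet. The same structure works as a nightly job against a real applicant-tracking database: the only parts that change are where the records come from and what "delete" calls.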

Review your HR data security posture

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
