Stuart Gentle Publisher at Onrec

Recruitment practices must change to protect the personal data of job candidates, warns cut-e

Employers are risking fines of €20 million if they don’t change their recruitment and development practices to comply with the new General Data Protection Regulation on processing personal data, warns cut-e, the international assessment specialist.

The General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, will strengthen and standardise European laws relating to the use of any ‘personal data’ that is collected from European Union citizens, even if the company concerned is located outside of the EU. Personal data includes an individual’s identity, contact details, social media posts and health information. Employers now need the consent of EU citizens to process their data and individuals have greater control over what companies can do their information. 

“We’ve always taken data protection very seriously and we fully support GDPR’s goal as this will improve trust in the digital economy and provide a more consistent legal framework for data protection,” said Andreas Lohff, Chief Executive Officer of cut-e. “However, many employers are unprepared for the impact that GDPR will have on their recruitment and development practices.

They not only have to implement GDPR’s rules when they internally process the personal data of job candidates and employees, they also have to ensure that they partner with suppliers who can guarantee that they’ve taken the necessary technical and organisational steps to fully comply with this regulation.” 

GDPR gives EU citizens the right to know exactly what information is held about them and it entitles them to have their personal data rectified if it is inaccurate or incomplete. Individuals will also be able to block the processing of their personal data and object to it being used for purposes such as direct marketing or research. 

“The challenge for recruitment and development teams is to understand where GDPR applies - and where it doesn’t - and to act accordingly,” said Andreas Lohff. “This impacts on how you collect, store, use and share assessment data on job candidates and development data on employees. You have to know where you’re vulnerable.” 

cut-e recommends that employers take proactive steps to: review their data collection processes to ensure that the purpose of the data is clear and legally compatible; enhance their internal data processing activities, to ensure personal data is processed lawfully and transparently; review their data transfer practices with subcontractors and service providers; understand how they can use aspects such as data encryption and the automated profiling of individuals for talent analytics purposes; introduce new data documentation measures for auditing, monitoring and evaluation, and design training programmes and resources to ensure employee compliance. 

“Good data handling practices are not just important for confidentiality, they’re also important for transparency and for maintaining an organisation’s reputation,” said Andreas Lohff. “Every employer now needs to demand that their assessment provider can demonstrate accountability and compliance with the GDPR. At cut-e, we have a team of experts involved in data protection, overseen by an external data protection legal specialist, and we’ve reviewed our processes and educated our staff about our expectations and procedures. We’re now advising our clients on all aspects of processing the personal data of EU citizens, so they can avoid the tough fines that will be imposed on those who fail to comply with the regulations.” 

cut-e will host a webinar on GDPR compliance, and the implications for assessing job candidates, on 24 January 2018 at 11.00am CET. Register online for this webinar here:

For further information about compliance and GDPR, please email or visit