Close-up of a professional video camera setup indoors, capturing high-quality footage.
|

Why Retaining Candidate Data Could Land You in Hot Water

ByPrivacyiQ

Storing CVs for years after rejection? It might be a data protection breach. Here’s what you need to know.

It’s common for recruitment teams to keep CVs “just in case” — but under UK GDPR, this can be unlawful.

The problem: If a candidate wasn’t hired, their data must only be retained if you have a legitimate purpose — like defending against discrimination claims, typically within 6–12 months.

Best practices:

  • Set a clear retention window for recruitment data (e.g. 6 months)
  • Automate deletion of old applicant data
  • Be transparent in your privacy notice

Recruitment is a high-risk area for data protection missteps. Compliance isn’t just about ticking boxes — it’s about fair treatment and legal defensibility.

Similar Posts

Diverse professionals engaged in strategic discussion in a law office setting.
| | |

Who Owns Data Retention in Your Organisation?

ByPrivacyiQ

Is it IT? Legal? HR? Retention needs ownership — or it becomes a shared blind spot. Here’s how to assign responsibility. Without a clear owner, data retention becomes everyone’s responsibility — and no one’s priority. Ownership models that work: Either model can work — but only if: Assigning ownership turns policy into practice. Without it,…

Bushfire in Australia
| |

Retention and Subject Access Requests: What You Don’t Keep Can’t Hurt You

ByPrivacyiQ

Subject access requests are easier (and cheaper) if you delete what you no longer need. Here’s why that’s strategic. Subject access requests (SARs) are rising — and they are expensive. But here’s the secret: the less data you hold, the less you have to search, redact, and disclose. Retention policies don’t just reduce legal risk….

The Right to Erasure (Right to Be Forgotten)
| | |

The Right to Erasure (Right to Be Forgotten)

ByPrivacyiQ

The GDPR gives individuals the right to be forgotten in certain cases. Understand what this means for your company. Article 17 of the UK GDPR gives individuals the right to request the erasure of personal data where: However, this isn’t absolute. You may retain data if you need it for legal claims, compliance, or public…

Side view of contemplating female assistant in casual style standing near shelves and choosing file with documents
|

How Long Is Too Long? Setting Retention Periods for HR Records

ByPrivacyiQ

Unsure how long to keep HR records under UK GDPR? Here’s a breakdown for hiring managers and compliance teams. HR records often sit in systems long after employees leave — exposing firms to unnecessary GDPR risk. UK GDPR requires that personal data be retained only as long as necessary for the purpose it was collected….

Smiling woman holding eyeglasses and clipboard in a contemporary office.

What “No Longer Necessary” Really Means Under GDPR

ByPrivacyiQ

The UK GDPR says don’t keep data longer than needed. But what does that actually mean in practice? UK GDPR Article 5 says personal data must be “kept no longer than is necessary.” But who defines necessary? Interpretation depends on: There’s no universal timeline — only justifiable ones. If your retention lacks clear purpose or…

A woman using her phone at a desk, surrounded by art supplies and a laptop, in a creative workspace.
| |

Data Retention for Ex-Employees: A Hidden Risk

ByPrivacyiQ

Are you keeping leavers’ data too long? Learn what the law says and how to reduce legal exposure. Many organisations store former employee data indefinitely — just in case. But UK GDPR doesn’t allow for “just in case” retention. Key retention timelines to know: After this period, data should be deleted or anonymised. Keeping more…