Could the GDPR spell the end for small recruitment agencies?

Smaller-scale organisations may struggle to comply with the new data protection laws, says Arran Stewart

Could the GDPR spell the end for small recruitment agencies?

There are approximately 18,500 recruitment companies registered with Companies House in the UK, and around 95 per cent of them have five employees or fewer. It’s very much a market of ‘one-man band’ businesses. 

All of these companies will keep a CRM of candidate data from applicants they have attracted over years of trading, which they keep in a database for their own uses, and they will reach out to these candidates from time to time when a suitable vacancy comes along. Sounds harmless, right? Not according to the GDPR. In fact, without the correct management of this data, accurate opt-ins and further confirmed opt-in by the agency, they could face a fine of 4 per cent of their global revenue every time a data breach happens.

I am all for moving forward and increasing the standards we adhere to; however, small recruitment agencies are simply not prepared for the potential storm that is coming. They don’t have the finances to pay a top GDPR lawyer to come in and change all their processes and, even if they did, those processes are about to become a lot more expensive. 

In order to attract candidates legitimately, they are going to have to spend a lot more money marketing their roles to pull in the applicants they are looking for. Coupled with this, they need to make sure they use trusted providers to deliver candidates – such as job boards – that sit within the confines of the GDPR rules. 

Many small businesses could be forgiven for filing a late VAT return, because running your own enterprise can get busy. But will small recruitment firms be given the same chances with a data breach like a candidate on a CRM that hasn’t been opted in recently enough? I am unsure. 

The outcome from this, I believe, will be a free-for-all of data breaches within the recruitment industry – some cases will stick and others will slip through the net. Based on my knowledge and experience, I can only talk about the impact of the GDPR in the UK; however, I think these issues will also be reflected in the EU recruitment industry. Operating a recruitment company anywhere in the EU will soon become a far more difficult operation than it was before. 

So if you were to ask me if I think the GDPR is a good thing, I would answer yes – it is a giant step toward improving the day-to-day operations of businesses in relation to data. It’s something that, as consumers, we will all benefit from and, because of that, I am certainly in favour of it. However, I feel that its high standards of data protection will pose difficulties for the recruitment industry and slightly unfair challenges for the small recruitment agency, compared to the much larger companies.

If you couple together technology shifts and the GDPR legislation, I feel the number of companies I quoted at the start will begin to drastically reduce and the consolidation of the more developed agencies will take precedence. 

Arran Stewart is co-owner of