Surch Data Protection Impact Assessment (DPIA)

1. Project Overview

Project Name:

Online Recruitment Platform – Surch Limited

Project Description:

An online recruitment hub that allows work seekers to create profiles, search for job roles and apply to them. Employers can create company profiles, advertise job vacancies, use an applicant tracking system, onboard candidates and issue documents.

Data Protection Objectives:
  • Ensure transparency with users about how their data is processed.
  • Securely process and store personal and sensitive data.
  • Minimize risks of data breaches or non-compliance.
  • Provide clear governance, accountability, and user rights under UK GDPR and associated legislation.

2. Scope and Context

Data Subjects:
  • Recruiters: Personal and business details, contact information.
  • Job Seekers: Full names, addresses, contact information, employment history, RTW status, and scanned/photographed copies of identity documents (e.g., passports or ID cards).
Data Categories:
  • Contact Information (names, phone numbers, email addresses, physical addresses)
  • Professional Data (work history, educational background)
  • Sensitive Data (RTW information and government-issued identity documents)
Data Flows:
  • Collection: Users input their data directly during registration and job application processes.
  • Storage: Data is stored in secure databases hosted in compliant data centres.
  • Processing: Includes profile creation, job matching, and communication between recruiters and job seekers.
  • Sharing: Certain data may be shared with third-party services (e.g., payment processors or background check providers) subject to Data Processing Agreements (DPAs) and with explicit user consent where required.
  • Retention: Data retention periods should be defined in the privacy policy and in line with regulatory requirements (e.g., removal of inactive accounts after a set period).

3. Necessity and Proportionality

Purpose Limitation:
  • The data collected is directly related to the recruitment process and is essential for verifying candidate eligibility (RTW, identity) and facilitating the job matching process.
Data Minimization:
  • Collect only the essential data needed for recruitment and verification purposes.
  • Implement measures to review and delete data that is no longer necessary.
Lawfulness, Fairness, and Transparency:
  • Ensure explicit consent is obtained where required (particularly for processing sensitive data).
  • Provide clear privacy notices and policies that articulate how and why data is used.

4. Risk Assessment

Identified Risks:
  • Unauthorized Access: Risk of data breaches leading to exposure of sensitive information.
  • Data Loss: Risk of accidental deletion or system failures compromising data integrity.
  • Inappropriate Use: Risk of data being used for purposes beyond recruitment, which can result in regulatory non-compliance.
  • Insufficient Consent/Transparency: Risk that data subjects are not adequately informed about how their sensitive data is used or shared.
Likelihood and Impact:
Risk                               Likelihood   Impact     Risk Level
Unauthorized Access                Moderate     High       High
Data Loss                          Low          Moderate   Medium
Inappropriate Use                  Low          Moderate   Medium
Insufficient Consent/Transparency  Low          High       High

5. Measures to Mitigate Risks

Technical Measures:
  • Encryption: Encrypt sensitive data both in transit (using TLS/SSL) and at rest.
  • Access Controls: Employ role-based access controls (RBAC) to ensure only authorized personnel can access sensitive information.
  • Regular Security Audits: Conduct regular vulnerability assessments and penetration testing.
  • Secure Hosting: Host data in ISO-certified data centres and ensure compliance with relevant standards.
Organizational Measures:
  • Policies and Training: Develop comprehensive data protection policies and train staff on GDPR compliance and data handling procedures.
  • Data Processing Agreements (DPAs): Ensure all third-party processors adhere to strict data protection standards through formal agreements.
  • Incident Response Plan: Implement a clear incident response plan to promptly address and mitigate any data breaches or security incidents.
Process and Procedural Measures:
  • Regular Data Reviews: Periodically review stored data to ensure compliance with the data minimization principle.
  • User Rights: Provide users with easy access to manage their data, including options to correct, export, or delete their information.
  • Privacy by Design: Integrate privacy considerations into system design from the outset.

6. Residual Risk and Approval

Residual Risk:

Despite the controls in place, some residual risks remain (e.g., sophisticated cyber-attacks). These will be monitored continuously, and controls will be updated accordingly.

Approval and Sign-Off:

Data Protection Officer (DPO): Richard Walker

Senior Management: Jamie Walsh, Richard NG-Zeederberg & Craig Lilly

Date: 16/04/2025

7. Ongoing Review and Monitoring

  • Periodic Reviews: Schedule regular reviews of the DPIA (e.g., annually or when significant changes occur in processing activities).
  • Monitoring: Establish continuous monitoring of implemented measures and update the risk assessment as needed.
  • Documentation: Keep detailed records of any changes, incidents, and reviews to demonstrate ongoing compliance.

8. Conclusion

This DPIA provides a structured approach to identifying, assessing, and mitigating the privacy risks associated with an online recruitment platform. By implementing the outlined technical, organisational, and procedural measures, we aim to ensure that processing is secure, transparent, and compliant with UK GDPR.