Recruitment agency GDPR reference checking — documented consent and lawful processing

How GDPR applies to agency reference checking

When a recruitment agency contacts a referee about a candidate, it is processing the referee's personal data — their name, contact details and employment assessment of a third party — under GDPR. The lawful basis for this processing is typically a combination of legitimate interest (the agency's interest in verifying candidate suitability) and the candidate's consent to references being sought. The ICO's guidance on employment references recommends that candidates are informed that references will be sought and their consent obtained before any referee is contacted. Documenting this consent is GDPR best practice and the foundation of a defensible reference process.

RefAssure GDPR compliance — consent first, always

RefAssure is designed with GDPR consent as the first step in every reference. Before any referee is contacted, the candidate receives an email and SMS asking them to consent to reference checking and provide referee details. This consent is timestamped and stored. No referee is ever contacted without documented candidate consent on record. The consent record is included in every PDF reference report — providing auditable evidence that the agency's reference process is GDPR compliant for every reference.

For agencies that have previously taken a more informal approach to candidate consent — assuming verbal agreement during registration or relying on a general consent clause in terms — RefAssure's automatic consent collection provides a structured upgrade to GDPR compliance without requiring any change to existing processes. Consultants simply add the candidate to RefAssure; the consent process happens automatically. From 99p per reference.