Posted by Conor ● 16 March 2018

How will GDPR affect student recruitment?


No doubt you’ve heard the words ‘GDPR’ a lot in the last few months.

To help you prepare for it, we’ve pulled together some insights from the team to give you the lowdown on GDPR and its impact in the student recruitment market.

What is GDPR?

The General Data Protection Regulation (GDPR) is an important piece of legislation that is designed to strengthen and unify existing data protection laws for all individuals within the European Union. The regulation will become effective and enforceable on the 25th May 2018.

The new rules include:

  • Minimising the collection of personal data unless you actually need it
  • Deleting personal data that’s no longer necessary to your business
  • Restricting access so that those who do not need to see the data you have collected cannot view it
  • Ensuring that data is kept secure through its entire lifecycle within your company

Ultimately, GDPR gives users more say over what your company can do with their data. This added layer of protection and control is especially important in today’s increasingly online society.

Though this might all seem onerous at first, getting ahead of the game will give you a competitive advantage in the long run.

You can find out more about GDPR from the ICO.

How will GDPR impact us in student recruitment?

Any organisation that captures data will be affected by GDPR, and collecting student data falls under this. Remember, the regulations apply to historical data, as well as any new data collected in the future.

Forward-thinking employers have been collecting student data for a few years now, but now have to be more prudent with how they handle it.

In 2018, more and more employers are adopting a data-led approach to recruiting students. Students have changed - the marketing and attraction strategies that worked on Millennials are not nearly as effective in engaging Generation Z.

We see the Early Talent Pipeline (ETP), a funnel honed for the early talent space, as the future of student recruitment. The ETP gives employers the ability to track and nurture candidates so that they can then analyse the data, invest in the most effective attraction activities and maximise their ROI.

This is where the market is moving, and it is why GDPR will have such a significant impact - it’s a strategy that is underpinned by data.

Find out how you can build and nurture your own Early Talent Pipeline to improve your student recruitment strategy. 

Why do you need to be compliant?

As an organisation that captures students’ data digitally or out on campus when you meet students at a careers fair or presentation, it is essential to plan your approach to GDPR compliance now. If you own data about people, you are responsible for ensuring that everything, from how it was collected to how it is stored, is GDPR compliant.

Whilst getting ahead of the game will prove to be beneficial in the long run, being non-compliant (or worse, having your security breached) can result in huge fines, topping out at €20 million or 4% of annual global turnover – whichever is higher.

Besides the financial penalties, organisations need to conform to the new regulations because they’re more in line with what Generation Z accept - personalised, persistent and permission-based communications. Students are also more conscious of their data privacy, and no longer tolerate content that is spam or irrelevant to them - it doesn’t reflect well on a brand.

Failure to comply with GDPR may in turn see students turned off from your attraction strategies.


So how do you become GDPR compliant?

As we edge ever closer to May 25th and the introduction of GDPR, there are a few steps you can take to help you prepare, and ensure you are ready come May.

Make everyone in your company aware of it

Is everyone in your company aware of GDPR, and how it will affect your business? It’s not too late to educate them.

  • Share this blog with them. It’s a five minute read, and will bring them up to speed.
  • Organise a workshop, or short insight session.
  • Appoint someone in your team as the GDPR specialist to ensure everyone is briefed and ready for the changes.
  • Put reminders in every employee’s work calendar a month, fortnight and week before May 25th.


From May 25th, in any interaction where data is being collected, clear consent must be given by the student in terms of opting-in to any future communications via email or SMS.

This might seem counterintuitive; a student is giving you their data, why wouldn’t they want to hear from you later down the line? However, these are the rules, so you should review how you’re managing consent and the entire opt-in process.

How can we manage the opt-in process?

This can be done through a clearly labelled checkbox at the bottom of your forms, which is unticked by default. The text accompanying the checkbox needs to be clear to understand and unambiguous - avoid double negatives like “I don’t not want to not miss out on emails from Client X about future opportunities”. Silence or pre-ticked checkboxes won’t count as consent under the GDPR.

When collecting data through RMP Connect, we’ll ensure you’re set up appropriately with opt-in checkboxes at the bottom of all your data collection forms, with students who opt-out being unable to be contacted from that point onwards.

Students should have access to their data, and then be able to delete it

You need to be able to allow students to edit their preferences.

The GDPR gives anyone who has their data captured the rights to have access to it, to edit it, and to have it deleted. Whilst individuals have long held the rights to access their own personal data, amend incorrect information and unsubscribe from email communications, the right to be forgotten is a new inclusion as part of the GDPR.

Any student within an RMP Connect Talent Pool can retrospectively log into our Student Preference Centre to amend their data and their opt-in preferences. They can also choose to delete themselves.

Know what data you're holding, and limit sensitive information

Don’t hold information you don’t need! Think to yourself, why do we need that data? Do you need it for targeting, communicating or reporting? If not, get rid.

In any case, it’s advantageous to your company to delete data that is no longer being used, especially if it is sensitive information. Imagine if you were hacked: you’ll have to notify all affected parties that there’s been a breach. Students will question why you were holding their sensitive information in the first place, and again, it won’t look good on your brand.

Pick a reliable solution to house your data, preferably one that has been PEN tested and is secure. A penetration test (PEN test for short) is an authorised attack on a computer system that is performed to evaluate any vulnerabilities in the system.

In addition, you need to be able to justify why you’re holding sensitive information, so capturing fields such as ethnicity isn’t recommended.

RMP Connect was PEN tested by Cyberis in November 2017. We're proud to announce no critical or high priority issues were found, two moderate issues were resolved in a matter of hours and none of the low priority issues posed a significant risk to RMP Connect.

Conclusion: Adapt and thrive

So how will GDPR affect student recruitment? It’s simple: organisations will now have to be smarter with how they capture, store and use data.

Be mindful of student preferences around communications; only contact students that have opted-in and want to be contacted by you.

The introduction of GDPR is not a case of adapt and survive. Organisations have an opportunity to use the new regulations to their advantage, an opportunity to adapt and thrive.

Let GDPR help you pull together a more Generation Z appropriate strategy for your early talent recruitment.

If you want to learn more about our GDPR compliant solution, please visit RMP Connect.
