HR managers and recruiters are putting their employers at risk of penalties of up to £17.5 million (€20 million) under imminent data protection regulations by failing to destroy sensitive data contained within job applicants’ CVs.

The General Data Protection Regulation (GDPR), which comes into force on 25 May, will apply to all companies that process personal data of European Union citizens.

CVs and application forms often reveal personal data about the subject including their home address, middle names and national insurance number — and sometimes even sensitive information, such as their physical or mental health condition and previous criminal convictions.

And since it’s customary for HR managers to print the CVs of prospective employees prior to interviewing them, they’re risking serious data breaches — and therefore hefty fines — unless they properly destroy the documents afterwards.

This comes after identity fraud, particularly against young people, is reported to have risen by 30% and Facebook finds itself at the centre of a worldwide data breach scandal.

Organisations in breach of GDPR, which includes not having a person’s consent to process their data, can be fined up to 4% of their annual turnover, or €20 million (£17.5 million) — whichever is greater.

In fact, job candidates — and any data subjects — will have six rights under the new legislation: right of access, whereby they can request to be informed about what will be done with their data; right to rectification, meaning they can correct or update any data that’s held on file; and right to erasure, which allows them to have their data removed from a database at any time.

Prospective employees will also have the right to restriction of processing, whereby they can request their data is suspended from being processed in a database, the right to export all their data from files, and the right to object to their data being processed indefinitely.

Jonathan Richardson, managing director at secure shredding specialist Russell Richardson, said: “Ahead of the enforcement of GDPR, and in light of the Cambridge Analytica scandal, many businesses are rightfully focusing on cleaning up their electronic databases to remove the risk of breaches. But it’s equally important that they destroy hard copies of sensitive and personal data — a perfect example of which is printed CVs, which are often cast aside or disposed of insecurely after job interviews.”

Many businesses are beginning to outsource the shredding of confidential and sensitive documents for this reason. Although in-house office shredders are common, they typically use the ‘strip-cut’ method which produces ribbon-like strips of paper. In the wrong hands, waste paper shredded in this way can still be read and reassembled, meaning the data subject could still be at risk of identity fraud.

“Employing a regular shredding service removes this risk and gives businesses of all sizes peace of mind that they’re adhering to the new laws,” Jonathan added. “The size of the fines they’re avoiding by securely destroying confidential information far outweighs the cost of such services.

“And while recruiters often tell unsuccessful candidates: ‘We’ll keep your details on file,’ in future they’d be wise to rephrase this message.”