We get it. The GDPR is more than a little confusing – and many employers struggle to make sense of it.
Most of us know roughly what it is: Doing right by your customers, users, employees, and candidates when handling their information.
But what does it mean in practice and how can you make sure you’re GDPR compliant when hiring new people or handling your employees’ data?
This is where things become tricky.
And for a good reason – the GDPR, or the General Data Protection Regulation, is complex. There’s a lot of jargon in there, and it’s not exactly the most concise of documents.
Still, if you have responsibilities that involve data collection – as is very often the case in HR and recruitment – it’s not something you can plead ignorance to.
But fret not; we’re going to break down all those terms and requirements in simple language and provide a comprehensive guide to the GDPR for employers, so that you know exactly what to do with your employees’ and candidates’ data. And not risk a costly lawsuit.
The GDPR (General Data Protection Regulation) is an EU legislation that aims to protect the rights of individuals whose personal data is being collected and processed.
It explains what companies can and can’t do when collecting, storing, and processing data of their users, customers, employees, and job applicants in the European Union and the European Economic Area.
It also outlines EU citizens’ rights when someone collects, stores, and processes their personal data. Employers and recruiters often need to collect personal data, which makes it crucial to stay GDPR compliant if you have employees in the EU.
The GDPR came into force on May 25, 2018, and overhauled many European data privacy laws that had been in place since the 1990s. It is widely considered the world’s strongest set of data protection rules.
It has also informed several other data protection laws, such as the California Consumer Privacy Act.
Since the GDPR is European legislation, it raises a fair question:
The GDPR applies to all countries in the European Union (EU) and the European Economic Area (EEA). It also allows countries to make small changes to suit their own requirements.
This flexibility led the UK to create the Data Protection Act 2018, superseding the previous act from 1998. Although the GDPR is no longer applicable in the UK since the UK left the EU in 2020, the Data Protection Act 2018 still is. It’s often referred to as the UK GDPR.
By now, you’re probably wondering: Does the GDPR still apply to employers in the US and the rest of the world?
In short, yes, but not in all situations.
Let’s break that down.
The EEA GDPR (the original GDPR) applies specifically to the 27 members of the EU and all countries in the EEA (European Economic Area), which include Iceland, Norway, and Liechtenstein.
The GDPR applies to you as an employer:
If your business is based in the EEA, regardless of where you process customer data
If your business is based in the US or another country and if you do both of the following:
Offer goods and services to people in the EEA or hire citizens of any country of the EEA, and
Monitor your website visitors’ online behavior
If you’re based in the UK, follow the UK GDPR guidelines.
If you only sell to customers or have employees in the US (or other countries outside the EEA), then you don’t have to comply with the GDPR. Still, you may need to abide by local regulations. Skip ahead to our breakdown of other countries’ privacy regulations to learn more.
The official GDPR document is huge, with more than 250 pages and 99 individual articles.
We know you’re not going to read that whole thing (and who could blame you?), so let’s break it down into the following five parts and go through the Cliffs Notes version of the GDPR for employers:
Important GDPR definitions and concepts
The 7 key GDPR principles
The 8 GDPR rights for individuals
The 6 lawful bases to process data
Fines for GDPR breaches
Before we dive deeper, it’s important to understand some key terms used in the GDPR:
Users (also referred to as data subjects) are the individuals whose data is collected and processed. In most cases, these are your customers, but for employers, this term also extends to employees and job applicants.
A data controller is a person or legal entity involved in deciding how personal data will be processed. As an entity, this is your company, and as a person, it’s likely to be your chief technology officer (CTO).
A data processor is a person or legal entity who is involved in processing the data on behalf of the data controller. This might be the same business if you’re processing data in-house. Larger organizations often contract third-party suppliers to process data. In this case, your business is still the data controller, but the supplier is the data processor.
Personal data refers to the users’ details you capture. The GDPR specifically defines personal data as being from an “identified or identifiable natural person,” which is someone who can be identified by referring to details like:
Name
Phone number
Personal identification numbers
Date of birth
Address
Online identifiers, like an IP address
Data processing is any operation performed on personal data, including activities like:
Collection
Storage
Organization
Dissemination
Say that five times fast.
Pseudonymization is a way of processing data so that it can’t be attached to a specific user without additional identifiers. Personally identifiable information is replaced with artificial identifiers or pseudonyms to protect users’ anonymity.
The GDPR is underpinned by seven core principles related to collecting and processing personal data:
Lawfulness, fairness, and transparency: This principle is pretty straightforward. As a data controller, you must process your employees’ and candidates’ personal data in a way that is fair, transparent, and compliant with the law.
Purpose limitation: You should only collect personal data for legitimate and specific purposes. That means you can’t collect data just because you can, and you can’t process data for any reason other than what you specify when you collect it.
Data minimization: That the data you collect needs to be relevant, adequate, and limited to the purposes you’ve stated. Basically, you can’t collect data that you don’t need as an employer (or potential employer).
Accuracy: You must ensure personal data is correct and kept up to date where possible. If the data is inaccurate, you must destroy or rectify it.
Storage limitation: You must destroy the data if you no longer need it for the described processing purposes. For example, once you hire a person for a specific position, you must destroy the data of other candidates. An exception can be made if the data is of public interest, if you use it for scientific or historical research, or if you need it for statistical purposes, as long as you protect it adequately.
Integrity and confidentiality: You must have appropriate organizational, technical, and security measures in place to ensure data is secure. Examples include protecting data against unlawful or unauthorized processing and accidental loss, destruction, or damage.
Accountability: This principle states that you are responsible for showing that you comply with the above six principles.
The GDPR also outlines individuals’ specific rights when it comes to their data. It is your responsibility as the data controller to ensure these rights are fulfilled.
You have to tell employees, candidates, and users what data you’re collecting and how you’re processing it via a privacy notice (privacy policy).
The privacy policy must be in plain English. You can’t hide behind technical language. It must be free and easily accessible.
The user must receive this information at the time you collect their data.
You must allow users (i.e. your employees or candidates) to access the data you’ve collected about them.
If requested, you must provide:
The categories of the data being processed
A copy of the actual data
Details about the processing, such as the purpose of processing
When you have collected the data and with whom you’ve shared it
You have to provide this information free of charge and within one month of the request.
Your users have the right to rectify their data if it’s incorrect or incomplete. You must also pass this request along to any third-party processors (unless this is “impossible or disproportionately difficult”).
This must occur without delay, within one month of the user’s request (except under special circumstances), and without charge. However, there are some instances where the rectification request is considered “manifestly unfounded or excessive.” In these cases, you may request a “reasonable charge.”
Users can withdraw their consent for you to use their data and request that you erase it without delay. You must erase the data within one month of receiving the request.
There are some circumstances under which you may refuse this right, such as when:
You must retain the data to comply with a legal obligation – for employers, this might be for tax purposes
The data is necessary for legal defense
The data processing is being carried out in the public interest or for health purposes
The data is being processed for scientific research
The data is necessary to exercise the right of freedom of expression
Under certain conditions, users can request to restrict specific forms of processing of their data. This essentially means that the processing of their data stops, but you don’t erase it.
These conditions include when:
The user contests the data’s accuracy
The user objects to the processing, but your organization is considering whether it has legal grounds to continue processing (such as those mentioned in the above section)
The processing is unlawful, but the user doesn’t request erasure
The data isn’t required, but the user still needs it to establish, exercise, or defend some form of legal claim
If requested, you must provide users’ data (in a machine-readable format) to transfer from one controller to another.
You must carry out the request within one month and free of charge unless the request is “manifestly unfounded or excessive.” In this case, you may be able to charge a “reasonable fee” for the data port.
Your employees and job applicants have a right to object to any form of processing of their data.
They must state a motivation for their objection (unless the data is used for direct marketing purposes), and data processing must halt for the particular processing activities objected to until the objection has been resolved.
Your employees and candidates (and all users in the general sense) have the right not to be subjected to a decision based on automated processing or profiling.
You are allowed to carry out automated decision making if it:
Is needed for contract performance
Is authorized by the law of the applicable EU state
Doesn’t have a legal or similar effect on the user
Is based on the users’ consent
In short, if you need to make automated decisions about data, you’ll need to obtain explicit consent.
To process the data of employees and job applicants, you must be able to meet one or more legal bases for doing so.
Consent: The user has given explicit consent for at least one specific purpose. For example, when a candidate applies for a job.
Contractual obligations: Data processing is necessary for carrying out a contract in which the user is participating. For example, when a new hire signs an employment contract.
Legal obligations: Data processing is necessary to fulfill a legal obligation to which you, as the data controller, are a subject. For example, you might need to collect some data for tax purposes.
Vital interests: Data processing is necessary to protect the vital interests of the user or another person. For example, when you hire an employee, you’ll need some of their personal data to protect their interests.
Public interest: Data processing is carried out in the public interest or contained under the data controller’s official authority.
Legitimate interests: Data processing is necessary for the data controller’s legitimate interests, except where overridden by the rights, interests, and freedoms of the user (particularly when the user is a child). For example, when you sign a contract of employment with an employee.
Officially, there are two tiers of GDPR breaches, with commensurate fines for each:
Less severe: Up to €10m, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher
More severe: Up to €20m, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher
Historical GDPR fines due to non-compliance have reached some eye-watering numbers. These are some of the highest:
Amazon: $785m
Meta (for Instagram): $426m, and another nearly $1bn for other platforms, including Facebook and WhatsApp
Google: $52.6m
H&M: $36.8m
TIM: $29.3m
It pays to be compliant, doesn’t it?
Is your organization in need of a GDPR tune-up?
Follow these nine steps to make sure your business is GDPR compliant:
The GDPR applies to not only data you will collect in the future but the personal information you have already stored.
That means you’ll need to perform an audit of your existing data to document:
What kinds of data you’ve collected in the past, including of past candidates and employees
How you’re processing data
The purposes for which you’re keeping and processing the data
Be prepared to do a bit of a data cull: If there is information you’ve collected that you no longer require, you must erase it.
DPIAs are essentially risk assessment and mitigation activities.
Under the GDPR, you’re required to carry out DPIAs each time you start a new project that is “likely to involve a high risk to other people’s information,” such as implementing a new software platform.
For example, if you’re planning to use a new platform for recruitment, employee management, or performance management, you need to perform a Data Protection Impact Assessment.
That doesn’t mean you need to run DPIAs every time you collect data, but it’s good to assess any risks to the data you’re currently storing.
The GDPR states that a DPIA requires three elements:
A description of the processing operations and purposes, including your legitimate interest
An assessment of whether the processing operations are necessary and proportional to your purposes
An assessment of the risks to the rights and freedoms of individuals whose data you’ll be processing
Whenever you recruit for a new role, you capture applicants’ data as soon as they apply. That makes them the users and you the data controller. Therefore, you have an obligation to protect their privacy.
This obligation means that you need to disclose:
The types of data you’re collecting
The purposes of collection
How you intend to process the data you collect
Your privacy notice is where you communicate all this.
Exactly how to write a privacy notice is outside the scope of this article, but the GDPR provides a great rundown on this process and a free template.
You can also check out TestGorilla’s privacy policy for a real-life example.
Your privacy policy must outline the types of data you collect and for what purposes.
So, ensure that:
You don’t collect unnecessary data in your collection processes (e.g., customer forms)
Users are shown and agree to the privacy policy before you collect any data
You don’t process any data in ways other than those you describe in your policy
It’s likely that your user data is stored across a variety of locations, such as your:
CRM
Pre-employment testing platform (like TestGorilla)
Email marketing platform
HR hub
The best way to protect your user data is to assess the privacy policy of each software tool you currently use or plan to bring on board and ensure it is also compliant with the GDPR. As an EU company operating worldwide, TestGorilla is fully GDPR compliant.
To maintain compliance with GDPR rules, you’ll need to destroy any data you’ve collected once you no longer need it.
That means you can no longer process the data, pull any insights from it, or use it to manage relationships, for example with your talent pool – unless you get users’ explicit consent to stay in touch with them.
Considering the amount of some of the heftier GDPR fines, it’s probably also worth scheduling an annual or bi-annual data cull.
To uphold the GDPR’s principle of transparency, you should inform all users from whom you have collected or will collect data of which legal basis you’re using to process their information.
Chances are you’re not the only person in your organization coming into contact with user data. You are, however, responsible for the actions of everyone on your team.
To protect yourself and your company, it’s a smart idea to train your team on GDPR compliance, including:
What gives your organization the right to collect and process data
Why your business does this (the purposes outlined in your privacy policy)
What the limitations are on data collection and processing
What to do if they think your company might be in breach of the GDPR
One of the best ways to do this is to use our GDPR test to assess your employees’ current knowledge and see which areas need improvement. This will enable you to do targeted training sessions and make sure there are no knowledge gaps across your team.
When hiring for roles in which employees will handle others’ data (be it of clients or other employees), it’s also key to assess GDPR proficiency in candidates. Again, our test is particularly useful for this.
If you do happen to receive a breach notification from GDPR regulators, it’s likely to be a pretty stressful event.
You can make it a little less stressful by outlining how your business will act in such an event. Include details like:
Who is responsible for responding to the notice
How your company will investigate the breach notice
Who is responsible for rectifying the issue
What about other privacy regulations around the world?
Glad you asked.
The GDPR has set off a domino effect across the world that has resulted in the creation of similar regulations aimed at protecting individual rights and digital privacy.
Below, you’ll find a quick summary of the regulations you should be aware of. Keep in mind that you might have to comply with more than one, especially if you have a team of remote employees.
As of this writing, the California Consumer Privacy Act (CCPA) is the only US-based privacy act, though many other states are in the process of developing one following California’s legislation.
The CCPA is less intense than the GDPR and allows Californian consumers to request access to any data a company has on them and a list of the third-party businesses with whom it has shared that data.
We know – this one’s quite a mouthful.
The Protection and Electronic Documents Act (PIPEDA) is now in effect and gives Canadians certain rights regarding their data, including the following:
Generally, organizations must obtain consent to collect and process data
Typically, businesses must disclose the data they collect
Users have the right to access their personal information
Users have the right to challenge data accuracy
Organizations may only use data for the purposes for which they collected it
As you might be able to tell, the PIPEDA shares many similarities with the GDPR.
The Brazilian General Data Protection Law (LGPD) is broadly aligned with the GDPR, outlining the specific rights of users and the obligations of data controllers and processors in Brazil.
The Protection of Personal Information Act (POPIA) is similar to the GDPR, except it also extends to protect legal entities, not just individual people.
POPIA fines are much smaller than potential GDPR fines, but they largely protect the same rights.
New Zealand’s Privacy Act 2020 is a principles-based act, meaning it’s far less detailed and prescriptive than the GDPR.
Its purpose is to protect individual privacy by:
Providing a comprehensive data protection framework
Giving effect to international privacy obligations, standards, and best practices
Japan’s Act on the Protection of Personal Information (APPI) was originally put in place in 2005 but has had many amendments, especially since the initiation of the GDPR in 2018.
Employers need to be mindful of their obligations concerning:
Data access controls
Encryption requirements
Data transfers
Updates to be made to legacy systems
When you assess your GDPR compliance, one of the most important factors to consider is third-party software.
Any HR department’s tech stack nowadays consists of at least a few different applications – and each one of them is likely collecting and processing data.
So, one of the most important steps you can take today is to make sure you’re aware of the destiny of each applicant’s and employee’s data – and check whether all your software tools are GDPR-compliant.
TestGorilla is not only GDPR-compliant, but we also give you the tools to assess your future and existing employees’ knowledge of this key EU regulation with our GDPR & Privacy pre-employment test.
If you need to hire someone for a role where they’ll handle personal data of users in the European Economic Area, you can use this test as your personal cheat sheet to:
Assess their skills and make sure they know how to handle data correctly
Mitigate all unnecessary risks as an employer and make sure you’re always compliant with the GDPR
And if you need a GDPR-compliant skills-assessment platform to streamline your hiring and make it more fair and objective, TestGorilla is your best bet.
Get started with your free plan today or sign up for a free 30-minute live demo to see for yourself why more than 10,000 companies in the EU and across the entire world have chosen TestGorilla to streamline their recruitment.
Why not try TestGorilla for free, and see what happens when you put skills first.
Biweekly updates. No spam. Unsubscribe any time.
Our screening tests identify the best candidates and make your hiring decisions faster, easier, and bias-free.
This handbook provides actionable insights, use cases, data, and tools to help you implement skills-based hiring for optimal success
A comprehensive guide packed with detailed strategies, timelines, and best practices — to help you build a seamless onboarding plan.
This in-depth guide includes tools, metrics, and a step-by-step plan for tracking and boosting your recruitment ROI.
A step-by-step blueprint that will help you maximize the benefits of skills-based hiring from faster time-to-hire to improved employee retention.
With our onboarding email templates, you'll reduce first-day jitters, boost confidence, and create a seamless experience for your new hires.
Get all the essentials of HR in one place! This cheat sheet covers KPIs, roles, talent acquisition, compliance, performance management, and more to boost your HR expertise.
Onboarding employees can be a challenge. This checklist provides detailed best practices broken down by days, weeks, and months after joining.
Track all the critical calculations that contribute to your recruitment process and find out how to optimize them with this cheat sheet.