A guide to the GDPR for employers: How to be GDPR compliant

We get it. The GDPR is more than a little confusing – and many employers struggle to make sense of it. 

Most of us know roughly what it is: Doing right by your customers, users, employees, and candidates when handling their information. 

But what does it mean in practice and how can you make sure you’re GDPR compliant when hiring new people or handling your employees’ data? 

This is where things become tricky. 

And for a good reason – the GDPR, or the General Data Protection Regulation, is complex. There’s a lot of jargon in there, and it’s not exactly the most concise of documents. 

Still, if you have responsibilities that involve data collection – as is very often the case in HR and recruitment – it’s not something you can plead ignorance to.

But fret not; we’re going to break down all those terms and requirements in simple language and provide a comprehensive guide to the GDPR for employers, so that you know exactly what to do with your employees’ and candidates’ data. And not risk a costly lawsuit.

What is the GDPR – and why should employers care? 

The GDPR (General Data Protection Regulation) is an EU legislation that aims to protect the rights of individuals whose personal data is being collected and processed.

It explains what companies can and can’t do when collecting, storing, and processing data of their users, customers, employees, and job applicants in the European Union and the European Economic Area. 

It also outlines EU citizens’ rights when someone collects, stores, and processes their personal data. Employers and recruiters often need to collect personal data, which makes it crucial to stay GDPR compliant if you have employees in the EU. 

The GDPR came into force on May 25, 2018, and overhauled many European data privacy laws that had been in place since the 1990s. It is widely considered the world’s strongest set of data protection rules. 

It has also informed several other data protection laws, such as the California Consumer Privacy Act.

Since the GDPR is European legislation, it raises a fair question:

Where does the GDPR apply? 

The GDPR applies to all countries in the European Union (EU) and the European Economic Area (EEA). It also allows countries to make small changes to suit their own requirements. 

This flexibility led the UK to create the Data Protection Act 2018, superseding the previous act from 1998. Although the GDPR is no longer applicable in the UK since the UK left the EU in 2020, the Data Protection Act 2018 still is. It’s often referred to as the UK GDPR.

By now, you’re probably wondering: Does the GDPR still apply to employers in the US and the rest of the world? 

In short, yes, but not in all situations.

Let’s break that down.

The EEA GDPR (the original GDPR) applies specifically to the 27 members of the EU and all countries in the EEA (European Economic Area), which include Iceland, Norway, and Liechtenstein.

The GDPR applies to you as an employer: 

• If your business is based in the EEA, regardless of where you process customer data

• If your business is based in the US or another country and if you do both of the following: 

1. Offer goods and services to people in the EEA or hire citizens of any country of the EEA, and

2. Monitor your website visitors’ online behavior

If you’re based in the UK, follow the UK GDPR guidelines.

If you only sell to customers or have employees in the US (or other countries outside the EEA), then you don’t have to comply with the GDPR. Still, you may need to abide by local regulations. Skip ahead to our breakdown of other countries’ privacy regulations to learn more.

Understanding the GDPR for employers

The official GDPR document is huge, with more than 250 pages and 99 individual articles.

We know you’re not going to read that whole thing (and who could blame you?), so let’s break it down into the following five parts and go through the Cliffs Notes version of the GDPR for employers: 

1. Important GDPR definitions and concepts

2. The 7 key GDPR principles

3. The 8 GDPR rights for individuals

4. The 6 lawful bases to process data

5. Fines for GDPR breaches

Important GDPR definitions and concepts

Before we dive deeper, it’s important to understand some key terms used in the GDPR:

User

Users (also referred to as data subjects) are the individuals whose data is collected and processed. In most cases, these are your customers, but for employers, this term also extends to employees and job applicants. 

Data controller

A data controller is a person or legal entity involved in deciding how personal data will be processed. As an entity, this is your company, and as a person, it’s likely to be your chief technology officer (CTO).

Data processor

A data processor is a person or legal entity who is involved in processing the data on behalf of the data controller. This might be the same business if you’re processing data in-house. Larger organizations often contract third-party suppliers to process data. In this case, your business is still the data controller, but the supplier is the data processor.

Personal data

Personal data refers to the users’ details you capture. The GDPR specifically defines personal data as being from an “identified or identifiable natural person,” which is someone who can be identified by referring to details like:

• Name

• Phone number

• Personal identification numbers

• Date of birth

• Address

• Online identifiers, like an IP address

Processing

Data processing is any operation performed on personal data, including activities like:

• Collection

• Storage 

• Organization

• Dissemination 

Pseudonymization 

Say that five times fast.

Pseudonymization is a way of processing data so that it can’t be attached to a specific user without additional identifiers. Personally identifiable information is replaced with artificial identifiers or pseudonyms to protect users’ anonymity. 

The 7 key GDPR principles for employers

The GDPR is underpinned by seven core principles related to collecting and processing personal data: 

1. Lawfulness, fairness, and transparency: This principle is pretty straightforward. As a data controller, you must process your employees’ and candidates’ personal data in a way that is fair, transparent, and compliant with the law.

2. Purpose limitation: You should only collect personal data for legitimate and specific purposes. That means you can’t collect data just because you can, and you can’t process data for any reason other than what you specify when you collect it.

3. Data minimization: That the data you collect needs to be relevant, adequate, and limited to the purposes you’ve stated. Basically, you can’t collect data that you don’t need as an employer (or potential employer).

4. Accuracy: You must ensure personal data is correct and kept up to date where possible. If the data is inaccurate, you must destroy or rectify it.

5. Storage limitation: You must destroy the data if you no longer need it for the described processing purposes. For example, once you hire a person for a specific position, you must destroy the data of other candidates. An exception can be made if the data is of public interest, if you use it for scientific or historical research, or if you need it for statistical purposes, as long as you protect it adequately. 

6. Integrity and confidentiality: You must have appropriate organizational, technical, and security measures in place to ensure data is secure. Examples include protecting data against unlawful or unauthorized processing and accidental loss, destruction, or damage.

7. Accountability: This principle states that you are responsible for showing that you comply with the above six principles.

The 8 GDPR rights for individuals

The GDPR also outlines individuals’ specific rights when it comes to their data. It is your responsibility as the data controller to ensure these rights are fulfilled.

1. The right to be informed 

You have to tell employees, candidates, and users what data you’re collecting and how you’re processing it via a privacy notice (privacy policy).

The privacy policy must be in plain English. You can’t hide behind technical language. It must be free and easily accessible.

The user must receive this information at the time you collect their data.

2. The right of access 

You must allow users (i.e. your employees or candidates) to access the data you’ve collected about them.

If requested, you must provide:

• The categories of the data being processed

• A copy of the actual data

• Details about the processing, such as the purpose of processing

• When you have collected the data and with whom you’ve shared it

You have to provide this information free of charge and within one month of the request.

3. The right to rectification 

Your users have the right to rectify their data if it’s incorrect or incomplete. You must also pass this request along to any third-party processors (unless this is “impossible or disproportionately difficult”).

This must occur without delay, within one month of the user’s request (except under special circumstances), and without charge. However, there are some instances where the rectification request is considered “manifestly unfounded or excessive.” In these cases, you may request a “reasonable charge.”

4. The right to erasure 

Users can withdraw their consent for you to use their data and request that you erase it without delay. You must erase the data within one month of receiving the request.

There are some circumstances under which you may refuse this right, such as when:

• You must retain the data to comply with a legal obligation – for employers, this might be for tax purposes

• The data is necessary for legal defense

• The data processing is being carried out in the public interest or for health purposes

• The data is being processed for scientific research

• The data is necessary to exercise the right of freedom of expression

5. The right to restrict processing 

Under certain conditions, users can request to restrict specific forms of processing of their data. This essentially means that the processing of their data stops, but you don’t erase it.

These conditions include when:

• The user contests the data’s accuracy

• The user objects to the processing, but your organization is considering whether it has legal grounds to continue processing (such as those mentioned in the above section)

• The processing is unlawful, but the user doesn’t request erasure

• The data isn’t required, but the user still needs it to establish, exercise, or defend some form of legal claim

6. The right to data portability 

If requested, you must provide users’ data (in a machine-readable format) to transfer from one controller to another.

You must carry out the request within one month and free of charge unless the request is “manifestly unfounded or excessive.” In this case, you may be able to charge a “reasonable fee” for the data port.

7. The right to object 

Your employees and job applicants have a right to object to any form of processing of their data.

They must state a motivation for their objection (unless the data is used for direct marketing purposes), and data processing must halt for the particular processing activities objected to until the objection has been resolved.

8. Rights in relation to automated decision-making and profiling 

Your employees and candidates (and all users in the general sense) have the right not to be subjected to a decision based on automated processing or profiling.

You are allowed to carry out automated decision making if it:

• Is needed for contract performance

• Is authorized by the law of the applicable EU state

• Doesn’t have a legal or similar effect on the user

• Is based on the users’ consent

In short, if you need to make automated decisions about data, you’ll need to obtain explicit consent.

The 6 lawful bases to process data (for employment purposes)

To process the data of employees and job applicants, you must be able to meet one or more legal bases for doing so.

1. Consent: The user has given explicit consent for at least one specific purpose. For example, when a candidate applies for a job.

2. Contractual obligations: Data processing is necessary for carrying out a contract in which the user is participating. For example, when a new hire signs an employment contract.

3. Legal obligations: Data processing is necessary to fulfill a legal obligation to which you, as the data controller, are a subject. For example, you might need to collect some data for tax purposes.

4. Vital interests: Data processing is necessary to protect the vital interests of the user or another person. For example, when you hire an employee, you’ll need some of their personal data to protect their interests. 

5. Public interest: Data processing is carried out in the public interest or contained under the data controller’s official authority. 

6. Legitimate interests: Data processing is necessary for the data controller’s legitimate interests, except where overridden by the rights, interests, and freedoms of the user (particularly when the user is a child). For example, when you sign a contract of employment with an employee. 

Fines for GDPR breaches 

Officially, there are two tiers of GDPR breaches, with commensurate fines for each:

1. Less severe: Up to €10m, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher

2. More severe: Up to €20m, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher

Historical GDPR fines due to non-compliance have reached some eye-watering numbers. These are some of the highest: 

• Amazon: $785m

• Meta (for Instagram): $426m, and another nearly $1bn for other platforms, including Facebook and WhatsApp

• Google: $52.6m

• H&M: $36.8m

• TIM: $29.3m

It pays to be compliant, doesn’t it?

How to be GDPR compliant as an employer: 9 best practices

Is your organization in need of a GDPR tune-up?

Follow these nine steps to make sure your business is GDPR compliant: 

1. Perform a data audit to map your recruitment and employee data 

The GDPR applies to not only data you will collect in the future but the personal information you have already stored.

That means you’ll need to perform an audit of your existing data to document:

• What kinds of data you’ve collected in the past, including of past candidates and employees

• How you’re processing data

• The purposes for which you’re keeping and processing the data

Be prepared to do a bit of a data cull: If there is information you’ve collected that you no longer require, you must erase it.

2. Run Data Protection Impact Assessments (DPIAs)

DPIAs are essentially risk assessment and mitigation activities.

Under the GDPR, you’re required to carry out DPIAs each time you start a new project that is “likely to involve a high risk to other people’s information,” such as implementing a new software platform. 

For example, if you’re planning to use a new platform for recruitment, employee management, or performance management, you need to perform a Data Protection Impact Assessment.

That doesn’t mean you need to run DPIAs every time you collect data, but it’s good to assess any risks to the data you’re currently storing.

The GDPR states that a DPIA requires three elements:

1. A description of the processing operations and purposes, including your legitimate interest

2. An assessment of whether the processing operations are necessary and proportional to your purposes

3. An assessment of the risks to the rights and freedoms of individuals whose data you’ll be processing

3. Update your privacy notices for recruiting and hiring

Whenever you recruit for a new role, you capture applicants’ data as soon as they apply. That makes them the users and you the data controller. Therefore, you have an obligation to protect their privacy.

This obligation means that you need to disclose: 

• The types of data you’re collecting

• The purposes of collection

• How you intend to process the data you collect

Your privacy notice is where you communicate all this.

Exactly how to write a privacy notice is outside the scope of this article, but the GDPR provides a great rundown on this process and a free template.

You can also check out TestGorilla’s privacy policy for a real-life example.

4. Plan to collect the minimum amount of information, get consent, and use it fairly

Your privacy policy must outline the types of data you collect and for what purposes.

So, ensure that:

• You don’t collect unnecessary data in your collection processes (e.g., customer forms)

• Users are shown and agree to the privacy policy before you collect any data

• You don’t process any data in ways other than those you describe in your policy 

5. Protect all personal data with advanced security systems 

It’s likely that your user data is stored across a variety of locations, such as your:

• CRM

• Pre-employment testing platform (like TestGorilla)

• Email marketing platform

• HR hub

• Applicant tracking system (ATS)

The best way to protect your user data is to assess the privacy policy of each software tool you currently use or plan to bring on board and ensure it is also compliant with the GDPR. As an EU company operating worldwide, TestGorilla is fully GDPR compliant.

6. Get rid of personal data once you don’t need it anymore

To maintain compliance with GDPR rules, you’ll need to destroy any data you’ve collected once you no longer need it.

That means you can no longer process the data, pull any insights from it, or use it to manage relationships, for example with your talent pool – unless you get users’ explicit consent to stay in touch with them. 

Considering the amount of some of the heftier GDPR fines, it’s probably also worth scheduling an annual or bi-annual data cull.

7. Inform employees and candidates of the legal basis you’re using to process data

To uphold the GDPR’s principle of transparency, you should inform all users from whom you have collected or will collect data of which legal basis you’re using to process their information.

8. Train your staff on GDPR compliance 

Chances are you’re not the only person in your organization coming into contact with user data. You are, however, responsible for the actions of everyone on your team.

To protect yourself and your company, it’s a smart idea to train your team on GDPR compliance, including:

• What gives your organization the right to collect and process data

• Why your business does this (the purposes outlined in your privacy policy)

• What the limitations are on data collection and processing

• What to do if they think your company might be in breach of the GDPR

One of the best ways to do this is to use our GDPR test to assess your employees’ current knowledge and see which areas need improvement. This will enable you to do targeted training sessions and make sure there are no knowledge gaps across your team. 

When hiring for roles in which employees will handle others’ data (be it of clients or other employees), it’s also key to assess GDPR proficiency in candidates. Again, our test is particularly useful for this. 

9. Put a plan in place for data breach notifications

If you do happen to receive a breach notification from GDPR regulators, it’s likely to be a pretty stressful event.

You can make it a little less stressful by outlining how your business will act in such an event. Include details like:

• Who is responsible for responding to the notice

• How your company will investigate the breach notice

• Who is responsible for rectifying the issue

Other countries’ privacy regulations for employers

What about other privacy regulations around the world? 

Glad you asked.

The GDPR has set off a domino effect across the world that has resulted in the creation of similar regulations aimed at protecting individual rights and digital privacy.

Below, you’ll find a quick summary of the regulations you should be aware of. Keep in mind that you might have to comply with more than one, especially if you have a team of remote employees.

The California Consumer Privacy Act (CCPA) 

As of this writing, the California Consumer Privacy Act (CCPA) is the only US-based privacy act, though many other states are in the process of developing one following California’s legislation.

The CCPA is less intense than the GDPR and allows Californian consumers to request access to any data a company has on them and a list of the third-party businesses with whom it has shared that data.

Canada’s Protection and Electronic Documents Act (PIPEDA)

We know – this one’s quite a mouthful.

The Protection and Electronic Documents Act (PIPEDA) is now in effect and gives Canadians certain rights regarding their data, including the following:

• Generally, organizations must obtain consent to collect and process data

• Typically, businesses must disclose the data they collect

• Users have the right to access their personal information

• Users have the right to challenge data accuracy

• Organizations may only use data for the purposes for which they collected it

As you might be able to tell, the PIPEDA shares many similarities with the GDPR.

The Brazilian General Data Protection Law (LGPD) 

The Brazilian General Data Protection Law (LGPD) is broadly aligned with the GDPR, outlining the specific rights of users and the obligations of data controllers and processors in Brazil.

South Africa’s Protection of Personal Information Act (POPIA) 

The Protection of Personal Information Act (POPIA) is similar to the GDPR, except it also extends to protect legal entities, not just individual people.

POPIA fines are much smaller than potential GDPR fines, but they largely protect the same rights.

New Zealand’s Privacy Act 2020 

New Zealand’s Privacy Act 2020 is a principles-based act, meaning it’s far less detailed and prescriptive than the GDPR.

Its purpose is to protect individual privacy by:

• Providing a comprehensive data protection framework

• Giving effect to international privacy obligations, standards, and best practices

Japan’s Act on the Protection of Personal Information (APPI) 

Japan’s Act on the Protection of Personal Information (APPI) was originally put in place in 2005 but has had many amendments, especially since the initiation of the GDPR in 2018.

Employers need to be mindful of their obligations concerning:

• Data access controls

• Encryption requirements

• Data transfers 

• Updates to be made to legacy systems 

Make sure you’re GDPR compliant as an employer by using the right software

When you assess your GDPR compliance, one of the most important factors to consider is third-party software. 

Any HR department’s tech stack nowadays consists of at least a few different applications – and each one of them is likely collecting and processing data. 

So, one of the most important steps you can take today is to make sure you’re aware of the destiny of each applicant’s and employee’s data – and check whether all your software tools are GDPR-compliant. 

TestGorilla is not only GDPR-compliant, but we also give you the tools to assess your future and existing employees’ knowledge of this key EU regulation with our GDPR & Privacy pre-employment test. 

If you need to hire someone for a role where they’ll handle personal data of users in the European Economic Area, you can use this test as your personal cheat sheet to: 

• Assess their skills and make sure they know how to handle data correctly

• Mitigate all unnecessary risks as an employer and make sure you’re always compliant with the GDPR

And if you need a GDPR-compliant skills-assessment platform to streamline your hiring and make it more fair and objective, TestGorilla is your best bet. 

Get started with your free plan today or sign up for a free 30-minute live demo to see for yourself why more than 10,000 companies in the EU and across the entire world have chosen TestGorilla to streamline their recruitment.