Employee referral programs & GDPR

Time to comply


In the era of the “war for talent”, employee referrals represent a measurable competitive advantage: they speed up the search for candidates and reduce the costs of hiring new employees. Referred candidates are also appointed successfully more often and provide a better cultural fit. Now an early death threatens the beautiful new world of employee referrals, as most companies are ill-prepared for the European General Data Protection Regulation (GDPR).

Each employee referral involves the processing of personal data. Often employees simply pass on a résumé of a potential candidate to the HR department. In doing so, names, addresses, personal details from a person’s professional and private life, references and much more information are circulated and processed electronically within the organization – a very pragmatic approach, but unfortunately anything but compliant with data protection law. And European legislation has become stricter in this respect since 25 May with the GDPR.


One of the most consequential GDPR provisions requires that explicit consent be obtained in advance from each person whose data is to be stored and processed. And this consent must be documented. But the tools and databases of manual, analogue referral management – oftentimes Excel sheets that serve as a basis for the HR department – are poorly suited to obtaining the agreement of the person referred. Usually the consent was at best implicit, which would not satisfy the documentation obligations under the GDPR. When referrals are managed manually, it is also difficult to apply the GDPR principle of limiting the amount of data that is processed and stored. This central provision of the new legislation means that the data of the person concerned may be stored only for as long as is necessary for the purpose of the processing.

The traditional analogue employee referral program has thus come to an end. The inherent legal and financial risks for companies and recruiters are too big, since it is not only the requirements that are increasing but also the magnitude of the potential sanctions: instead of mere warnings and relatively small financial penalties, the new European data protection framework provides for penalties that could threaten a company’s existence. Up to 20 million Euro – or four percent of total worldwide annual turnover in the previous business year – are at stake.


Despite the legal turbulence, companies will not and do not want to give up employee referrals in times of skills shortage and the war for talent. The good news: they shouldn’t. And they don’t have to. Instead, they should pursue a professional and digital approach. Nowadays there are intuitive, cloud-based tools (such as Talentry) that digitize analogue employee referral programs, ready for immediate use and GDPR-compliant in every respect.

Talentry’s referral process ensures that candidates give the necessary consent to the processing of their personal data via a checkbox, and that this consent is documented and recorded in an auditable way. Inactive records – a breach of the GDPR principle of restricting data storage – do not occur. Once data is no longer needed, it is erased according to a transparent and automatic system.

That said, the new EU data protection regulation is actually good news for HR and recruiting. It triggers greater professionalization of employee referral programs and drives further digitization of recruiting processes.

Would you like to learn more about why analogue employee referral programs no longer comply with data privacy regulations – and how a digital employee referral platform can help?