Learn more about one of the biggest issues in HR technology today and how Hollaroo can help you meet the challenge

The business world is talking about the importance of the General Data Protection Regulation (or the GDPR), but few companies really understand the implications of non-compliance. We believe it's our role to help educate organisations about the actions they need to take to ensure they are GDPR compliant.

Here we cover the specific case of employee referrals, which is complex because we are dealing with three parties: the organisation, the referring person and the referred person. It is also a process which has often been managed on a rather ad-hoc basis.

Typical employee referral schemes

Employee referral schemes are consistently recognised as one of the best sources of hire but are often run in a rather haphazard manner by organisations. There are two processes that need to be managed: 1) promotion of the scheme to ensure employees are always involved and 2) tracking and processing of referrals.

From a GDPR perspective, promotion of the scheme will be covered by the employee-employer relationship. Tracking and processing of referrals, however, brings a third, external, person into the mix and, therefore, adds new responsibilities. Although a huge range of methods is used, these can typically be put into one of four categories:

Manual Process

This is the most common process: an employee obtains a person’s CV somehow and either emails it or gives a paper copy to someone in HR or their line manager. This is then recorded so, if that person is hired, the referrer can be recognised. Not only is this an insecure way of handling someone's data, but people get lost in the process and there is no way to resolve disputes where, for example, two people refer the same person.

Email job to a friend

Typically offered by your ATS or other job publishing system so an employee can send a link to a job to someone else. This is sometimes a one-off process, where nothing is stored, or the process is tracked so you can see who responds to the email. If the process is not tracked you then rely on the applicant to identify the referring person as part of the selection process, which is open to abuse and dispute.

Upload CV or link to person

With a dedicated system (or as part of another recruitment system) an employee can upload another person’s CV so it becomes visible to recruiters for marketing purposes. Another approach is to upload links to individuals (for example, LinkedIn connections). It should be noted that, with GDPR, even links are considered personal information. Although this now tracks a referred person from the point of introduction, there is no element of consent before marketing activities commence.


With Hollaroo Refer, employees identify potential talent and invite them to your private network. The person decides whether to join, has visibility and control over their data and decides how to interact with the organisation. The scheme promotion process is entirely automated and, because it is not tied to live vacancies, ensures a constant stream of high-quality candidates.

How these methods are affected by GDPR

As you will recall from our introduction to the GDPR, the regulations cover three key principles: privacy by design, lawful processing and individual rights.

Privacy by design

In all cases (with the possible exception of "email a friend" depending on how that is managed) you will be storing personal data so you need to be able to show you are taking data privacy seriously. Most manual methods (spreadsheets, email inboxes etc) will not be compliant so will need to be replaced. If you are using a 3rd-party system to store your data you need to work with them to audit and document the compliance.

Lawful processing

Until the referred person enters the application process this will be considered a marketing activity, so the lawful basis for processing will be obtaining consent from the person. As well as obtaining consent, you need to be able to keep a record of it and provide an easy way for consent to be withdrawn. Often, with the manual process and uploads of candidates, the first time they know is when they are approached by a recruiter. Not only does this give a bad impression, but it will also leave you open to legal challenge.

Individual rights

As with all passive candidates, the referred person needs to be aware you have their data, be able to view and amend it, and be able to ask for the data to be removed or made available for export. Most referral processes don't consider this at all, so managing requests will be very complicated and time consuming. The recommendation from the legislation is to give users access to a secure system where they can manage their own data.
