Are Your Reference Checks GDPR Compliant?
If you're hiring in the UK or EU, GDPR compliance isn't optional — it's the law. And reference checks are one of the most common areas where HR teams accidentally slip up.
Think about it: you’re collecting personal data (emails, names, employment history) from referees who may not have explicitly consented. If that data isn’t handled properly, you could face not just fines but also reputational risk.
Common GDPR Risks in Reference Checks
- Contacting referees without candidate consent.
- Collecting excessive personal data from referees.
- Storing reference data in unsecured formats (like spreadsheets or email).
- Sharing reference feedback with unauthorized team members.
What GDPR-Compliant Reference Checks Look Like
- Candidate consent first: Always get written approval before contacting referees.
- Minimal data: Collect only what’s necessary for the check.
- Secure storage: Use encrypted, access-controlled systems.
- Transparency: Clearly explain how data will be used and stored.
- Anonymization options: In some cases, anonymized referee responses help reduce bias and improve privacy.
Why This Matters to Recruiters
Non-compliance can lead to fines of up to €20M or 4% of global turnover under GDPR rules. But beyond the legal risks, a compliant reference process makes you look professional and trustworthy to both candidates and referees.
Start reference checking with Hirescan
Automate your candidate screening with structured reference checks, fraud detection, and instant risk scoring. Cut hiring delays from weeks to days and make better hiring decisions with confidence.
Email: support@hirescan.co
Sign up: https://www.hirescan.co/signup
Submit your first candidate in minutes.
FAQ
Do I need candidate consent before contacting referees? Yes. GDPR requires clear candidate approval before any referee outreach.
How should reference data be stored? It should be encrypted, stored securely, and only accessible to authorized HR staff.
What is considered personal data under GDPR? Anything identifiable — names, emails, employment history, even written feedback.
Can referees remain anonymous? Yes, some systems allow anonymization, which improves compliance and reduces bias.