What does GDPR mean for you?


The General Data Protection Regulation (GDPR) is in force in Europe from 25 May 2018. It is about strengthening and unifying data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU, enforces penalties for breaches and defines stronger conditions for consent.


GDPR applies not only to organizations based within the EU but also to those that are tracking the personal data of staff located in the EU. Sanctions for non-compliance have increased substantially, with fines of up to either €20,000,000 or 4% of global turnover, whichever is higher.


For more background information on GDPR, please refer to the OrangeHRM white paper located here.


Impact of the GDPR on HR?

The GDPR will have a massive effect on HR departments. The reason GDPR is such a widespread topic of discussion at the moment is that it will fundamentally change how organizations can handle personal data, including their employees' personal data. The main changes are around access, deletion and control rights, as well as new requirements around reporting a data breach. As well as data protection, the GDPR also covers data collection, with companies being restricted from collecting certain information, including health, biometric, and genetic information.


For those working in HR, this means a rethink about how personal data is collected, processed and stored. Data protection issues have an impact on most HR activities, from how employee information is handled to how companies handle recruitment and employee terminations.


While compliance is a top priority for many organizations in Europe and beyond, only fifteen percent of the companies surveyed by Deloitte are prepared to manage the change by May 2018, with the majority instead targeting a risk-based, defensible position.


Human resource software, especially cloud solutions, can be immensely helpful in ensuring that your organization complies with GDPR. This is why organizations are moving to enterprise HR solutions such as OrangeHRM.


How does OrangeHRM help you accomplish GDPR compliance?

Many organizations maintain employee data in spreadsheets and legacy systems. In such environments, it is difficult to track where data is located, and to audit who has accessed the data in each system. Bringing these disparate systems into a GDPR framework is nearly impossible.


From the start, OrangeHRM has provided all customers with an extensive range of data protection capabilities, including role-based access control, data encryption, tools to publish corporate policies, data management with extensive audit logs, an employee self-service section for users to manage their own information, and many other advanced features.



The latest version of OrangeHRM provides you with the right software capabilities for GDPR compliance. Specific capabilities include:

  • A newly introduced maintenance section in the Admin module will allow you to purge terminated employees and candidates from the entire system, including audit trails.

  • Job application consent where you can outline your data policy and require explicit permission before allowing a candidate to apply.

In addition to the software improvements, we have processes and technological solutions to securely manage personal information. These include utilities to securely transfer data files between customers and OrangeHRM, and updated privacy policies and data protection agreements with vendors. You can contact the OrangeHRM data protection officer for any clarification through dpo@orangehrm.com.


OrangeHRM SaaS infrastructure is managed by Rackspace. They maintain various certifications that assist us in verifying the various security policies and processes and facilitate GDPR compliance. Rackspace has been assessed and holds validation for the following compliance frameworks:


  • ISO 27001 - Rackspace's ISO 27001 certified Information Security Management System (ISMS) is an iterative management system that helps ensure security policies and processes are effective in mitigating identified risks. The ISMS at Rackspace certifies the management of information security in the operations of their data center facilities.

  • SSAE 16 and ISAE 3402 (previously SAS 70 Type II) - Rackspace's Type II SOC report can be used to satisfy requirements under both the SSAE 16 and ISAE 3402 standards. This report contains a description of the controls in place and the auditor's informed opinion of how effective the controls were during the audit period.

  • PCI DSS - A qualified security assessor (QSA) validates Rackspace as a PCI DSS Level 1 service provider. It covers:

    • Physical security for data centers.

    • Network infrastructure.

    • Rackspace employee access to network devices.

In addition, OrangeHRM conducts biannual audits on all the production servers to make sure they are aligned with OrangeHRM corporate security standards.


We recognize that our clients own their data and that we process that data only in accordance with their instructions. This acknowledgment is further elaborated in our Privacy Policy and Service Privacy Policy.


What can you do to protect your data?

You (the data controller) are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Your obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimization, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.

You should also seek independent legal advice relating to your status and obligations under the GDPR, as only a lawyer can provide you with legal advice specifically tailored to your situation.

As a customer of OrangeHRM, please consider these generic tips to get started with GDPR.

  • Familiarize yourself with the provisions of the GDPR, particularly how they may differ from your current data protection obligations.

  • Consider creating an updated inventory of personal data that you handle.  

  • Review your current controls, policies, and processes to assess whether they meet the requirements of the GDPR, and build a plan to address any gaps.

  • Consider how you can leverage the existing data protection features on OrangeHRM as part of your own regulatory compliance framework.  

Together, the OrangeHRM service gives customers the peace of mind that they’re managing their business with the industry’s most results-driven, passionate HR software. They’re in safe hands.