GDPR Compliance: How BambooHR Protects Privacy

March 22, 2018

BambooHR is pleased to announce that its systems and processes are compliant with the new General Data Protection Regulation (GDPR).  (GDPR is the new standard in the European Union (EU) governing the privacy and data protection of EU residents. This new standard goes into effect on May 25, 2018.) This means that, BambooHR stands ready to support and assist its clients who have employees residing in the EU as they also meet their own obligations under the GDPR.

What is GDPR Compliance

In response to the public’s growing concern about privacy, the European Parliament adopted the GDPR to replace an outdated data protection directive from 1995. GDPR establishes more stringent requirements for businesses to protect the personal data and privacy of citizens of the European Union and the European Economic Area (EEA). The regulation applies for transactions that occur within EU member states, as well as the transfer of personal data outside the EU and EEA areas.

GDPR is not optional, and any company that does comply faces the threat of large fines, depending on the severity and circumstances of the violation. These fines can be as steep as 4 percent of annual global revenue or up to €20 million. Every organization that does business in Europe or with EU or EEA citizens must ensure that they are following GDPR guidelines; non-compliance could cost them greatly.

To comply with GDPR, companies who have EU based employees need to comply with the following important requirements:

  • Obtain consent to collect and process personal information
  • Protect personal data
  • Control access to personal data
  • Provide the option to erase personal data
  • Inform customers of data breaches

GDPR Compliance for US Companies

Even though the GDPR is an EU law, it also requires companies outside the European Union to safeguard personal data. Any company in the U.S. who collects personal data of people in the EU is required to comply with the GDPR. Personal data could be email addresses in a marketing list or IP addresses of those who visit your site. Therefore, U.S. companies whose website, products, or services are available to EU citizens should become GDPR compliant.

For many companies, the implementation of the GDPR may require extensive changes to business practices and can impact Finance, HR, Customer Support, Marketing, and Sales departments. Businesses who work with partners will also have to ensure that these vendors are GDPR-compliant because they will be held partly accountable if partners violate GDPR guidelines.

Some specific steps for U.S. companies to take beyond the normal GDPR measures, according to the official GDPR site, include:

  • Conduct an information audit to confirm whether your company processes EU personal data
  • Inform customers about how and why you’re processing their data
  • Assess your data processing and improve protection
  • Make sure you have a data processing agreement with third-party vendors
  • Appoint a data protection officer (if necessary)
  • Designate a representative in the European Union
  • Design a strategy on what to do if there is a data breach
  • Comply with cross-border transfer laws (if applicable)

How BambooHR Handles GDPR for HR Professionals

BambooHR is staying ahead of the GDPR changes, both in its role as a data processor and in support of data controllers. BambooHR’s efforts include:

  • Providing a great software platform that allows client companies to comply with the GDPR requirements while still having a great experience.
  • Deploying industry-standard technical processes and procedures that protect data, both when it is in transmission and while we are hosting it. BambooHR demonstrates our compliance with these critical requirements through our annual SOC II audit by an independent auditing firm.
  • Providing a hosting center and data collection network within the EU. We selected world-class service providers for these critical processes: Rackspace and Amazon Web Services. Their stringent standards for data protection and security made them our choice for all of our customer data, including customers in the United States and the EU.
  • Working with EU and U.S. legal counsel to develop a Data Processing Agreement (DPA) that complies fully with the GDPR. This DPA, which will be the contract with all clients who are data controllers under the GDPR, also incorporates the European Model Clauses, also known as the Standard Contractual Clauses. (The Model Clauses were approved by the European Commission and are the industry standard for when personal data is transferred outside of the European Economic Area.)
  • Being certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. This certification also ensures that we comply with data protection requirements when transferring personal data from the EU and Switzerland to the United States.
  • Ensuring that we recognize that our clients own their data and that we process that data only in accordance with their instructions. This acknowledgment is recognized in our Terms of Service and Privacy Policy found at and, respectively. Our Privacy Policy is incorporated into our Terms of Service and our Terms of Service is our contract with every client.
  • Following the GDPR definition of acceptable timelines when processing client data requests, whether it’s gathering consent, providing access, or erasing data. We will also provide prompt notification in the event of a data breach.
  • Staying abreast of continuing GDPR developments and guidance, to support our clients’ compliance efforts.


See how our software can benefit your HR needs


What You Can Do to Protect Your GDPR HR Data

While it’s always a great time to think about improving data security, the GDPR deadline provides a good target for reviewing your organization’s privacy and security policies and evaluating how you put them into practice. While BambooHR has yet to have a data breach from hacking, there have been instances where individual customers have been careless with their login credentials or access permissions.

HR watchdog protecting employees

The best protection of personal information comes from a combination of continuously updated technology, thorough training for HR employees who handle and have access to personal data, and seamless communication about new requirements. BambooHR addresses each of these concerns with our features and support, and we will continue to support our clients as regulations evolve.

For more information on the upcoming GDPR changes, visit the official EU homepage.

HR insights delivered to your inbox.

Get caught up every month on all things HR. Don't worry, we promise we won't spam you.

Brian Anderson

Brian Anderson expertly decodes all things HR, drawing on a decade of technical writing in the business organization industry to provide editorial support to internal and external learning programs at BambooHR. His writing explores the different motivations that shape the employee experience and the psychology of human resources.