Many have been challenged by this famous four-letter acronym, but the HRnest team showed considerable courage by asking me to analyze their product in light of the EU's General Data Protection Regulation (GDPR). Along the way, we decided it would be worthwhile to share the steps of that analysis of their own tool. Hence this post: read on for the outcome of the evaluation and for the aspects of data protection that deserve attention.
At first glance
Where did I begin my journey through the forest of legal GDPRhododendrons? Naturally, with the website. Although… not the one you're currently on. I started by digging into its behind-the-scenes elements. With a tool such as BuiltWith you can list a site's "ingredients": the CMS, plugins, analytics and third-party scripts it loads. By the way, try it on your own site, especially if it's been around for years – you might be surprised at how many unnecessary tools are still embedded there.
And at HRnest? Everything on the BuiltWith list is in use and has a justification, though not everyone will recognize terms like WordPress or JSON. One entry that stands out is "GDPR". It refers to the cookie banner plugin, which brings us to our next topic: cookies.
The banner complies with GDPR – first, it lets me review the cookies the site may store on my computer. Second, that list matches the components actually found with tools like BuiltWith. Most importantly, I can refuse specific cookie purposes I don't agree to.
What’s next? Instead of browsing the site like a typical user, I dive straight into looking for gaps – starting with sections like the privacy policy or informational clauses. “Unfortunately,” I haven’t seen documents crafted with such honesty and clarity in a long time. It’s almost a shame I can’t claim credit for their authorship. I do have my suspicions about who might be behind them… but more on that in a moment.
For now, let's focus on the document analysis. The documents provide more than just the basics (e.g., HRnest's full name and address). They clearly state the legal basis, purpose and duration of data processing, as well as whose data is concerned. There's little to criticize – they even explain how to exercise my GDPR rights, such as requesting access to my data or its deletion. I also learn which external entities the company shares data with.
As for the author, it might very well be a certain Data Protection Officer (DPO). HRnest has appointed one, and that’s a smart move. This person oversees internal documentation and procedures, ensures the team is trained, and serves as the contact point for individuals whose data is processed. Through the DPO’s email, I can exercise my rights or ask for further details.
From the inside
Since I've already mentioned it, let's talk about those "internal procedures and documents." Many people tend to forget that "GDPR compliance on the website" is a convenient phrase but doesn't cover the full scope – nor is it where compliance starts. Policies and consent checkboxes should be the outermost layer, a public summary of the internal procedures and principles behind them.
So, during my review, I went deeper. For example, I visited the company’s office. Officially, I was there to record a video with Marek, but truthfully, I was on the lookout for loopholes. I found none. First, they cleverly recorded in a dedicated room without access to sensitive data. Second, they kept a close eye on me. Even if they hadn’t (I did try to slip away under the pretense of needing the restroom!), every room required access permissions, and there were no stacks of papers or printers spewing personal data lying around. Simply put, there was nothing to dig through.
As I learned – though I won't reveal too much, just highlight the essentials – the team is trained on GDPR and regularly refreshes their knowledge. Internal documents are in place, including a record of processing activities, a procedure for handling data breaches, and much more. Most importantly (and here I really emphasize discretion), access to each category of data is tightly restricted, for internal employees as well as external parties.
Using the tool
Now, for the final aspect – by no means the least important: what about data protection when your company simply uses a tool? After all, it inherently involves storing employee data. But how did that data get there in the first place?
Your company remains the data controller for your employees' information. HRnest, on the other hand, acts as a data processor: it processes the data on your company's instructions under a data processing agreement, in which it commits to safeguarding it. This is done in line with the principles I've already mentioned regarding internal documentation.
But what happens with GDPR compliance when you, for instance, submit a request via the platform? Or when you're the recipient of such a request? First off, getting access isn't as simple as it may seem. You log in with two-factor authentication, so a stolen password alone is not enough for an unauthorized person to get in. You provide only the information the request needs – nothing more, because why collect what isn't needed? That is data minimisation in practice. Speaking of "necessity," HRnest also limits how long personal data is retained.
It's worth highlighting access levels separately, because this is the principle of least privilege in practice. If you're an employee, you don't see other employees' data. If you're, for example, a recipient of leave requests, you only have access to the information relevant to you – nothing extra.
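The access model described above, as an added example that is not HRnest's code: a toy leave-request store in Python that shows an unscoped lookup (the classic insecure direct object reference, where any logged-in user who guesses another record's id can read it) next to a scoped lookup that applies the employee/approver rules and a field projection for the approver. All users, records, ids and field names are constructed assumptions for illustration.

```python
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class User:
    id: int
    name: str


@dataclass(frozen=True)
class LeaveRequest:
    id: int
    employee_id: int
    approver_id: int
    days: int
    reason: str           # personal data the approver needs in order to decide
    contact_phone: str    # personal data the approver does NOT need


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


# Constructed sample data (hypothetical users and records, not real ones).
USERS = {1: User(1, "alice"), 2: User(2, "bob"), 3: User(3, "carol")}
REQUESTS = {
    101: LeaveRequest(101, employee_id=1, approver_id=3, days=2,
                      reason="medical appointment", contact_phone="+48 600 000 001"),
    102: LeaveRequest(102, employee_id=2, approver_id=3, days=5,
                      reason="family matter", contact_phone="+48 600 000 002"),
}


def get_request_unscoped(viewer: User, request_id: int) -> LeaveRequest:
    """Vulnerable pattern: checks that the caller is logged in, not that the
    record belongs to them. Any employee who guesses another id reads it."""
    if viewer.id not in USERS:
        raise Forbidden("not logged in")
    return REQUESTS[request_id]


def can_view(viewer: User, req: LeaveRequest) -> bool:
    """The access rule from the text: the employee who filed the request and
    the approver it is addressed to may see it, nobody else."""
    return viewer.id in (req.employee_id, req.approver_id)


def get_request_scoped(viewer: User, request_id: int) -> LeaveRequest:
    """Hardened lookup: deny by default, and use one error for 'not found'
    and 'not yours' so callers cannot enumerate which ids exist."""
    req = REQUESTS.get(request_id)
    if req is None or not can_view(viewer, req):
        raise Forbidden("no such request")
    return req


def visible_fields(viewer: User, req: LeaveRequest) -> dict:
    """Data minimisation on top of access control: the approver gets only
    what is needed to decide; the phone number stays with the employee."""
    if not can_view(viewer, req):
        raise Forbidden("no such request")
    data = asdict(req)
    if viewer.id != req.employee_id:
        del data["contact_phone"]
    return data


def list_requests(viewer: User) -> list:
    """Listing is scoped by the same rule, so an employee never sees
    colleagues' rows and an approver sees only requests addressed to them."""
    return [r for r in REQUESTS.values() if can_view(viewer, r)]


def denies(viewer: User, request_id: int) -> bool:
    """True if the scoped lookup refuses this viewer/id pair."""
    try:
        get_request_scoped(viewer, request_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    bob, carol = USERS[2], USERS[3]
    print("unscoped leak:", get_request_unscoped(bob, 101).reason)  # alice's data
    print("scoped denied:", denies(bob, 101))                       # True
    print("approver view:", visible_fields(carol, REQUESTS[101]))  # no phone
```

The point to take from the scoped version is that the authorization decision is made on the record, not on the session: being logged in proves who you are, `can_view` decides what that identity may read, and the listing endpoint reuses the same predicate so the two code paths cannot drift apart.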
And the data itself never leaves the European Union – it is stored in the EU and therefore under EU law, specifically GDPR. Another aspect I appreciate is how HRnest handles integrations with other tools, such as Slack, Google Calendar and Outlook, ensuring that data protection standards are respected there as well.
Summary
The website provides plenty of information about data protection, presented in a clear and accessible manner.
Within the company, someone like me wouldn’t have a chance to cause trouble, and even if I tried, they’d handle it seamlessly thanks to their robust technical measures and well-defined procedures. A trained team and a Data Protection Officer ensure everything runs as it should.
The tool itself takes good care of the entrusted data. It limits access both by data type and by person, so that the appropriate (or potentially inappropriate!) individuals see only what they are entitled to. I'm satisfied with my little investigation, even though in the end I found nothing to criticize. I'm giving this a thumbs-up!
Tomasz Palak