How we've built Konfir around GDPR

By Chris Milligan

GDPR (the General Data Protection Regulation) was introduced in 2018 to give people control and protection over their personal data. It creates overarching rules for how organisations can store, process, and analyse customer data in the EU. 

At Konfir, our business model is based on the secure, user-permitted sharing of data. Because of this, GDPR has been a guiding structure that aids the design of our process flows, as opposed to being a hurdle. Outside of our core business model and user flow, we’ve doubled down on data security this year; appointing our DPO and CISO, rolling training out across the company, and preparing to become ISO 27001 certified. 

Below we’ve outlined the 7 pillars of GDPR, and how they’ve formed our foundation. 

Lawfulness, fairness, and transparency

Because our process is user-permissioned, data is only transferred on the legal basis of consumer consent. This is the case regardless of which data source a candidate accesses. We make sure consumer consent wording is always clear and specific to the data being requested.

Purpose limitation

Data is only requested for one particular purpose and is used only for that purpose. Konfir is a data processor. We never store PII (personally identifiable information) for longer than is agreed with our client or the candidate. You can find more information in our privacy policy.

Data Minimisation

Konfir only requests data that is necessary for the purpose the candidate consented to. If a verifier doesn’t need access to something, we won’t process it, nor will we ask a candidate to verify it. We believe this should go down to the data-point level to be transparent with the candidate, and to maintain a high standard of GDPR compliance


We only integrate with trusted and reputable data sources for employment data. We ensure that verifiers are aware of where data is sourced, and when it was last updated, so that you can trust the information being provided in real time is accurate.

Storage limitation

As a data processor, we never store PII for longer than is necessary to provide our services. Our support email (help@ and ICO registration number (ZB222386) are publically available, so that any concerns about how we’re handling data can be quickly investigated. 

Integrity and confidentiality 

Konfir is cloud-hosted on AWS, which benefits from industry leading security. We perform regular penetration testing and vulnerability scanning to monitor the safety of user data in all parts of our pipeline. We encourage whitelisting with our data providers and transfer encrypted data via API. Internally, we regularly monitor our access controls to make sure that access to sensitive information is on a “need to know” basis. 


One of the benefits of being a start-up is the lack of legacy systems. From day one, we have built Konfir in a structured manner; one that allows us to maintain oversight of all our information, and give access to auditors and regulators should they need to check our compliance. 

Back to blog home