Issue 15: Your Vendor Says They’re Compliant. Your Regulator May Disagree.
Global Technology Scaled Faster Than Governance Matured
David Ballew, Founder & CEO
Originally published: 01 June 2026 | This analysis is based on Nimble Global's proprietary research and 30+ years of practical experience across over 90 countries. | © 2019 - 2026 Nimble Global. All rights reserved.
Late one night, an AI provider whose software I use every day sent me a cheerful email. I was one of their highest-volume users in the world, tens of thousands of words pushed through their system in a matter of weeks. It was meant as flattery. What it actually did was make me wonder how much of my data was sitting inside their platform, and what they were doing with it. So at 12:01 a.m. I submitted a data subject access request. Lawful, politely worded, entirely ordinary. By 12:04 a.m. my account had been suspended and my money refunded.
Three minutes. No acknowledgement of the request, no handler assigned, no process. The instant I stopped behaving like a paying customer and started behaving like a data subject, the relationship was closed rather than answered.
I don’t tell that story to accuse anyone of wrongdoing. I tell it because of what the speed revealed. That was not the reflex of an organisation confident in how it handles personal data. It was the reflex of one who would rather end the conversation than have it. The company involved isn’t a workforce platform, but the reflex is precisely the one I keep meeting across the workforce technology market, sitting just beneath the polished compliance language these platforms present to buyers.
The market has spent a decade rewarding a single thing: growth. Investors rewarded it, buyers rewarded functionality, and operations teams rewarded anything that took friction out of hiring. Platforms that started life as domestic tools now run across dozens, sometimes hundreds of countries, sitting inside the most sensitive parts of how organisations find, assess and engage people. What almost nobody priced in was whether the governance underneath those platforms matured at the same rate as the product on top of it. Mostly, it did not.
That is the gap I want to talk about. A vendor’s technical capability and its governance maturity are not the same thing, and over the past few years the two have quietly been allowed to merge in the way these platforms are sold. A product can be genuinely excellent and still be governed on assumptions that stop holding the moment it crosses a border.
Follow one candidate’s data
Picture what actually happens to a single applicant. A person enters their details believing they are dealing with the hiring company. Those details pass to the staffing supplier or MSP managing the role, then into a Vendor Management System, then into the client’s Applicant Tracking System, and from there into reporting, analytics and whatever internal tools decide who gets shortlisted. By the time that candidate is hired or rejected, their information has been held, scored and acted on by several organisations across several countries, most of it through integrations the candidate never sees.
Now ask the question that matters: at each of those hand-offs, who is the controller and who is the processor?
Most vendors have a confident answer, and they assert it in three places at once: the contract negotiated with the buyer, the privacy notice presented to the candidate, and the click-through, or clickwrap, terms every user has to tick before the system will let them in. In practice the candidate often reads none of them, and under GDPR none of them decides anyway. The role follows what you actually do.
The clickwrap is worth pausing on, because the law treats it two ways at once. Courts have repeatedly upheld clickwrap terms as binding on the user, because ticking the box is an affirmative act, even though everyone knows that most users never read a word. But that same tick does nothing to settle the vendor's own accountability. A regulator asking who the controller is will not accept a tick box as the answer.
The clickwrap binds the candidate; it does not decide the platform's role.
So if a platform shapes how candidate data is collected, scored or ranked, it cannot keep calling itself a mere processor simply because the paperwork says so. Regulators look at behaviour, not labels, and the burden sits with the platform to show how the arrangement works in practice, not to assert that it complies.
This is where a lot of confident positioning starts to crack. 'We’re GDPR-aligned.' 'Privacy by design.' 'Fully explainable AI.' I hear these constantly. Then I ask a provider to walk me through how one candidate’s data moves across their system, or how a particular ranking output was produced, and the answer becomes noticeably harder to give.
The language is mature. The plumbing underneath often is not.
That isn’t necessarily dishonesty; most of it is the residue of building fast in one regulatory environment and then selling into thirty others without revisiting the foundations. But intent counts for little with a regulator, and even less with a court.
What has actually changed
Here is why I think this stops being a slow-burn problem. For years people simply accepted the process. They ticked the boxes, accepted the terms and let their data disappear into systems they could not see. That era is closing. Workers now understand data rights, automated decision-making and cross-border data flows in a way they did not even three years ago, and, more to the point, they are willing to act on it.
I have watched candidates, after an unsuccessful application, file access requests for their interview notes and the internal commentary behind the decision. In one case shared publicly on LinkedIn, the applicant said almost all of their feedback had been positive, and that the outcome turned on a single offhand remark about a former employer. What struck me most was not the request itself, but who was teaching people to make it. The post was written by someone inside our own industry, walking candidates step by step through how to use an access request to extract the reasoning behind a rejection.
Whether you regard that as a fair use of the right is beside the point. Awareness changes behaviour, and awareness is now being actively taught. Once people know the door exists, and someone hands them the key, some of them will open it. What I keep coming back to is what happens when this becomes routine. Most HR, risk and IT functions are not built to handle access requests at volume. If even a modest share of rejected candidates began demanding everything held on them, along with the reasoning behind the decision, a great many organisations would find, very quickly, that responding properly is close to a full-time job they never resourced.
And this is where exposure stops being individual. The same platform, the same algorithm and the same rejection workflow are applied to thousands of people at once. The moment a handful of them compare notes on LinkedIn, in a forum, through a claimant firm…
An isolated complaint becomes a pattern, and a pattern is what litigation is built on.
The technology sector has already learned how quickly public scrutiny can rewrite accountability once practices assumed to be private become visible. There is no reason workforce platforms will be the exception.
So what do you actually do?
The uncomfortable part for buyers is that you inherit a share of all this. Put a platform between your organisation and your candidates, and its governance gaps become your governance gaps. So the only question worth ending on is a practical one. And it has two answers, because HR and procurement are not solving the same problem. They have different goals, different levers, different exposure.
If you sit in HR or the people function
Your concern is whether your decisions are fair, explainable, and defensible, and whether your candidates and your employer brand are protected when one of them starts asking questions.
If a rejected candidate asked today for everything you hold on them and the reasoning behind the decision, could you produce it, and would you be comfortable with what it showed?
Where in your hiring process is an automated tool scoring, ranking or filtering people, and can someone explain in plain language how it reaches those outputs?
Are interview notes and evaluation comments written as if the candidate will one day read them? Because increasingly, they might.
When the system recommends one thing and a human disagrees, who owns the final decision, and is that documented?
If you sit in procurement or vendor management
Your concern is liability, due diligence, and assurance that you can stand behind a vendor selection that survives scrutiny long after the contract is signed.
Don’t ask whether the vendor is GDPR-compliant. Ask them to map a single candidate’s data through their platform and name the controller and processor at each step.
Ask to see how they handled a real access request: how long it took, who handled it, and what they actually produced.
Where does the contract place liability when the platform’s own processing causes the problem, and does that allocation survive contact with how regulators actually assign responsibility?
What is their record on sub-processors and cross-border transfers, and can they evidence it rather than assert it?
If their AI ranks or screens candidates, can they show it has been assessed for bias and meets the high-risk obligations now landing under the EU AI Act?
The point
None of this requires you to become a data protection lawyer. It requires you to stop accepting compliance as a claim and start treating it as something a vendor has to show you. For years I have run every technology review on a single principle: don't tell me, show me. When a provider describes a capability, I ask them to show me exactly where it lives in a live production environment, not a polished demo. Governance is no different. Ask a vendor to walk you through how a real candidate's data actually moves through their platform, and how a real access request was actually handled. The ones who can do it calmly and specifically usually understand their own environment. The ones who cannot are telling you something just as useful, whether they mean to or not.
Stay Nimble. Stay Compliant.
About the Author: With extensive experience in workforce compliance and global workforce solutions, David Ballew has consistently driven innovation and operational excellence. As the Founder and CEO of Nimble Global, David combines deep industry expertise with a unique perspective shaped by his neurodiverse AuDHD profile, enabling creative problem-solving and multidimensional insight. A pioneer in MSP models and workforce technologies, he is dedicated to bridging global compliance gaps and helping organisations build resilient, future-ready workforces.
Real People. Real Action. Real Innovation.
Disclaimer: This content is intended for informational purposes only and does not constitute legal, tax, or employment advice. Readers should consult qualified professionals in relevant jurisdictions before acting on the guidance provided. Nimble Global disclaims any liability for actions taken based on this publication.