It can be tempting to view EU Pay Transparency as the new GDPR. And to some extent, the comparison holds – both require data architecture, repeatable workflows, and documented processes that go well beyond a policy update.
However, GDPR and EU Pay Transparency Directive are fundamentally different in kind, and different in the risk they create. GDPR was, at its core, a process problem: it covers how data is collected, stored, and handled. Pay Transparency is a money problem. As Amanda Frayne, Chief Legal and Compliance Officer at Multiplier, puts it: “It’s not just reporting — it’s a triggered obligation, which requires remediation in a lot of cases.”
And there’s a further complication that most teams haven’t fully confronted: the two directives don’t run in parallel, they run into each other. When a small job category makes aggregate pay data identifiable, responding to a Pay Transparency request can create a GDPR exposure. Managing both requires deliberate design, not just two separate workstreams.
In this article, we’ll cover how GDPR and the Pay Transparency Directive differ in scope and financial risk, why the GDPR playbook won’t transfer, and how to manage both obligations in parallel.
What GDPR actually required – and why it felt survivable
The General Data Protection Regulation(GDPR) was adopted in spring 2016 and became applicable across the EU on 25 May 2018. It replaced the 1995 Data Protection Directive and set a single, EU‑wide standard for how organisations process personal data within the Union or about individuals in the Union.
As the internet and online behaviours became more reliant on transmitting and handling sensitive data and information, the EU realized that old privacy laws were no longer suitable to address the risks that unprotected data flow could create. Every resident of an EU member state had a right to understand, access, and in some cases restrict or withdraw consent for how their personal data was processed.
When it came time for businesses and employers to comply, many of them had to change their compliance posture completely. Not necessarily because they had been overly careless or misusing employee and customer data. But rather, because the standards had changed, becoming less permissive of broad access and use.
GDPR requirements
- Organizations must have a lawful basis for collecting and processing personal data
- Individuals should be clearly informed about what data is being collected and processed and how it will be used
- Data collected must be relevant and limited to what is necessary for the stated purpose
- Personal data must be accurate and up to date
- Individuals have rights over their data including the right to access, correct, delete, restrict, or object to processing in certain circumstances
- Data cannot be stored for longer than necessary for its stated purpose
- Personal data must be processed securely and protected against unauthorized access or misuse
- Organizations must report qualifying personal data breaches to the relevant supervisory authority within 72 hours of becoming aware, where feasible.
- Where a controller uses a processor, it must use only processors that provide sufficient guarantees of GDPR compliance, and the relationship must be governed by a written data‑processing agreement.
- Organizations must be able to demonstrate compliance with GDPR requirements
The reason this felt manageable for many organizations is because GDPR became a roadmap detailing how companies should operate now that they had to ask for, specify, and narrow the permission scope of their data collection as it pertained to EU residents.
It may have added friction points, security architecture changes, and procedural safeguards in handling data, but once the processes were in place, the obligation didn’t shift.
Three ways EU pay transparency is harder to manage
While it is easy to bucket these two regulations together under the umbrella of “EU compliance,” doing so underestimates the true operational impact of the new directive. The scope, focus, and long-term liabilities of Pay Transparency are entirely different, carrying direct, ongoing financial implications for employers who get it wrong.
1. GDPR was a process problem, this is a money problem
GDPR reined in companies’ ability to collect, store, and handle sensitive data, requiring them to gather consent and inform users of how their data was being used. The Pay Transparency Directive requires companies to fundamentally rethink how compensation decisions are structured, documented, and communicated.
Under the Directive:
Applicants must receive the initial pay (or pay range), based on objective, gender‑neutral criteria, in time to negotiate – in the job advert, before interview, or otherwise before any contract is signed. Asking applicants about pay history is prohibited.
Companies that meet certain thresholds must report on their pay every 1 or 3 years.
Companies with an unjustifiable gender pay gap of more than 5% must resolve it within 6 months, otherwise a joint pay assessment may be triggered.
Pay‑setting and pay‑progression criteria must be easily accessible to workers, and the criteria themselves must be objective and gender‑neutral (Article 6).
Employees gain a formal right to request information about their own pay and the average pay of colleagues performing the same work — or work of equal value — broken down by gender (Article 7).
This shifts pay transparency from a passive reporting obligation to an active employee right. Employers are required to respond in writing within two months, and employees can request additional clarification if the information provided is incomplete or unclear.
Once employees formally request and compare payroll data, employers need to justify compensation decisions with objective, gender-neutral criteria. If they cannot, the financial exposure and liability escalate quickly. “The reporting line is the start, not the finish,” Amanda Frayne, Chief Legal and Compliance Officer at Multiplier, explains “A gap above the threshold pulls you into remediation, into a joint pay assessment with worker representatives, and into individual claims for compensation.”
That liability is reinforced by Article 23, which requires Member States to impose “effective, proportionate, and dissuasive penalties” for breaches of equal pay obligations. Fines may be tied to turnover or payroll, ensuring the impact scales with business size. Workers also retain rights to full compensation and damages.
For companies without a clear compensation management framework, this is where the exposure becomes real. When pay has been set by manager discretion, negotiation, or budget availability rather than objective criteria, gaps surface, and under the Directive, those gaps have to be justified on the record, or remediated.
2. EU Pay Transparency pulls compensation into the spotlight
GDPR imposed obligations on how companies handle data internally — the exposure was largely between the employer and the regulator. Pay Transparency is different. Under Article 9, key metrics become public: mean and median gender pay gaps, variable pay components, quartile pay bands, and gap breakdowns by categories of workers, published by employer and sector in a format designed for comparison.
Compensation breakdowns that were once managed privately are now publicly indexed. And the reporting threshold isn’t the protection many employers assume it is — the obligations that create the most immediate risk, Article 7 information requests and candidate-stage transparency, apply regardless of size from day one.
The table below outlines how these strict reporting obligations phase in based on workforce size:
Workforce size | First reporting deadline | Reporting frequency | Data covered in first wave |
250+ workers | 7 June 2027 | Annually | 2026 |
150–249 workers | 7 June 2027 | Every 3 years | 2026 |
100–149 workers | 7 June 2031 | Every 3 years | 2030 |
Fewer than 100 workers | Voluntary (Unless mandated by national law) | N/A | N/A |
3. GDPR had one rulebook, pay transparency has 27
GDPR applies uniformly across the EU. The Pay Transparency Directive is, as the name suggests, a Directive: each Member State has to transpose it into national law, and the Directive sets a floor, not a ceiling.
Member States can — and several already are — going above the minimum. Countries can choose to apply their national version of this directive with much stronger guardrails, while another country might choose to apply the directive at its minimum.
For companies with employees across multiple EU markets, compliance becomes far more fragmented than it was under GDPR. What looks like one EU-wide directive on paper quickly turns into multiple national obligations in practice. “If your workforce sits across multiple EU jurisdictions, you have to look at each Member State’s transposition individually. The Directive is the floor; national laws will sit above it — and we are already seeing divergence in deadlines, reporting dates, sanctions and same‑sex equal‑pay claims.” says Frayne.
Slovakia adopted its Equal Pay Act on 15 April 2026, with entry into force on 7 June 2026. Fines for reporting failures are set at €4,000–€8,000, but the Equal Pay Act amends the Labour Inspection Act so that the Labour Inspectorate’s broader sanctioning powers can reach up to €100,000 (per the correlation table accompanying the draft Act). Treat the €4,000–€8,000 figure as the floor, not the ceiling.
How finance teams should prepare
The EU Pay Transparency Directive will have financial implications for any company with Europe-based employees. As Amanda points out, “Employers in the 100–149 bracket tell themselves they don’t need to do anything until 2031. That misses the point. The transparency obligations at the candidate stage, the right of every worker to ask for pay information under Article 7, and the equal‑pay claims that flow from all of it — those start from day one of the national law.”
The most prepared C-Suite teams are already working closely with HR and Legal to audit and document policies and model potential costs before the June 7 date comes into effect. Companies can use the following framework to build a proactive compliance plan:
1. Audit pay data
Pull all pay data into a single view (spreadsheet or compensation platform) and make sure it can be sliced by location, level, sex, and — critically — by category of workers performing the same work or work of equal value. That last dimension is what Article 7 and the Article 10 5% trigger run on.
2. Document pay criteria
Having a compensation philosophy on paper is not enough. Under the Directive, documentation has to meet a specific standard. Criteria must be predefined — objective and gender-neutral before the pay decision is made, not reconstructed after a request arrives.
Decisions must be applied consistently across comparable roles and you must be able to evidence and reproduce the decision — not just assert it, but reconstruct it with a clear audit trail of job classification, job band, criteria used, and decision rationale. As Frayne puts it: “If you can’t reproduce the logic, it’s not defensible.”
3. Map your EU footprint by member state
Knowing where in the EU you have employees is necessary for understanding which nationally transposed interpretations of the directive your company must comply with. Because applications will vary from country to country, begin implementation by identifying your employee base across member states.
4. Model remediation costs
If pay data reveals gaps above 5% that can’t be objectively justified, there are six months to resolve them before a joint pay assessment is triggered. Modelling those costs now means the business can build a buffer and plan accordingly — rather than responding reactively to a liability that was always visible.
Managing EU Pay Directive and GDPR in parallel
The EU Pay Transparency Directive (EUPD) and the GDPR create a sharp legal paradox: the EUPD mandates disclosure of compensation data, while the GDPR enforces strict minimization and privacy rights. Managing both simultaneously requires deliberate design. Under Article 9 of the directive, employers must report pay gaps by “categories of workers.” This requires employers to establish consistent salary bands tied to objective compensation criteria before reporting obligations begin. Yet when a category is very small – such as a niche team or senior executives – publishing those figures can effectively reveal individual salaries, turning aggregate reporting into a GDPR breach.
Consider a simple case: a job category with only three people — one woman and two men. If the employer publishes the required gender pay gap or quartile bands for that category, each person can easily work out the others’ exact salaries. That’s why counsel and DPOs must set aggregation thresholds and masking protocols to meet transparency rules without exposing individual pay data.
The Directive acknowledges this tension in Article 12, requiring that any data disclosed under Articles 7, 9, or 10 comply with GDPR. Personal data may only be used to enforce equal pay, and Member States can restrict disclosure where individual salaries might be revealed, granting access instead to worker representatives, inspectorates, or equality bodies.
This tension between disclosure and privacy makes clear that compliance isn’t just about reporting — it’s about infrastructure.
The benefits of using global-first infrastructure
Managing change driven by EU directives can feel daunting — adjusting workflows, compensation logic, and reporting structures across jurisdictions is no small task. Compliance means defending pay decisions across jurisdictions with aligned payroll data, compensation logic, standardized job structures, and local legal interpretation that holds up under scrutiny.
Most hiring and payroll platforms weren’t built for that level of consistency. Multiplier built compliance into the infrastructure itself through the Global Exchange for Work:
- 160+ owned entities across markets, eliminating third‑party risk
- In‑house legal and tax experts available 24/5
- Continuously updated compliance frameworks at EU and national levels
- GDPR‑compliant payroll operations balancing transparency and privacy
- End‑to‑end support across hiring and payroll
When Multiplier acts as Employer of Record in an EU country, the employer-side Pay Transparency obligations sit with Multiplier — including salary band disclosure, auditable pay criteria, and Article 7 response capability. Compensation decisions remain with the client; the compliance infrastructure doesn’t.
For companies running their own entities and using Multiplier’s Global payroll, the platform surfaces the data — pay band analysis, gender breakdowns, audit trails — so responses are faster and more defensible.
With June 7th approaching, the time to build that infrastructure is now.
Speak to an expert today to learn more about what it takes to stay compliant everywhere you hire.
FAQs
What is the EU Pay Transparency Directive?
The EU Pay Transparency Directive (Directive 2023/970/EU) is a regulation requiring EU member states to implement national laws that enforce equal pay for equal work. It introduces strict rules around candidate-stage transparency, employee information rights, and gender pay gap reporting to eliminate gender-based compensation discrepancies. EU countries need to transpose it into national law by June 7, 2026.
How does the Directive differ from GDPR compliance?
While GDPR was a "process problem" focused on how data is safely stored and handled, the Pay Transparency Directive is a "money problem." It requires companies to fundamentally restructure and defend how compensation decisions are made, shifting pay equity from passive data reporting to an active legal and financial liability.
What is a joint pay assessment and what triggers it?
A joint pay assessment is a mandatory remediation process conducted alongside worker representatives. It is triggered if an employer's public reporting shows a gender pay gap of 5% or more in any category of equal work, provided the gap cannot be justified by objective, gender-neutral criteria and is not corrected within six months.
When do the public gender pay gap reporting mandates take effect?
Reporting requirements phase in by company workforce size. Employers with 250 or more workers must report annually starting June 7, 2027, covering calendar year 2026 data. Those with 150 to 249 workers are also required to submit their first wave of data by June 7, 2027, covering the 2026 calendar year, but will continue reporting every three years thereafter. For smaller organizations with 100 to 149 workers, the reporting mandate is deferred to June 7, 2031, with data covering the 2030 calendar year, repeating every three years.
Can small businesses ignore the Directive until 2031?
No, small businesses should act now on EU Pay Transparency Directive. While public reporting deadlines are delayed for smaller cohorts, candidate-stage transparency rules and Article 7 employee information rights apply to all employers regardless of workforce size from day one of the national law's entry into force.
How can an EOR like Multiplier help with compliance?
Multiplier's EOR Service simplifies compliance through its global infrastructure, providing a single source of truth for compensation logic, aligned data reporting, and expert interpretation of localized Member State laws.