With Europe’s new rules on privacy scheduled to take effect May 25, companies have only a few weeks left to comply with the sweeping requirements regulating customer and employee information.
The application of the European Union’s General Data Protection Regulation is so broad that it impacts companies large and small, affecting even those that have no office or presence in any EU nation. If your business has a worker in a EU country or gets a resume from a EU resident, you are likely subject to the rules, which can be costly to ignore.
Fines for serious non-compliance can be as high as €20 million or 4% of an offender’s global revenue for the previous year. There are also lesser fines for a variety of even minor infractions. So it’s essential that companies ensure they meet the GDPR requirements when it comes to EU nationals.
Because the GDPR is a significant expansion of Europe’s previous privacy rules, how it will be applied in all situations is uncertain. To further muddy the situation for HR leaders, the regulations permit each EU country to adopt its own, stricter rules for employers.
To offer last minute guidance to organizations still trying to wade through the GDPR thicket, here’s a short guide to the provisions most relevant to human resources.
A GDPR overview
The GDPR regulates how and what personal information may be collected, how it is stored, who may access it, and how long it may be kept. It applies to every organization involved in the processing of personal data, which is defined as “any operation or set of operations which is performed on personal data or on sets of personal data.”
Consent of the individual is one of the key elements of the GDPR, so it’s critical for HR departments to identify the personal data they already have on each employee, manage duplicates such as the separate files a manager may be keeping, and confirm that what they do have is necessary to the operation of the business. This extends to third party service providers such as cloud-based systems.
Besides the obvious information typically found in employee files, some companies may also monitor employee behavior via computer keystroke capture, email analysis, security cameras and call monitoring. The GDPR has a list of the information obtained directly and indirectly that must be given to each employee.
Data protection officer
Companies that do conduct systematic monitoring of employees or process sensitive personal data – criminal records or results of medical or drug tests, for example – will have to appoint a Data Protection Officer.
According to the International Association of Privacy Professionals, the GDPR’s requirement that all “data controller and processor” companies appoint a data protection officers means the following types of companies are covered:
- Any company with 5,000 or more employees.
- All companies engaged in transportation and storage (e.g., airlines); accommodation and food service (e.g., hotels); and professional, scientific and technical activities (e.g., accounting firms).
- All financial institutions.
- All companies involved in information services and communications. This includes news and information websites that register users.
Consent
Collecting, retaining and using personal data – the “processing” language used in the GDPR – requires the express consent of the affected individuals. For marketing and sales, this can be accomplished by having the individuals execute a consent form. For HR data, it’s much more complicated.
The GDPR sets six conditions for processing personal data:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
Consent by employees is viewed skeptically by EU regulators, so organizations will generally need to rely on a legal requirement or a showing they have a legitimate business need for the data.
A primer on the GDPR put together by the Ogletree Deakins law firm notes:
“Employers must first perform a privacy impact assessment by balancing their legitimate interest against the employees’ privacy rights and documenting that the legitimate interest outweighs the employees’ rights. Thereafter, employers must specify such legitimate interest in privacy notices provided to employees.”
If you haven’t already conducted this data audit, do it now. Be thorough. Review both digital and paper records. Delete duplicates. And even if your EU-based employee consented to use using the information – such as by signing a general agreement when hired – be sure you have a legitimate business interest or a legal obligation to retain and use it.
When accepting CVs in connection with a job opening, have the applicant sign a statement – digital is acceptable – consenting to the use of the information in connection with your recruiting process. If you want to use the application to build a pipeline, consent for that use must be expressly given.
Right to delete
The GDPR gives individuals the right “to be forgotten” by having their personal details removed from any HR system. Records of employees leaving or who have left the company may only be kept for relatively short periods. And even then, only the minimal amount of information can be retained.
How long you can keep a record may depend on the individual country where the person lives. There may be legal requirements to retain some records for extended periods of time. Even in the absence of a legal retention obligation, you may want to keep the records to defend the organization should a disgruntled ex-employee sue.
In addition, having suitable procedures in place to delete personal information is essential. Employees have the right to insist you delete information unless you can demonstrate a legitimate need to retain it. Consequently, be sure to review your records retention policy to bring it into compliance with the GDPR for your EU employees. And add records deletion review to your off-boarding process.
Incidentally, this applies equally to job candidates. Unless the candidates have given explicit permission to retain their information, it must be deleted when the hiring process is completed.
Right to inspect, object and correct
Short of deletion, employees and others whose data you have can demand access and correction of erroneous information. That’s more or less what most companies voluntarily now provide. But the GDPR goes further, giving them the right to have some of their information transferred to a new employer; the right to restrict its use and the right to object to having their data used in a profiling system such as an AI performance prediction analysis for example.
Transparency and data breaches
Data breaches must be immediately reported to an appropriate EU office, and every employee whose data may have been accessed must be notified. Sounds simple enough until you drill down to what might constitute a breach. According to an analysis by the UK’s Keystone Law suggests that something as simple as “sending an email with all the recipients’ email addresses in the “To” field rather than the “Bcc” field so everyone can see each other’s email addresses is a data breach.”
Other examples include the loss of an unencrypted company laptop with personnel records on it or access of an HRMS by an unauthorized person.
Once a breach is discovered, notification must be made within 72 hours.
There’s also a requirement that you communicate your data processing with employees and others in a “concise, transparent and intelligible manner, which is easily accessible, distinct from other undertakings between the controller and the data subject, using clear and plain language. For employers, transparency is achieved by keeping the employee or prospective employee informed and this should be done before data is collected and where any subsequent changes are made.”
Some final words
Although the GDPR gives individual workers and prospective employees powerful tools to limit the use of their personal data, it places an even greater responsibility on organizations to manage that information responsibly.
For entities with limited overseas contact or no EU workers or job candidates – and who have no expectations of geographical expansion there – the GDPR still looms as a foreshadowing of regulations they could face in the future.
The recent disclosures of how Facebook handled millions of personal records is promoting governments to take a closer look at how to protect the privacy of its citizens. It only makes sense, therefore, for HR professionals everywhere to reexamine their records retention policies as well as review just what data the organization has and how it is being used. Transparency and express consent may be the two aspects of the GDPR you might consider adopting voluntarily. It could potentially spare you problems should an unfortunate data release put your company on the front page.