If you do business in Europe, or have European operations and employees, chances are that you’ve been wringing your hands trying to figure out whether your company is compliant with the General Data Protection Regulation (GDPR). The GDPR went into effect on May 25, 2018, and carries substantial penalties for noncompliance; i.e., up to €20 million or four percent of annual worldwide turnover, whichever is greater.
Are You Covered?
- Do you have locations in the European Union?
- Do you have employees who reside in the European Union?
First, and importantly, the GDPR covers many aspects of business operations that are beyond the scope of this article. Businesses will need to ensure that they consult with legal counsel to cover all of the angles and to avoid hefty fines. This article will focus solely on those aspects of the GDPR that involve human resources (HR) processes.
In the HR realm, most of the GDPR relates to data collected from employees. As a European Union (E.U.) regulation, HR departments that do not maintain employees in the E.U. generally need not worry about the steps described herein. Employees who are covered are those who reside within the territorial boundaries of the E.U. at the time that their data is collected or accessed. This has vast implications for an organization’s marketing practices, but perhaps less so for its own employees. The first step in untangling GDPR compliance is to determine whether you have any employees who reside in the E.U. and for whom you maintain data. This should be a straightforward analysis.
Know the Data
- Are you a collector, processor, or both?
- What systems do you use to collect and/or process data?
The much more difficult task is to assess which data related to those E.U. residents are covered by the GDPR and to ensure that you have identified all such data. The definition of data that are covered is extremely broad and includes “any information that relates to an identified or identifiable” E.U. resident. Of course, this includes information like name, date of birth, address, telephone number, e-mail address, emergency contact information, and more. But it also includes many other items such as business and personal travel arrangements, dietary needs, personal vehicle information, scheduling, bank account numbers, performance documentation, recruiting information, criminal or financial background, and much more. Even online identifiers, such as cookies and other metadata collected as part of an employee’s online activities, are covered by the GDPR definition. These constitute the basic category of covered data.
The GDPR also references “special categories” of data that require heightened protection. These data include racial and ethnic background, union membership, sexual orientation, medical conditions and disability information, political affiliation or opinions, religious or philosophical beliefs, and biometric and genetic data.
Thus, an organization’s second task is significant: it must ascertain what data are collected on employees, even if they are seemingly minuscule and obscure bits of information collected through a web browser on a work computer. Next, the employer will have to ensure that it continues to understand when new types of data are collected and stored, how they are collected and stored, how such data can be made available, and how they can be erased upon the request of the E.U. employee.
Not only should employers endeavor to understand what data are collected and processed for their employees, but they should also identify the systems involved in such collection and processing. Commonly encountered examples include HRIS and payroll systems, but there are many others.
Communication with Employees
- Have you reviewed GDPR compliance in your new hire paperwork?
- How will you communicate with existing employees?
- Which “alternate legal bases” apply to data you collect and/or process?
As a product of European outrage at certain data collection and use practices, the GDPR also provides numerous rights for E.U. residents that fall under its protective aegis. In short, there are several steps employers must take vis-à-vis their protected E.U. employees. These can be divided into “notice” and “consent.”
First, “notice” must be given whenever a collector or processor of information (and you should ascertain which type you are as an organization) seeks to collect or use such information. In the usual GDPR context, this can happen when a customer, who is an E.U. resident, accesses your website and you collect certain IP and other tracking information. This practice, under the GDPR, requires both notice to the customer and consent. In the case of the customer, he or she is simply informed that certain information (e.g., cookies) is in use on the website, and the customer is then given the option of whether or not to consent to the practice. “Old-style” disclaimers that declare consent is given “by using the website” are inadequate to satisfy the GDPR “consent” requirements.
For employees, “consent” is a far more difficult concept. As defined by the GDPR, consent must be “freely-given, specific, informed, and revocable.” However, the legal concepts underpinning the GDPR make it unlikely that true “consent” can occur between an employer and its employees, as an employer will usually hold the superior bargaining position. Thus, it is not recommended that employers with E.U. employees rely on explicit “consent” as the underpinning of their data collecting, processing, and maintenance practices. This is especially true for data transfer and data sharing.
Rather, the GDPR identifies “alternate legal bases” to “consent.” These are important for employers to know and use in their forms. These alternate bases include that processing is necessary for completing an employment contract; that processing is required by law; or that processing satisfies the “legitimate interests” of the employer, which outweigh the “general privacy rights” of the employee.
To evaluate each alternate legal basis, consider the following example. Many E.U. countries require some form of paid sick leave as a legal compliance issue. Thus, instead of obtaining consent from employees to track their sick days, an employer may rely on the “alternate legal basis” that it is complying with an E.U. member country’s paid sick leave law in collecting and processing such information. Thus, no consent is required.
It is expected that the “legitimate interests of the employer” balancing test will become an important, but perhaps hotly contested, part of the GDPR. It is unclear where the limitations stand on this alternate legal basis to consent.
Therefore, the third step in GDPR compliance is to augment new hire and existing employee paperwork to identify data covered by the GDPR and to explain the legal underpinnings by which such data are collected and processed. In other words, categorize your data, disclose it to employees at hire, ideally (but you must also do so for existing employees who have not yet been similarly informed), and either obtain consent or explain why consent is not required using the language of the alternate legal bases.
If an employer, on the other hand, encounters data on its employees for which it cannot argue one of the three legal bases explained above, then the employer must determine whether it is permissible for it to collect and process such data in the first place. In other words, since the traditional concept of “consent” as defined by the GDPR may not apply to employees, if no other alternate legal basis covers the data in question, it may not be compliant with respect to the GDPR to continue to process such data.
Understand “Privacy by Design” and “Privacy by Default”
- Which systems do you use that are customized and which are off-the-shelf?
- Do you understand “privacy by design” and “privacy by default”?
The concepts of “privacy by design” and “privacy by default” are most likely to apply to HR software solutions. “Privacy by design” means that a software solution should be designed with privacy as an important objective, and “privacy by default” means that the default settings of the solution should be geared towards data protection and privacy.
A system-by-system evaluation is necessary here. For HR departments that use off-the-shelf, non-customized software solutions, evaluate the settings of the software and determine whether all data that are collected, or can be collected, are necessary. For example, a certain software program may feature an online job application. Determine what data are absolutely necessary to process such an application and eliminate all other fields. This is an example of how an HR department may implement the concepts of “privacy by design” and “privacy by default.”
Establish Procedures for Employee Rights
- Which data do you collect and/or process that rely on “alternate legal bases” as described above?
- What processes will you implement to “forget” data and to “transfer” data?
Under the GDPR, employees in the E.U. are bestowed with two significant rights: data portability and “forgetting.”
Data portability means that an employee has the right to transfer data that was provided by them from one entity towards another. It applies only to personal data provided by the employee and not to any data for which there is an existing legal duty on behalf of the employer to collect. However, while this category may be exceedingly narrow, it is incumbent upon employers with E.U. residents as employees to design processes by which such portability may be explained, requested, and processed.
This is also true for the “right to be forgotten.” Employers are not required to erase any data that may help to defend a lawsuit, that are required by law, or that, generally speaking, satisfy the other alternate legal bases described above. However, while this category may also be very narrow, employers must establish processes designed to comply with these rights granted to E.U. residents who are employees.
Review Vendors Who Process Information
- Which vendors, if any, use your protected data to perform services, e.g., payroll, HRIS?
- Have these vendors, if any, implemented changes due to the GDPR?
- Do your contracts with vendors specify GDPR compliance?
Even if a third-party vendor processes the data on your employees, you, as their employer, retain liability under the GDPR. Ensure that your vendors are knowledgeable about the GDPR and compliant with it. As an extra, recommended step, employers may wish to insert provisions into contracts with their vendors that further GDPR compliance and that address the legal risks and liabilities created when a vendor fails to establish and/or follow its own GDPR-compliant policies and practices.
Prepare for Security Breaches
- Who “owns” the process of evaluating, monitoring, and disclosing data breaches?
- Do you have a system for notification that can be made effective within 72 hours of a breach?
For employers who are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), some of the following provisions may sound familiar. First off, every employer that processes data covered by the GDPR is required to implement logistical and technical safeguards for said data. In addition, an employer must monitor for security breaches and report them within 72 hours. The standards under the GDPR for what the notice must contain are not dissimilar from HIPAA and related privacy laws in the U.S., but the turnaround time is much shorter. This mandates that employers act beforehand to ensure that they are prepared in the event of a security breach.
For the technical and other administrative requirements, including limitations and further requirements on cross-border data sharing and transfers, employers should ensure that they conduct a joint review with knowledgeable legal counsel and their information technology experts. These requirements can be burdensome and many employers in the U.S. have reported costs exceeding one and even ten million dollars in implementation.
Monitor E.U. Member State Legal Compliance
- In which E.U. member states do you do business and/or have employees?
- Do you maintain qualified legal counsel to augment GDPR requirements, if required, by those member states?
By now, you’ve probably read one or another article from the Employers Council cautioning you about applying the Family and Medical Leave Act (FMLA), or the Fair Labor Standards Act (FLSA), on a 50-state basis, because many states retain and frequently enact their own, more burdensome rules. This is a common pitfall that results in legal liabilities for employers.
The GDPR is no different. While it establishes a baseline for E.U. member states, such states are still able, and oftentimes willing, to maintain more burdensome standards. Therefore, while France, Germany, and Italy must comply with the GDPR, each member state can enact more stringent requirements. In short, GDPR compliance may not be sufficient – also ensure that you comply with the laws in the member states in which your employees reside.