Does GDPR Apply to Employees?
The introduction of the General Data Protection Regulation (GDPR) is just around the corner, and many organizations are wondering whether the GDPR applies to data concerning employees as well as to data related to clients or customers.
The short answer is yes: employee data is subject to the same protections as client and customer data under the GDPR. When organizations design their systems to be GDPR compliant, they must not forget to review and modify the systems that deal with internal staff information.
This also means that staff members will have similar rights to clients and customers, such as the right to request copies of their stored data. Organizations will face the same penalties for mismanaging or misusing employee data as they would for mishandling, or violating the rules for, data concerning individuals external to the organization.
How Should Human Resources Prepare?
As the majority of data relating to employees will be held and processed by the Human Resources (HR) department, it will be crucial for HR staff members to gain a strong working knowledge of the GDPR and how it will apply to their functions. Seemingly simple and standard administrative tasks may now require extra steps, such as gaining authorization to process an employee’s personal data, especially data that is not directly relevant to their employment.
Previously, this sort of request could be made as part of the employment contract, but with the introduction of the GDPR this will change. Consent to process an individual’s personal data can no longer be gathered as a consequence of them signing a contract; as per Article 7 of the GDPR, Consent, this permission must now be separately requested. The relevant section of Article 7 states that “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”. Organizations have, and can show, legitimate cause to process certain data directly related to the employment of the member of staff, and HR will have to be very clear on what this data is and how they can and cannot process it. Consent must be sought for the processing of any other personal data. This consent must also be freely given by the employee, and the GDPR notes that if the fulfillment of a contract is conditional on this “extra” consent being given, it may be determined that the consent was not freely given and is therefore not valid.
Employees must be made aware of the data that HR will process and why it is being processed. To facilitate this, HR should take note of the personal data that they process and the reasons for this processing. Auditing the data will help identify information that is being held but which is not directly related to the functions of the organization. If the organization wishes to continue holding this information, authorization to do so should be sought before the introduction of the GDPR; otherwise the information should be deleted. The audit can also help identify old or erroneous information. The GDPR requires data to be kept up-to-date, stating that “every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted”.
As well as the appropriate administrative procedures, HR will need to ensure that the appropriate technical and IT protections are in place to secure employee data from access by unauthorized individuals. Systems will need to be reviewed and implemented to ensure that data which is transmitted, stored or otherwise processed cannot be accidentally or unlawfully destroyed, lost, altered, disclosed or accessed.
Failure to follow these rules may result in the organization being found in violation of the GDPR and facing sanctions or fines.