The European Union's General Data Protection Regulation (GDPR) is designed to protect the European Union's residents in relation to the processing of their personal data. It treats all natural persons, consumers as well as employees, equally and grants them several rights and safeguards.
This article provides a complete guide to the Human Resource Management team of an organization aiming to comply with the GDPR. Let’s first look into some of the key provisions of the GDPR that a Human Resources Management team must consider while handling employees’ personal data:
As per Article 6 of the GDPR, data controllers must have a legal basis to process personal data. For most data processing happening under workplace circumstances, the legal basis cannot be the employee’s consent because of the imbalance of power between an employer and employee. The employee may worry that his/her refusal to consent may have severe negative consequences on his/her employment relationship. As a result, the employee’s consent cannot be considered to be freely given.
Employers can rely on an employee's consent only in a few exceptional circumstances, such as retaining a job applicant's data for future roles, where refusal has no adverse consequences for the employment relationship. Such consent must be freely given, specific, informed, unambiguous and documented.
In the context of work, employers should therefore rely on the other lawful bases set out in Article 6 of the GDPR. The most common legal bases relied upon by employers are the performance of the employment contract, the legitimate interests of the employer, and compliance with a legal obligation to which the employer is subject. Employers must apply the principles of proportionality and subsidiarity regardless of the legal basis used for processing employees' personal data.
Article 5 of the GDPR sets out 7 key data protection principles that all data controllers need to abide by. These data protection principles are:
The employer must ensure full compliance with all of the above-mentioned data protection principles when handling employees' personal data. This includes the employer's obligation to notify employees of the existence of any monitoring or surveillance activity, the purposes for which the personal data is to be processed, and any other information necessary to guarantee fair processing.
Article 25 of the GDPR requires employers to implement the principles of data protection "by design and default" in all data processing activities and projects. As an example, where an employer issues devices to employees, the most privacy-friendly solutions should be selected if tracking technologies are involved. Data minimization must also be taken into account.
Article 35 of the GDPR requires data controllers to conduct data protection impact assessments where data processing is likely to result in a high risk to data subjects. In an employment context, the employer must carry out a DPIA before using new technologies or where data processing is likely to result in a high risk to the fundamental rights and freedoms of employees.
A DPIA is necessary for the following situations:
(1) Systematic and extensive evaluation of personal data or profiling.
(2) Processing on a large scale of personal data relating to criminal convictions and offences.
(3) Systematic monitoring of publicly accessible areas on a large scale.
(4) The use of newer technologies and biometric procedures.
As per Article 30 of the GDPR, the employer must maintain records of the data processing activities under its responsibility. This obligation does not apply to enterprises employing fewer than 250 persons unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or relates to criminal convictions and offences.
These records can be audited at any time to see if the organization is compliant with the GDPR.
As per Articles 33 and 34 of the GDPR, employers must notify personal data breaches to the regulatory authority where a breach is likely to result in a risk to the rights and freedoms of employees. They must notify not later than 72 hours after having become aware of the breach. Where such risk is high, the employer must notify impacted employees without undue delay.
When sharing an employee's personal data with external third parties and vendors, such as HR service providers, security contractors or medical insurance services, the employer must assess those parties' privacy practices and their compliance with the GDPR's requirements. It is best practice to have contractual agreements containing safeguards for the protection of the transferred data.
Given the cross-border data transfer requirements of the GDPR (Articles 44 to 50), companies must ensure that personal data is transferred to a third country outside the EU only where an adequate level of protection is ensured, and that the data shared outside the EU, and any subsequent access by other entities within the group, remains limited to what is necessary for the intended purposes.
As per Articles 12 to 23 of the GDPR, an employee has the following rights in relation to his/her personal data:
(1) Right to Information
(2) Right of Access
(3) Right to rectification
(4) Right to erasure
(5) Right to restriction of processing
(6) Right to data portability
(7) Right to object
(8) Right not to be subject to automated decision-making.
Employers are required to fulfill their employees' data subject rights (DSR) requests within the stipulated deadlines.
As per Article 88 of the GDPR, member states may provide for more specific rules with respect to the processing of employees’ personal data. Therefore, employers must also look into national and local employment laws relevant to their jurisdiction while handling employees’ personal data.
HR Management must meet the requirements of the aforementioned provisions of the GDPR. To achieve compliance, organizations need to operationalize their processes.
This can be done in the following ways:
Performing these tasks through manual methods can increase the risk of human error, not to mention the time and money to complete them. Organizations are advised to incorporate automation that can simplify and speed up the compliance process.
Securiti's Sensitive Data Intelligence Solution can help your organization discover, analyze, and protect large datasets. It offers a 360-degree solution to your compliance needs. See a demo of our Sensitive Data Intelligence solution and let Securiti help you on your road to GDPR compliance.
Securiti also offers automated data mapping, DSR rights fulfillment, data breach management and security controls to help you comply with the obligations required by the GDPR.
Yes, GDPR includes employee data when employers process it. Employers are subject to GDPR requirements regarding the processing of personal data of their employees.
Processing employee data under GDPR involves obtaining lawful consent or relying on other legal bases, providing privacy notices, safeguarding the data, and ensuring employees' rights are respected, including access to their data.
No, GDPR applies to all individuals whose personal data is processed by organizations, including employees, customers, clients, and any other data subjects.
Employees should be aware of their rights under GDPR, including the right to access their data, the right to be informed about data processing, and the right to request data erasure. They should also report any data breaches or privacy concerns to their employer.
Employee data includes personal information related to employees, such as names, addresses, contact details, payroll information, performance evaluations, and any other data collected in the employment context. It can also include sensitive data like health records or biometric data if relevant to employment.