You may have noticed that there is a big data privacy initiative coming out of the EU in the very near future – May 25, 2018, to be exact. It’s called the General Data Protection Regulation (or GDPR) and it applies to any company that does business with or employs EU citizens. If your company is processing the personal data of any EU citizen (also known as ‘data subjects’), you are subject to GDPR. If that doesn’t stop you dead in your tracks, it probably should.
You may be a company outside the EU that is thinking of waiting this one out to see how it all unfolds. It will be unfolding before you know it and the regulators are not expected to give a pass to companies that say, ‘We didn’t know’ or ‘We weren’t sure how it would apply to us’ or ‘We wanted to wait and see how it works’. And to prove how serious regulators are, companies that are found to be out of compliance may be fined up to 4% of annual global revenue (NOTE: not profit, revenue) or €20M, whichever is larger. And it won’t be solely directed at obvious targets such as Facebook. It applies to companies both large and small.
Have I caught your attention yet? I hope you are getting the idea that GDPR is something you cannot ignore. Do you want to learn more?
In this article, I’d like to narrow our focus to employees and leave customers for another discussion. I’m also going to avoid quoting heavy regulatory language in favor of helping you think through what GDPR could mean to your daily work life.
If you don’t have any EU citizen employees or employees living in the EU, you will still want to read this if there is the slightest chance that you expect to at some point.
Whose personal data are protected? Employees who are EU citizens, wherever they live, and employees who are non-EU citizens living in the EU
Did you notice the emphasis in that section header? You read that right. If you were hoping to avoid the whole thing by sending someone from your home office over to the EU, unfortunately, that won’t work. Expats living in the EU are also covered by GDPR.
It also means that EU citizens in your employ who are not living in the EU are still covered, even when they are not in the EU. So if they are in your home office outside the EU, GDPR still applies.
If you already have (or expect you will have) employees in the EU or employees who are EU citizens living anywhere, it’s best to keep reading.
Who in a company is really responsible for GDPR compliance around employee personal data?
First, essentially everyone is responsible, and the responsibility is ongoing: GDPR compliance is not something that happens at a single point in time. That being said, these general groups care a lot about GDPR – HR (including but not limited to recruiting, relocation, benefits, payroll), Risk Management, DPOs & Legal, CTOs, CIOs, and International Business Strategy Teams. Either they are all tasked with finding ways to comply or they may be frustrated by having to wait for other teams to work through compliance so they can keep doing their jobs. That’s not to say there aren’t more groups who really care, but these specifically will be (or should be) very engaged when it comes to employing people in the EU. Don’t assume that an employee won’t be concerned about how you manage their data – they do care and they will turn you in if you’re not compliant.
Let’s take these aforementioned groups one at a time.
HR – It goes without saying that HR will be intimately involved in GDPR compliance. After all, HR – and outside data processing vendors that support HR – collect all manner of personal data about employees, some of which is used internally, and some of which is shared for outside processing for things such as background checks, visas, relocation, even payroll.
If your approach to managing international employees has been spreadsheets shared through email, underpinned by manual processes, you’ll want to find another solution. Either that, or expect to hire more people or get less of your regular HR work done as the team strives to manually comply.
RISK MANAGEMENT, LEGAL, & DPOs – Of all the departments that are paying attention to GDPR, Risk Management and Legal are most likely at the forefront. Given the nature of what they do, they have likely been putting together processes around how customer personal data will be protected for GDPR – possibly for many months now. Data Protection Officers (DPOs), who oversee the data protection responsibilities within the organization and ensure compliance with privacy regulations and laws, may already have been appointed.
These groups may also be planning for how employee personal data will be protected, or they have relied on HR to figure out how the company will comply. Individuals within Risk Management and Legal are also most likely the ones that will be responsible for reporting out if the company is asked to demonstrate compliance. They will be very interested in being able to respond to ‘Subject Access Requests’ (SARs) – in a very timely manner (20 days), as required by GDPR – from employees who want to know things such as: What of my personal data do you have? Where is it stored? Why do you have it? Who has access to it? When will you delete it? And by the way, when did I say you could do that with my data? Employees can ask these questions and will have a legal right to a timely response.
CTOs – CIOs – Sometimes companies just want a technical solution for managing their employee data. To do that, it’s helpful if the processes for collecting data, opting in employees, securing data, managing access to employee data, and sharing employee data are controlled, documented, and reported on through a scalable platform that can grow with the business and handles things in as automated a way as possible.
INTERNATIONAL BUSINESS STRATEGY TEAMS – International Business Strategy Teams are looking at how the company can take advantage of international growth opportunities. They rely on HR to find rock star employees in new markets (or get the candidates they’ve already found onboarded ‘yesterday’). They also look to Risk Management and Legal to help them understand what could go wrong, to pave the way with contracts, to identify and overcome any potential legal obstacles, and to help them push the company forward into new opportunities. They generally do not appreciate hold-ups from HR, slow hiring processes, or a risk management team that is telling them what they can and can’t do, but is perhaps too busy to take care of the details.
Now that we’ve identified the key players, it’s time to move into more specifics around what companies will be required to do.
What are some of the key GDPR requirements around employee (and candidate) personal data?
OPT-INS & ACKNOWLEDGEMENTS – First of all, just like with customer personal data, companies will be required to obtain an ‘opt-in’ or acknowledgement from employees showing they agree to what data of theirs the company will collect, how it will be used and for what business purpose, who will have access to it all the way down the vendor supply chain, and how long it will be retained. That includes how the company’s vendors will use it (for instance global payroll or relocation companies).
To do this, the company will have to share its most current privacy policy with the employee, gain their opt-in or acknowledgement, record that they have gained it, and repeat the process when the privacy policy is updated for any reason (such as new vendors, retention policy changes, etc.). The company must then be able to present – on-demand – proof that the employee agreed to sharing their personal data for the business purposes for which it is being used. And the company must also show it is using employee personal data only in the way the employee gave them permission to use it and that there is a clear business purpose. Because of the power relationship between employer and employee, consent alone isn’t enough for lawful processing of data; a legitimate business use must also be established and documented.
Candidates also share a certain amount of personal data with prospective employers, so they too will need to sign a candidate version of the opt-in, again with a tracking system to log what they agreed to and when. If the candidate is not hired, their personal data must be removed. If they are hired, they will then move on to opt-in to the employee version of the privacy policy.
Candidates should also have the option of opting out of automated resume reviews and profiling. Some lawyers are suggesting that candidates have the right for a human to evaluate their application and resume instead of a machine.
In summary, what needs to be done for tracking employee and candidate opt-ins? Between the different teams, the company will need to:
- Keep privacy policies up to date, with information on what data is collected, for what business purposes, and how long it is kept
- Make sure that the company knows which vendors have access to employee personal data and what data they have access to, verify those vendors are also compliant, and list them in the privacy policy stating how they will use the personal data they have in their possession. Update privacy policies if new vendors are added or if there is a business need to collect and process additional personal data
- Know who the employees and candidates are so they can review and sign the applicable policy, including any revisions
- Keep track of which policy was signed by whom (keeping in mind that they will need to accept any updated applicable policies)
- Show proof to any employee who asks that they did, indeed, sign the policy
- Show proof to outside regulators that employees sign privacy policies
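The opt-in tracking described in the list above comes down to three records: which policy versions were published, who accepted which version and when, and who still needs to accept the current one. The following is an added example (not Globig code, and not a description of any particular HR system) that identifies each policy version by a hash of its text, logs acceptances, and reports who must re-accept after a policy update. The names, policy texts and timestamps are constructed for illustration.

```python
"""Tracking privacy-policy opt-ins per policy version (added example, not Globig's code).

Each published policy version is identified by the hash of its text, every
acceptance records who accepted which version and when, and a query lists the
people whose latest acceptance is not for the current version and must re-accept.
Names, policy texts and timestamps below are constructed for illustration.
"""
import hashlib
from datetime import datetime, timezone


class ConsentLedger:
    def __init__(self):
        self.versions = []        # (version_id, audience, text, published_at)
        self.acceptances = []     # (person, audience, version_id, accepted_at)

    @staticmethod
    def version_id(text):
        # Hashing the policy text means any wording change yields a new version id.
        return hashlib.sha256(text.encode("utf-8")).hexdigest()[:12]

    def publish(self, audience, text, published_at):
        vid = self.version_id(text)
        self.versions.append((vid, audience, text, published_at))
        return vid

    def current_version(self, audience):
        for vid, aud, _, _ in reversed(self.versions):
            if aud == audience:
                return vid
        raise LookupError(f"no policy published for audience {audience!r}")

    def record_acceptance(self, person, audience, version_id, accepted_at):
        known = {v for v, aud, _, _ in self.versions if aud == audience}
        if version_id not in known:
            raise ValueError("acceptance refers to an unknown policy version")
        self.acceptances.append((person, audience, version_id, accepted_at))

    def latest_acceptance(self, person, audience):
        hits = [a for a in self.acceptances if a[0] == person and a[1] == audience]
        return max(hits, key=lambda a: a[3]) if hits else None

    def needs_reconsent(self, audience, people):
        """People whose latest acceptance is missing or predates the current version."""
        current = self.current_version(audience)
        pending = []
        for p in people:
            latest = self.latest_acceptance(p, audience)
            if latest is None or latest[2] != current:
                pending.append(p)
        return pending

    def proof_for(self, person, audience):
        """Evidence for a SAR or a regulator: which version this person accepted and when."""
        latest = self.latest_acceptance(person, audience)
        if latest is None:
            return None
        return {"person": person, "version": latest[2], "accepted_at": latest[3].isoformat()}


def demo():
    ledger = ConsentLedger()
    t0 = datetime(2018, 3, 1, tzinfo=timezone.utc)
    # Constructed policy texts; "employee" and "candidate" would be separate audiences.
    v1 = ledger.publish("employee", "Policy v1: payroll vendor X processes bank data.", t0)
    ledger.record_acceptance("alice", "employee", v1, t0.replace(day=2))
    ledger.record_acceptance("bob", "employee", v1, t0.replace(day=3))
    # The policy changes (a relocation vendor is added): new version, alice re-accepts, bob does not.
    v2 = ledger.publish("employee", "Policy v2: payroll vendor X and relocation vendor Y.",
                        t0.replace(month=4))
    ledger.record_acceptance("alice", "employee", v2, t0.replace(month=4, day=5))
    return ledger, v1, v2


if __name__ == "__main__":
    ledger, v1, v2 = demo()
    print("must re-accept:", ledger.needs_reconsent("employee", ["alice", "bob", "carol"]))
    print("proof for bob:", ledger.proof_for("bob", "employee"))
```

Because the version id is derived from the policy text, an acceptance record cannot silently be re-pointed at a later policy: a changed policy always produces a new id, and anyone whose latest acceptance carries the old id shows up in `needs_reconsent`.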
ACCESS TO DATA ON A NEED-TO-KNOW BASIS – Another key element of GDPR is the rule that people within the company (HR, for instance), can have access only to the data they need to do their jobs. For instance, payroll would need social security numbers, but recruiting would not. Relocation might need passport and visa numbers, but Benefits would not. And if an HR team member’s role changes, it’s possible their access to data will change, too. In that case, access must be updated.
If international employee information is kept in one big spreadsheet that all interested parties can access, that will have to be changed. And a series of smaller spreadsheets is also not the answer.
In summary, what needs to be done for tracking access to employee and candidate personal data? Between the different teams, the company will need to:
- Clearly define what data are being collected
- Clearly outline who on internal teams has access to which data points, in what circumstances they have access, and when and how that access is revoked
- Identify which vendors will have access to data, what data will they have, for how long, the specific business purpose, proof of secure data storage, and proof that the data is revoked once it’s no longer needed
- Maintain proof of how access is controlled, who had access to what data and when, and how that access is tied to privacy policy opt-ins
- As a corollary, document who does NOT have access to specific data, with proof that they do not
- Be able to show proof of data access procedures
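The need-to-know rule above (payroll sees tax identifiers, recruiting does not; a role change revokes the old access) and the proof requirements in the list both follow from one mechanism: field-level grants per role plus an append-only log of every read. The following is an added example, not Globig code and not any particular HR system's design; the role names, field names and the sample employee record are constructed for illustration.

```python
"""Need-to-know access to employee records (added example, not Globig's code).

Each HR role is granted only the fields it needs; every read is written to an
append-only audit log so the company can later show who saw what and when.
Role names, field names and the sample record are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Field-level grants per role (constructed; a real policy would be reviewed by HR and Legal).
ROLE_FIELDS = {
    "payroll":    {"employee_id", "name", "bank_account", "tax_id"},
    "recruiting": {"employee_id", "name", "email"},
    "relocation": {"employee_id", "name", "passport_number", "visa_number"},
    "benefits":   {"employee_id", "name", "date_of_birth"},
}

# Constructed sample record for one fictional employee.
SAMPLE_RECORD = {
    "employee_id": "E-1001",
    "name": "Example Person",
    "email": "example.person@example.com",
    "bank_account": "BANK-ACCOUNT-PLACEHOLDER",
    "tax_id": "TAX-ID-PLACEHOLDER",
    "passport_number": "PASSPORT-PLACEHOLDER",
    "visa_number": "VISA-PLACEHOLDER",
    "date_of_birth": "1990-01-01",
}


@dataclass
class AuditEntry:
    when: str
    actor: str
    roles: str
    employee_id: str
    fields_returned: tuple
    fields_denied: tuple


@dataclass
class AccessControl:
    """Assigns roles to users and filters records down to the fields a role may see."""
    assignments: dict = field(default_factory=dict)   # user -> set of roles
    audit_log: list = field(default_factory=list)

    def assign(self, user, role):
        if role not in ROLE_FIELDS:
            raise ValueError(f"unknown role {role!r}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        # Revocation is explicit, so a role change never silently keeps the old access.
        self.assignments.get(user, set()).discard(role)

    def allowed_fields(self, user):
        allowed = set()
        for role in self.assignments.get(user, ()):
            allowed |= ROLE_FIELDS[role]
        return allowed

    def read(self, user, record):
        """Return only the fields the user's roles permit, logging the access either way."""
        allowed = self.allowed_fields(user)
        if not allowed:
            self._log(user, record, (), tuple(sorted(record)))
            raise PermissionError(f"{user} holds no role with access to employee data")
        visible = {k: v for k, v in record.items() if k in allowed}
        denied = tuple(sorted(set(record) - allowed))
        self._log(user, record, tuple(sorted(visible)), denied)
        return visible

    def _log(self, user, record, returned, denied):
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            actor=user,
            roles=",".join(sorted(self.assignments.get(user, ()))),
            employee_id=record.get("employee_id", "?"),
            fields_returned=returned,
            fields_denied=denied,
        ))

    def users_without_access_to(self, field_name):
        """Evidence for the corollary: who does NOT have access to a given field."""
        return sorted(u for u in self.assignments if field_name not in self.allowed_fields(u))


def demo():
    ac = AccessControl()
    ac.assign("alice", "payroll")
    ac.assign("bob", "recruiting")
    payroll_view = ac.read("alice", SAMPLE_RECORD)
    recruiting_view = ac.read("bob", SAMPLE_RECORD)
    # Bob moves from recruiting to relocation: the old grant goes, the new one is added.
    ac.revoke("bob", "recruiting")
    ac.assign("bob", "relocation")
    relocation_view = ac.read("bob", SAMPLE_RECORD)
    return payroll_view, recruiting_view, relocation_view, ac


if __name__ == "__main__":
    p, r, rl, ac = demo()
    print(sorted(p), sorted(r), sorted(rl))
    for entry in ac.audit_log:
        print(entry)
```

The audit entry records both the fields returned and the fields withheld, so a later review can show not only that payroll saw the tax identifier but that recruiting was refused it, which is the "who does NOT have access" evidence the list asks for.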
DATA RETENTION FOR ONLY AS LONG AS IT IS NEEDED, or THE RIGHT OF ERASURE – Besides restrictions around who has access to the data, there is also a requirement that the data are removed as soon as they are no longer needed. Logistically speaking, this could get complicated – knowing what information has been collected, why it was collected, who has access to it, in what capacity they have access, who they may have shared it with, when it needs to be removed, what the local regulations are regarding data retention, and proof that it has been removed. And this applies to all affected employees, wherever they are.
In summary, what needs to be done regarding data retention? Between different teams, the company will need to:
- Define its data retention policies
- Track what data is being stored and its retention parameters
- Remove data when there is no longer a valid business or compliance need to hold it, including for outside vendors
- Verify that data have been removed
- Be able to show that data have been removed
Data security is at the heart of GDPR
While it is required that companies obtain permission to process employee private data in all the ways mentioned above, it is equally important that any data is secure from the moment it is obtained to the moment it is removed. What are some ways to do this?
- Keep employee data secure where it is stored. This could mean storage at top global providers in the EU with backup disk storage
- In storage, use double encryption: encrypt the data at the application layer with keys the company controls, on top of the provider’s own encryption at rest, so even the cloud provider can’t read the data
- Use pseudonymization, which means key identifying fields within a data record are replaced by one or more artificial identifiers – or pseudonyms – so the data is not associated with an identifiable data subject while in storage
- Employ multi-factor authentication for anyone with permission to access the data
- Use end-to-end encryption on all data transfers between user browsers and servers and for internal communications between backend services
- Require that any outside vendors processing employee data are also using the same level of security
- Keep track of all employee data activity with logs and alerts – be alerted to sensitive activities as they happen and pull reports for regular review
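Two of the items above, pseudonymization in storage and retention-driven removal with proof of removal (the data retention list earlier), fit together naturally: if the working data set holds only a pseudonym, then erasing a record means deleting the working record and the pseudonym's re-identification key, and the receipt kept afterwards need not contain personal data at all. The following is an added example, not Globig code and not a description of any particular product; the field names, purposes, retention periods and sample records are constructed for illustration, and in practice the pseudonym vault would be a separately secured system rather than an in-memory dictionary.

```python
"""Pseudonymization plus retention-driven erasure (added example, not Globig's code).

Identifying fields are swapped for a random pseudonym; the pseudonym -> identity
mapping lives in a separate store so the working data set is not attributable on
its own. Each record carries a purpose and a retention deadline; purging removes
the record and the mapping and produces an erasure receipt that can be shown later.
Field names, purposes, retention periods and records are constructed for illustration.
"""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

IDENTIFYING_FIELDS = ("name", "email", "passport_number")  # constructed list

# Constructed retention policy: purpose -> how long the data may be kept.
RETENTION = {
    "candidate_screening": timedelta(days=180),
    "payroll": timedelta(days=365 * 7),
}


class PseudonymVault:
    """Separate store for pseudonym -> identifying fields (the re-identification key)."""
    def __init__(self):
        self._map = {}

    def create(self, identity):
        token = "P-" + secrets.token_hex(8)   # random, so the pseudonym reveals nothing
        self._map[token] = dict(identity)
        return token

    def resolve(self, token):
        return self._map[token]

    def forget(self, token):
        return self._map.pop(token, None) is not None

    def knows(self, token):
        return token in self._map


class EmployeeDataStore:
    def __init__(self, vault):
        self.vault = vault
        self.records = {}            # pseudonym -> working record without identifying fields
        self.erasure_receipts = []

    def store(self, record, purpose, collected_at):
        if purpose not in RETENTION:
            raise ValueError(f"no retention rule for purpose {purpose!r}")
        identity = {k: record[k] for k in IDENTIFYING_FIELDS if k in record}
        token = self.vault.create(identity)
        working = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        working.update({"pseudonym": token, "purpose": purpose,
                        "delete_after": collected_at + RETENTION[purpose]})
        self.records[token] = working
        return token

    def purge_expired(self, now):
        """Erase records past their retention deadline; return erasure receipts."""
        receipts = []
        for token in [t for t, r in self.records.items() if r["delete_after"] <= now]:
            rec = self.records.pop(token)
            self.vault.forget(token)
            # The receipt holds a hash of pseudonym + purpose, not the data itself,
            # which is enough to show later that this record was erased and when.
            ref = hashlib.sha256(f"{token}:{rec['purpose']}".encode()).hexdigest()[:16]
            receipts.append({"erased_at": now.isoformat(), "purpose": rec["purpose"],
                             "record_ref": ref})
        self.erasure_receipts.extend(receipts)
        return receipts

    def verify_erased(self, token):
        """True only if neither the working record nor the re-identification key remains."""
        return token not in self.records and not self.vault.knows(token)


def demo():
    vault = PseudonymVault()
    store = EmployeeDataStore(vault)
    collected = datetime(2018, 1, 1, tzinfo=timezone.utc)
    # Constructed records: one unsuccessful candidate and one employee on payroll.
    cand = store.store({"name": "Candidate Example", "email": "cand@example.com",
                        "role_applied": "engineer"}, "candidate_screening", collected)
    emp = store.store({"name": "Employee Example", "email": "emp@example.com",
                       "passport_number": "PASSPORT-PLACEHOLDER", "salary_band": "B3"},
                      "payroll", collected)
    # 200 days later the candidate data is past its 180-day retention; payroll data is not.
    receipts = store.purge_expired(collected + timedelta(days=200))
    return store, cand, emp, receipts


if __name__ == "__main__":
    store, cand, emp, receipts = demo()
    print("working record:", store.records[emp])
    print("receipts:", receipts)
    print("candidate erased:", store.verify_erased(cand), "employee erased:", store.verify_erased(emp))
```

Note what `verify_erased` checks: removing the working record alone is not erasure if the vault still maps the pseudonym back to a name and email, so both sides must be gone before the company can say the data has been removed.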
Beyond GDPR – Many countries are following suit
In addition to the EU countries implementing GDPR, many other countries are also imposing stricter data privacy regulations. For instance, China is implementing its own set of rules, which are every bit as strict as the EU’s. In fact, since GDPR and other regulations around the world are so far-reaching, many companies will eventually treat all employee data in the same way as EU citizen data and protect it accordingly. It’s a lot simpler than setting up different systems for different employee groups.
Can’t this just be handled through a manual process?
We’ve heard from some companies who are planning to handle employee data protection manually. At first blush, this may appear like a viable solution, until you begin to think through all the phases of protection and requirements for proof of compliance. Factor in employees coming and going, multiple countries, people moving into new positions, the potential for SARs and providing proof to regulators, and it quickly becomes overwhelming.
Do you feel the weight of GDPR crushing your team’s productivity yet?
Manual processes are not the way to manage GDPR compliance. That’s why we’ve developed Globig+. The Globig+ platform takes the burden of manually managing GDPR and other employee data privacy regulations off your team’s shoulders and safely holds data in an end-to-end, fully encrypted and modularized database located on secure servers in the EU. With Globig+ you can:
- Easily present updated privacy policies and track opt-ins
- Create your own roles and permissions, decide who gets access to what information
- Assign, edit, track, and revoke roles and permissions
- Easily remove data when no longer needed – remove it from the system and automatically remove access to it for anyone who had it
- Quickly respond to SARs and show proof of compliance to regulators
Get out of spreadsheets and onto Globig. We’ll help you manage your GDPR compliance and save your teams from being crushed by it.
Want to learn more? We’re ready to help.