The GDPR became law of the land across Europe one month ago. Data collection and flow analyses have been conducted; data processing agreements put in place; and of course, updated privacy policies have been distributed.
So, can employers forget about privacy for a while?
If only! The GDPR is not one deadline. Instead, it and its corollary legislation are the new normal, with ongoing compliance obligations. If you have employees in Europe, the EEA (Norway, Iceland, Liechtenstein) or Switzerland, you must ensure the privacy of your workers is incorporated into all data handling and employee monitoring.
Remember that the way the GDPR defines personal data is exceptionally broad. It includes “any information relating to an identified or identifiable” EU employee. This could include a host of information that is commonly collected and maintained by employers, including contact information, salary and benefits, badge data, photos, and video and surveillance footage, among other things.
Here are some areas where employers overlook transparency and accountability obligations and really cannot afford to given the newly increased scrutiny from employees and authorities:
| Area | Obligation |
|---|---|
| During the hiring process with applicant / candidate tracking systems | Applicants submit data before they become employees and receive employee notices. Applicants should receive their own comprehensive candidate notice from the employer on the company’s job portal or wherever candidates submit their data for the first time. Don’t assume your ATS vendor has taken care of this for you. |
| Background checks | These are usually conducted before the individual receives an employee privacy notice, and the specific rules vary greatly by country. Again, don’t assume your vendor has taken care of this for you. |
| Contractors/contingent workers | Non-employees should not receive employee-style notices. They are entitled to the same transparency, but their notices should not mention payroll, benefits, etc. |
| Compliance or ethics hotlines | If you haven’t yet, the time is right to update your global ethics hotline for compliance not only with new privacy law but also with compliance and anti-corruption law changes. |
| Acceptable Use Policies, IT Security Policies and BYOD or mobile device policies | European employees have an expectation of privacy in their use of the employer’s systems which cannot simply be waived or negated. APAC and other employees have different expectations. Global policies very likely require updating. |
| Any marketing initiatives, voluntary activities (e.g. product testing) or employee surveys | These require comprehensive advance disclosures about the intended uses of the information collected, which cannot be adequately addressed in general employee notices. This applies especially to those concerning sensitive topics like diversity and inclusion, or those that use employee photos. |
More Tips for Employers
- Remember: privacy notices are not enough! The notice requirement is only one of several requirements of GDPR compliance. Don’t forget employers must also implement and maintain:
  - Local law compliant record retention policies and schedules for employee records
  - Records of processing for HR processes
  - Data Protection Impact Assessments for certain “high risk” HR activities
  - Training programs for data handlers including HR and IT professionals
  - Procedures for “Data Subject Access Requests”, including from candidates, current and former workers
  - A brief and easy to access incident response plan to be used in case of security breach or data loss, distributed to all employees
- Understand the role of HR data in M&A and restructurings.
  - The spotlight on privacy rights and obligations is finally catching the attention of deal-makers with the implementation of the GDPR. New or existing notices may or may not be appropriate depending on the circumstances. Data transfer agreements are always necessary before data is shared with a prospective buyer or bidder (or any party that is not the direct local employing entity). There is still no general right to share worker data with a third party for “business reasons.”
  - Bottom line: employees and parties on the opposite side of a corporate transaction are much more tuned into privacy-related issues as a result of the GDPR. Risk mitigation steps must be incorporated into transaction planning in order to avoid delays and unpleasant surprises.
- Don’t forget other regions!
  - Privacy laws (often modeled after the European framework) now exist in nearly all commercially significant countries and are coming online in some unexpected places.
  - Now that you have a handle on the GDPR, consider moving on to address the rest of the world (particularly APAC) while the issues are still fresh in your mind.
Reach out to your Baker McKenzie employment lawyer for assistance with privacy compliance.