The GDPR became law of the land across Europe one month ago. Data collection and flow analyses have been conducted; data processing agreements put in place; and of course, updated privacy policies have been distributed.
So, can employers forget about privacy for a while?
If only! The GDPR is not one deadline. Instead, it and its corollary legislation are the new normal, with ongoing compliance obligations. If you have employees in Europe, the EEA (Norway, Iceland, Liechtenstein) or Switzerland, you must ensure the privacy of your workers is incorporated into all data handling and employee monitoring.
Remember that the way the GDPR defines personal data is exceptionally broad. It includes “
Here are some areas where employers overlook transparency and accountability obligations and really cannot afford to given the newly increased scrutiny from employees and authorities:
During the hiring process with applicant / candidate tracking systems
Applicants submit data before they become employees and receive employee notices. Applicants should receive their own comprehensive candidate notice from the employer on the company’s job portal or wherever candidates submit their data for the first time. Don’t assume your ATS vendor has taken care of this for you.
These are usually conducted before the individual receives an employee privacy notice and the specific rules vary greatly by country. Again, don’t assume your vendor has taken care of this for you.
Non-employees should not get employee-style notices. They are entitled to the same transparency, but their notices should make no mention of payroll, benefits, etc.
Compliance or ethics hotlines
If you haven’t yet, the time is right to update your global ethics hotline for compliance with not only new privacy law but compliance and anti-corruption law changes.
Acceptable Use Policies, IT Security Policies and BYOD or mobile devices policies
European employees have an expectation of privacy in their use of the employer’s systems which cannot simply be waived or negated. APAC and other employees have different expectations. Global policies very likely require update.
Any marketing initiatives, voluntary activities (e.g. product testing) or employee surveys
Especially those concerning sensitive topics like diversity and inclusion or those that use employee photo images, require comprehensive advance disclosures about the intended uses of the information collected, etc. which cannot be adequately addressed in general employee notices.
More Tips for Employers
Records of processing for HR processes
Training programs for data handlers including HR and IT professionals
Brief and easy to access incident response plan to be used in case of security breach or data loss, distributed to all employees
Understand the role of HR data in M&A and restructurings.
The spotlight on privacy rights and obligations is finally catching the attention of deal-makers with the implementation of GDPR. New or existing notices may or may not be appropriate depending on the circumstances. Data transfer agreements are always necessary before data is shared with a prospective buyer or bidder (or any party that is not the direct local employing entity). There is still no general right to share worker data with a third-party for “business reasons.”
Now that you have a handle on the GDPR, consider moving on to address the rest of the world (particularly APAC) while the issues are still fresh in your mind.