Does the General Data Protection Regulation (GDPR) apply to the data of employees in the same way it applies to the data of clients and customers? The short answer is yes. Under the GDPR, employee data receives the same protection as client or customer data: an employee is a "data subject" like anyone else. When designing GDPR-compliant systems, organizations must not forget to review and, where necessary, change the systems that handle the personal data of their own staff.
Employees have the same rights as clients and customers, including the right of access (Article 15), under which they can request a copy of the personal data the organization holds about them, together with the rights to rectification and erasure. Organizations can be penalized for mismanaging employee data just as they would be for mishandling the data of people outside the organization.
What Should Human Resources Do?
Since the Human Resources (HR) department retains and processes most of the data associated with employees, HR staff must understand the GDPR and how it affects their day-to-day work. Seemingly routine administrative tasks may now require extra steps, for instance establishing a lawful basis before processing an employee's personal data, in particular data that is not directly related to their job.
In the past, a blanket permission to process personal data was often written into the employment contract. Under the GDPR this no longer works. Consent cannot be treated as given simply because an employee signed an employment contract that also contained a consent clause. Article 7(2) of the GDPR requires that, where consent is given in a written declaration that also concerns other matters, "the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language."
Organizations have a valid basis for processing data that is genuinely necessary for the employment relationship (payroll, tax reporting, contractual obligations), but HR must be transparent about exactly what this data is and how it is processed. For any other personal data, consent needs to be obtained, and that consent must be freely given. Article 7(4) makes clear that if the conclusion of a contract is made conditional on consent to processing that is not necessary for that contract, the consent is not considered freely given and is therefore not valid. Recital 43 adds a caveat that matters particularly in employment: where there is a clear imbalance of power between the data subject and the controller, consent is unlikely to be a valid basis at all, so HR should treat consent as the exception rather than the default for employee data.
Employees should be told what data HR processes and why. HR must keep a record of the personal data it processes and the purposes for each category. A data audit helps determine whether the data being kept is directly related to organizational functions; data without a lawful basis must either have one established or be deleted. The audit also surfaces stale or incorrect records. Article 5(1)(d) requires that personal data be "accurate and, where necessary, kept up to date" and that "every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay."
In addition to proper administrative procedures, HR should make sure that appropriate technical and organizational controls are in place to protect employee data from unauthorized access, as Article 32 (security of processing) requires. Systems must be reviewed to ensure that data cannot be accidentally or unlawfully altered, lost, disclosed, accessed, transmitted, stored or otherwise processed in a way that goes beyond the purposes and lawful basis communicated to employees. In practice this means access to HR records restricted to the staff who need it, access logged, and retention periods enforced so that data is actually deleted when its purpose ends.
Failure to apply the GDPR to employee data carries the same consequences as any other violation: under Article 83, administrative fines can reach EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.