There are still many questions that people ask regarding the General Data Protection Regulation (GDPR), which will be enforced soon. This article looks into the question “Does the GDPR apply to employee-related data?”
The quick answer to this question is yes. The GDPR gives employee data the same protection as client or customer data. Hence, organizations that are updating their systems to comply with the GDPR must also include the systems that process internal staff or employee data. Employees’ rights to request copies of their information are also the same as those of clients and customers. Organizations that mismanage employee data could be penalized just as they would be for violating the rules on managing the data of clients or customers.
The Human Resources (HR) Department needs a strong working knowledge of the GDPR, considering that it handles the majority of the data related to employees. The changes may mean adding extra steps to seemingly simple administrative tasks, such as requesting authorization to process an employee’s personal data, especially information that is not work related.
In the past, consent to process the employee’s personal data could easily be made a part of the employment contract. But this is no longer the case with the GDPR in force. Article 7 of the GDPR no longer allows processing of an individual’s personal data as part of signing a contract. Consent to process employee personal data must now be requested separately. The request must be made clearly distinguishable from other matters. While HR has a legitimate cause to process certain data related to employment, the employee must clearly understand which data it is and how HR can and cannot process it. The employee must also freely give his consent to use his data. Under the GDPR, if the giving of consent is conditional on the fulfillment of a contract, then the consent may be deemed not freely given and therefore invalid.
HR should clearly identify the personal data it processes and the reason for processing it. An audit will help identify employee information that HR is keeping and that is not directly related to employment. The employee should give his consent for HR to keep that information before the GDPR is imposed. Otherwise, HR must delete the data. The audit can also help identify obsolete or erroneous information. The GDPR requires organizations to keep data up to date. Reasonable steps should be taken to ensure that inaccurate personal data is rectified or deleted.
HR should implement the necessary technical and IT protections to prevent unauthorized access to employee data. Data must not be accidentally or unlawfully destroyed, altered, lost, stored, disclosed, transmitted or otherwise processed.
If HR violates any of the rules discussed, it could mean a GDPR violation, which in turn results in fines and sanctions.