GDPR: Consent and Lawful Basis for Processing Employee Data
With so much attention being paid to the privacy and protection of customers’ personal data, it can be easy to think of employee and applicant information as having less importance.
However, the GDPR does not apply more lenient rules to these categories than to the personal data of a covered business's customers. Employees are often the source of complaints raised directly with companies, as well as with regulators.
Financial penalties are just as real a risk for companies found to be in violation of the GDPR in their handling of employee data.
But, despite the fact that the GDPR has been in force since May 2018, many businesses remain unsure of how the law affects HR activities.
In this article, we take a look at the legality of processing employee data, transparency, data breaches and accountability, as well as individuals' rights and data protection.
First, Peter Borner, President and CEO of The Data Privacy Group, answers a question that is still being asked by some employers, almost 18 months after the GDPR came into force:
Do we need to obtain consent to store and process employees’ personal data?
Moving on to the broader aspects of handling HR-related data, there are eight key points to check when evaluating
Rights of Individuals
Lawful Basis for Processing
Data Protection by Design
Sharing and Transferring Personal Data
1) Rights of Individuals
It is vital that HR personnel are familiar with the legal rights afforded to employees, applicants and contractors under the GDPR. HR teams should be trained to recognize and deal with individual requests within the strict time frames set out in the GDPR. The following steps should be taken:
Provide procedural guidance and training on how to recognize and respond to individual data protection requests.
Collaborate with IT personnel to conduct system testing and ensure that processes are in place to respond appropriately to individuals’ rights, both at a practical and technical level.
Set official data retention time frames for specific categories of HR data and schedule data archiving/deletion processes in accordance with these time frames.
2) Transparency
Individuals engaged by the company, whether they are employees, job applicants, contractors or interns, must be provided with detailed, granular and accessible information that describes how their personal information is used. Typically, this will be contained within a Privacy Notice, which should be made available to individuals at the commencement of the relationship.
GDPR compliance steps should include:
Review, and where necessary, update employee and applicant-related privacy notices to meet detailed information requirements.
Implement procedures to ensure privacy notices are provided at the appropriate time, kept up to date with new processing activities, and version-control records are maintained.
3) Lawful Basis for Processing
A “lawful basis for processing” must be established for each identified HR purpose, based on at least one of the strictly prescribed legal grounds provided in the GDPR. Employee consent should not be relied upon, since such consent is a) unlikely to be regarded as freely given, because of the imbalance of power between employer and employee, b) hard to prove, and c) an unattractive option, given that the employee’s right to withdraw consent at any time must be honoured, including when the employment relationship ends.
An alternative lawful basis will usually be required instead, such as performance of the employment contract, compliance with a legal obligation (for example payroll and tax reporting), or the company’s legitimate interests. At a minimum, businesses should:
Conduct an audit and allocate a specific lawful basis for processing to each HR data processing activity and purpose. This should include processes that involve special categories of personal data, such as health, trade-union membership or biometric data, which additionally require one of the conditions set out in Article 9 of the GDPR.
Ensure that GDPR-compliant legal grounds are documented within privacy notices.
Update all policy and contractual documents, particularly contracts of employment, making sure that all references to “employee consent” as the legal basis for processing are removed.
4) Data Protection By Design
Covered businesses are required to demonstrate "data protection by design and by default" within their internal systems, so that collecting the minimum amount of data, and retaining it for the shortest necessary period, is built into all HR functions.
The following combination of technical, organizational and practical undertakings can help to achieve this:
Provide clear guidance, plus a reporting structure to evaluate the necessity and scope of all HR data processes.
Establish strict HR data retention limits and liaise with IT personnel to ensure implementation on a technical level. (This should also be applied to data shared with vendors).
Consider whether the company needs to appoint a formal Data Protection Officer (DPO). Appointment is mandatory where the company's core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data. The GDPR states that the appointed DPO must be allowed to act independently and must not be dismissed or penalised for performing their data protection duties. The DPO can be an existing employee, provided that their existing role does not conflict with their DPO duties.
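The retention limits called for in 1) and 4) above only count if something actually enforces them and leaves evidence that it did. The following Python sweep is an added illustration, not code from the article or from The Data Privacy Group: the per-category retention periods, the record fields and the sample records are all hypothetical, and the real schedule must come from the company's documented retention policy. The design points it shows are that an undocumented category is treated as an error rather than "keep forever" (no retention period means no documented purpose), that a legal hold overrides expiry without being lost, and that every decision is written to an audit trail.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule, in days after the trigger date, per HR data
# category. The periods are placeholders chosen for illustration; the real
# schedule must come from the company's documented retention policy.
RETENTION_DAYS = {
    "applicant_unsuccessful": 180,  # trigger: date the applicant was rejected
    "payroll": 6 * 365,             # trigger: end of the tax year concerned
    "sickness_absence": 3 * 365,    # trigger: end of the absence
    "employee_file": 6 * 365,       # trigger: leaving date
}


@dataclass(frozen=True)
class HRRecord:
    record_id: str
    category: str
    trigger_date: date        # date the retention clock starts
    legal_hold: bool = False  # e.g. subject of a tribunal claim or open request


def expiry_date(record):
    """Date after which the record may no longer be kept for its purpose.

    An undocumented category is an error rather than 'keep forever': if nobody
    has assigned a retention period, nobody has documented a purpose either.
    """
    try:
        days = RETENTION_DAYS[record.category]
    except KeyError:
        raise ValueError(f"no retention period defined for {record.category!r}")
    return record.trigger_date + timedelta(days=days)


def retention_action(record, today):
    """Return the action to take today: 'keep', 'hold' or 'delete'."""
    expired = today > expiry_date(record)
    if expired and record.legal_hold:
        return "hold"  # past its period but must be preserved; review the hold
    return "delete" if expired else "keep"


def run_retention_sweep(records, today):
    """Classify every record and return an audit trail of the decisions.

    The deletion job acts on the 'delete' entries; the whole list is retained
    as the documented evidence that the schedule is actually being enforced.
    """
    audit = []
    for rec in records:
        audit.append({
            "record_id": rec.record_id,
            "category": rec.category,
            "expires": expiry_date(rec).isoformat(),
            "action": retention_action(rec, today),
            "checked_on": today.isoformat(),
        })
    return audit


# Constructed sample records for demonstration (hypothetical identifiers/dates).
SAMPLE_RECORDS = [
    HRRecord("A-1001", "applicant_unsuccessful", date(2019, 1, 15)),
    HRRecord("A-1002", "applicant_unsuccessful", date(2019, 9, 1)),
    HRRecord("E-2001", "employee_file", date(2012, 6, 30)),
    HRRecord("E-2002", "employee_file", date(2012, 6, 30), legal_hold=True),
    HRRecord("P-3001", "payroll", date(2018, 4, 5)),
]
SWEEP_DATE = date(2019, 11, 1)  # constructed "today" for the sample run


def sample_sweep():
    """Run the sweep over the constructed sample on the fixed sweep date."""
    return run_retention_sweep(SAMPLE_RECORDS, SWEEP_DATE)


if __name__ == "__main__":
    for entry in sample_sweep():
        print(entry)
```

In practice the sweep would be scheduled (for example nightly) against the HR database and the vendor copies noted in 4) above, with the audit list written somewhere the DPO can produce it on request; the 'hold' entries should be reviewed rather than silently kept, since a legal hold that is never lifted becomes indefinite retention.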
5) Sharing and Transferring Personal Data
There are some cases where employee data needs to be shared with external service providers, such as companies that provide cloud computing platforms, HR database applications, management of employee benefits, or for payroll processing.
In such situations, businesses will need to put contractual arrangements in place with each vendor, containing the processor terms required by Article 28 of the GDPR, to ensure that GDPR-compliant data processing practices are adhered to.
The following essential steps should be followed:
Conduct regular audits of the flow of personal data between the company and external service providers, whether those recipients are data controllers or data processors, and implement enhanced data sharing agreements.
Map the flows of HR personal data to external vendors and update service contracts to reflect any new requirements.
Strengthen any formal on-boarding process for vendors to include both privacy classification and vetting assessments, to ensure they can comply with their data privacy and protection obligations in practice. Regular reviews should be scheduled.
Currently there are no fundamental changes to the transfer of personal data across borders under the GDPR. However, companies that are re-evaluating their data sharing arrangements as described above would do well to consider the continued adequacy of their international data transfer procedures, such as Standard Contractual Clauses (SCCs).
A particular focus should be on:
Mapping international flows of HR data, keeping in mind that simply accessing information remotely from outside the EEA constitutes a “transfer” according to the GDPR.
Ensuring that whenever personal information is transferred outside the European Economic Area (EEA), each recipient, whether a group entity or external third party, is covered by a valid data transfer mechanism.
Maintaining a record of the recipients of personal data and the related transfers, which can be disclosed to individuals upon request.
6) Data Breaches
Data breaches have been the cause of disastrous consequences for businesses around the world long before the GDPR came along. But, new data protection laws have dramatically increased the price that unfortunate companies pay, when such an event occurs.
Businesses are now required to deploy robust defences against data loss, and implement action plans to quickly detect, contain, mitigate and respond to security breaches in line with a formal data privacy and protection policy, and to report such incidents to the competent supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk, the affected individuals must also be informed.
It is therefore vital that HR personnel are made fully aware that the term "data breach" is not limited to a malicious cyber-attack, or the misplacement of paper-based personnel files. Security breaches are often triggered by innocent employee actions, e.g. sending an email containing sensitive personal data to the wrong recipient.
Increasingly, data breaches stem from “phishing scams” whereby cyber-criminals masquerade as a trusted individual, organization or other respected entity. Their primary objective is to trick their target into disclosing confidential information such as login credentials, bank account or credit card details and personally identifiable information.
Unfortunately, data breaches are inevitable in our connected world. However, it is at least possible to reduce the risk of a data breach by taking the following steps:
Work with IT personnel to implement a clear (and well-rehearsed) security breach procedure. This helps to mitigate a data breach quickly and to report the incident to the supervisory authority within the required 72-hour period.
Ensure that HR systems and functions are adequately covered by appropriate technical and organizational security protections.
Adopt a need-to-know (least privilege) policy for access to HR data repositories, and review who holds that access regularly. Apply strong encryption to all data in motion and, wherever practicable, to data at rest (laptops and removable media are a common source of HR data loss).
Provide regular guidance and training for all staff members who manage personal data.
Test and re-evaluate security measures periodically, much as fire drills do, to test the company’s ability to respond to different scenarios.
7) Be Accountable
It is impossible to have a passive attitude when it comes to GDPR compliance. Every department within the company needs to demonstrate compliance with data privacy and protection regulations, particularly the HR department, since it deals with the personal, and potentially sensitive, data of the individuals who make up the workforce of the business.
HR personnel should therefore work towards a high level of GDPR compliance by implementing strong data protection policies and effective training, and conduct regular audits and reviews of these policies and training sessions.
Overall, companies should:
Maintain comprehensive records of all data processing activities, as required by Article 30 of the GDPR.
Implement/update employee-related policies and training, including all relevant IT procedures.
Ensure that internal procedures and controls are subject to regular review and testing. Results and remedial measures should be fully documented.
NOTE: This article is provided for information purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experienced data privacy/data protection practitioner when preparing for compliance with data protection and privacy legislation.