Make data available to employees; be transparent and accountable
PHOENIX—Employers that do business in the European Union (EU) or have employees who are EU residents need to comply with the General Data Protection Regulation (GDPR), which takes effect May 25. Employees will be requesting copies of their employee data, and these businesses need to be transparent and accountable, according to Grant Petersen, an attorney with Ogletree Deakins in Tampa, speaking at the firm's Workplace Strategies conference on May 11.
Passed as hacking increases worldwide, the GDPR regulates how covered employers may gather, store and use sensitive employee data. Fines for noncompliance are steep: 20 million euros or 4 percent of worldwide revenue, whichever is higher, noted Hendrik Muschal, an attorney with Ogletree Deakins in Berlin.
The GDPR applies to EU residents, not citizens, Petersen emphasized, saying there's no grace period—employers must be in compliance as of May 25. He noted that if U.S. employers recruit from the EU, they also are covered.
Ireland's Data Protection Commissioner Helen Dixon will oversee the pan-EU operations of companies, making her one of the world's most powerful regulators under the GDPR, according to the Financial Times. Dixon understands that many employers are not yet compliant, Petersen said, but, he added, she has said regulators will be looking particularly closely at employees' right to obtain copies of their data, as well as employers' transparency and accountability.
1. Prepare for Employees to Obtain Copies of Data
EU employees have the right under the GDPR to know what data companies hold about them and to obtain copies of that data. They also may have the data corrected, completed or erased where necessary, Petersen noted. That may extend to inaccurate facts in performance reviews, but not to the reviewer's opinions, he said.
Employees want to know why they weren't given a raise, weren't promoted or were fired, he said, and after the GDPR takes effect they will request their data for clues even more often. Employers must provide the information within one month of the request. In theory, a worker could ask to see every e-mail he or she has ever sent. The employer may ask what specifically the employee is seeking and for what time frame, but the breadth of the access right gives employers an incentive not to keep data they don't need, he said.
Employers must comply not only with the GDPR but also with the stricter data rules that individual EU member states (28 countries at present) have adopted, Petersen noted.
In addition, businesses must comply with each country's labor laws, which carry different data retention requirements. He said that some of these laws require the immediate deletion of employee data, while others specify that pay rate records must be kept permanently.
Agreements with works councils must be satisfied as well, Muschal noted.
Works councils will be on the lookout to see if the GDPR, country labor laws and works councils agreements are being met, Petersen observed. So will terminated employees, who are likely to bring privacy actions in the EU, he predicted.
2. Be Transparent
Transparency means more than just notices on websites about GDPR for the public. It also includes separate notices for employees and additional notices for applicants, Petersen said.
He said that the notice to employees should specify what data the employer is collecting about them, including diversity and health information. It should explain:
3. Be Accountable
HR needs to have processes and documentation in place to prove GDPR compliance. Consent from employees generally won't work, Petersen said.
Instead, there must be another lawful basis for holding employees' data, such as that gathering it is necessary to:
While a U.S. legal obligation, such as gathering gender and race data, isn't a legal obligation under EU law, it might qualify as a legitimate interest, he suggested. Petersen said that employers will rely to a large extent on the legitimate-interest justification, but that reliance should be well-documented.