3 GDPR Compliance Steps Explained

Make data available to employees; be transparent and accountable

By Allen Smith, J.D. May 15, 2018
LIKE SAVE

PHOENIX—Employers doing business in the European Union (EU) or who have employees who are EU residents need to comply with the Global Data Protection Regulation (GDPR), which takes effect May 25. Employees will be requesting copies of their employee data, and these businesses need to be transparent and accountable, according to Grant Petersen, an attorney with Ogletree Deakins Tampa at the firm's Workplace Strategies conference on May 11.

As hacking increases worldwide, the GDPR was passed to regulate how covered employers can gather, store and use sensitive employee data. Fines for noncompliance are steep: 20 million Euros or 4 percent of worldwide revenue, whichever is higher, noted Hendrik Muschal, an attorney with Ogletree Deakins in Berlin.

The GDPR applies to EU residents, not citizens, Petersen emphasized, saying there's no grace period—employers must be in compliance as of May 25. He noted that if U.S. employers recruit from the EU, they also are covered.

Ireland's Data Protection Commissioner Helen Dixon will oversee the pan-EU operations of companies, making her one of the world's most powerful regulators under the GDPR, according to the Financial Times. Dixon understands that many employers are not yet compliant, Petersen said, but, he added, she has said regulators will be looking particularly closely at employees' right to obtain copies of their data, as well as employers' transparency and accountability.

1. Prepare for Employees to Obtain Copies of Data

EU employees have the right under the GDPR to know what data companies have about them and make copies of the data. They also may correct, complete or erase the data, if necessary, Petersen noted. That may even include inaccurate facts, but not personal opinions, in performance reviews, he said.

Employees want to know why they weren't given a raise, weren't promoted or were fired, he said, and they'll be requesting their data even more after the GDPR takes effect for clues. Employers must provide the information to the employees within a month of their request. Theoretically, the workers could say they want to see every e-mail they've ever sent. While the employer can ask what specifically the employee is seeking and for a time frame, the broad data access requirement provides employers with an incentive not to keep the data, he said.

Employers must not only comply with the GDPR but the stricter requirements for data in the EU's 28 different countries, Petersen noted.

In addition, businesses must comply with the countries' labor laws, which have different data retention requirements. He said that some of these laws require the immediate deletion of employee data, while others specify that pay rate records must be kept permanently.

Agreements with works councils must be satisfied as well, Muschal noted.

Works councils will be on the lookout to see if the GDPR, country labor laws and works councils agreements are being met, Petersen observed. So will terminated employees, who are likely to bring privacy actions in the EU, he predicted.

[SHRM members-only Express Request: EU GDPR]

2. Be transparent.

Transparency means more than just notices on websites about GDPR for the public. It also includes separate notices for employees and additional notices for applicants, Petersen said.

He said that the notice to employees should specify what data the employer is collecting about them, including diversity and health information. It should explain:

  • Why the data is being collected.
  • How long the data will be retained.
  • How employees can go about getting the data they want to see.

3. Be accountable.

HR needs to have processes and documentation in place to prove GDPR compliance. Consent from employees generally won't work, Petersen said.

Instead, there must be another justification for having employee's data, such as that the gathering of it is necessary to:

  • Enter into a contract.
  • Fulfill a legal obligation in the EU.
  • Protect a legitimate interest that outweighs the privacy rights of employees.

While a U.S. legal obligation, such as gathering gender and race data, isn't an EU legal obligation, it might be a legitimate interest, he suggested. Petersen said that employers will rely to a large extent on the legitimate-interest justification but said it should be well-documented. 

Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.

 


LIKE SAVE

Job Finder

Find an HR Job Near You
Post a Job

SPONSOR OFFERS

Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect