European Union’s New Data Privacy Law Becomes Effective May 25th. Are You Prepared? - American Society of Employers - Anthony Kaylin


On May 25, 2018, the European Union’s (EU’s) General Data Protection Regulation (GDPR) goes into effect. This new regulation expands provisions for data collection, retention, and access rights for European-based employees and is much more restrictive than what came before. The GDPR was initially adopted in April 2016, and the regulation and directive were published at that time. It replaces the 1995 data protection directive. The following is a brief discussion of the directive.

Employee data may cover current, former, or prospective EU employees as well as interns and volunteers. It may come from assorted places and be processed in less traditional contexts. It may be located in the cloud, the U.S., or elsewhere outside the EU.

Planning for compliance with these rules requires employers to ask the following basic questions:

· What categories of EU employee data are processed?

· Where does it come from?

· In what context and where is it processed and maintained?

· Who has access to it?

· Are the uses and disclosures being made of that information permitted?

· What rights do EU employees have with respect to that information?

This data can be found in a number of usual HR systems, from HRIS to applicant tracking systems to benefit systems to internal employee directories, and in unusual locations such as customer relationship management (CRM) software, IT security tools, and other types of software.

Consider, for example, the use of a travel app that allows employees to book travel, conferences, and other reservations. This data may contain personally identifiable information, from room preferences to food preferences to event types to automobile data, etc.

Or consider the more innocuous. If the talent management or training portal uses video presentations featuring internal trainers, these videos may contain employee personal data: the trainer’s image and perhaps work contact information.

What is the definition of personal data under the regulations? Under the regulations, personal data is defined as:

“any information relating to an identified or identifiable” EU employee. Identifiable simply means the employee can be “identified directly or indirectly… by reference to an identifier… or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”

This data would include “name, address, driver’s license number, date of birth, passport number, vehicle registration plate number, phone number, photos, email address, id card, workplace or school, and financial account numbers. Moreover, it also includes gender, personnel reports (including objective and subjective statements), recruitment data, job title and position, work address and phone number, salary information, health and sickness records, monitoring and appraisals, criminal records, rent, retirement or severance data, and online identifiers such as dynamic IP addresses, metadata, social media accounts and posts, cookie identifiers, radio frequency tags, location data, mobile device IDs, web traffic surveillance that identifies the machine and its user, and CCTV images.” This list seems daunting for employers.

Special categories of employee data (i.e., racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning an employee’s health, sex life, or sexual orientation, and biometric and genetic data) require heightened levels of protection under the GDPR. If the employer is using recruiting tools to identify candidates, such as bots that collect data on the candidate or algorithms that identify successful candidates on the web, the employer has to ensure that the data is secured.

The full text of the GDPR has 99 articles regarding the rights of individuals and the obligations placed on employers covered by the regulation. These include allowing people easier access to the data employers hold concerning them, a new fines regime, and a clear responsibility for employers to obtain the consent of the people they collect information about. Therefore, if a U.S. employer has a presence in Europe, HR should work with legal counsel to ensure compliance with the GDPR.


Source: Jackson Lewis 1/10/17, Wired, Allen & Overy 2/17
