KNEPPELHOUT & KORTHALS: 9 Ways the GDPR will Impact HR Data & Analytics10/20/2017
Privacy is hot. 81% of people analytics projects are jeopardized by ethics and privacy concerns. This number will only increase if companies do not comply to the new European privacy regulation, the General Data Protection Regulation (GDPR) which will be enforceable from 25 May 2018 onward.
This article will look at the formation and developments of the GDPR and give insight into the three most important privacy changes for employers. We will conclude with 9 practical tips on how HR analytics departments can prepare for the GDPR.
The purpose of the GDPR is to further harmonize a higher level of protection of personal data. This impacts the processing of personal data within businesses – especially HR data.
The GDPR constitutes major consequences for employment law as an employer processes the data of its employees (and potential employees) on a large scale. In addition, an employer may process employee data with regard to the work environment – for instance, data from cameras or employees’ internet behavior. In short, it is important for employers to know what to expect and how to deal with these regulations.
The formation of the GDPR
The European Commission has been working on amending the privacy regulation since January 2012, in order to make it fit for the digital era. The GDPR harmonizes the different privacy rules across the union. The result is a high level of EU-wide protection which will have direct effect.
This legislative process took a couple of years and it wasn’t until the end of 2015 that Member States reached an agreement on the main principles. In April 2016, the final version of the GDPR was published, which will be enforceable from 25 May 2018 (including in the UK)
Consequences of GDPR in the workplace
The GDPR contains a substantial number of ‘new’ standards and rules, the most important changes being:
- Additional rights for employees
- Data Protection Impact Assessment
- Data Protection Officer
We will briefly discuss these three topics below.
Employees will acquire a number of additional rights to reinforce control over their own personal data. For example, the right of access has been extended. This gives the employee the right to be informed about:
- How long the employer aims to keep the data;
- whether the data will be used for automated decision-making,
- whether the employer intends to transfer the data abroad, and if so,
- which safeguards will be provided in that context.
This puts extra responsibility on anyone working with personnel data.
Furthermore, the employer must inform the employee about the right to rectification and the right to lodge a complaint with a supervisory authority.
An individual employee also has a right to erasure. This provides, under specific circumstances, the right to be forgotten. The practical application is that employers need to provide clarity about the purpose the data is used for (see tip #9 below).
The Data Protection Impact Assessment (DPIA) is a way of analyzing potential privacy risks.
A DPIA should be carried out when the processing of personal data will most likely result in a high risk to the rights and freedom of the employee. A DPIA is therefore not always mandatory!
After assessing the risks, an organization must take measures to mitigate these risks.
A DPIA is mandatory in the following situations:
- Profiling: when a systematic and extensive assessment is made of personal aspects relating to natural persons, based on which decisions must be made that could have legal consequences for those natural persons.
- Data processing: when large-scale processing of special personal data is carried out;
- Monitoring efforts: when publicly accessible spaces are monitored systematically and on a large scale.
Besides the above-mentioned situations, there are no examples given in the GDPR of processing that is likely to entail high-privacy risks and thus require a DPIA.
For further, more detailed specifications of when a DPIA should be carried out, click here.
Under the GDPR, it is mandatory for certain controllers and processors to designate a Data Protection Officer (DPO). The controller is the owner of the data and determines who can process it. The processor is the body which processes personal data on behalf of the controller. This includes third parties that do data analysis on your HR data.
The GDPR requires the designation of a DPO in three specific cases:
- Where the processing is carried out by a public authority or body.
- Where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale.
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
In practice, this means that almost all large organizations have a Data Protection Officer. Whenever you work on an HR analytics project, make sure to involve your DPO!
This is also important, because being involved is part of the DPO’s job. His duties are, in particular:
Collecting information to identify processing activities;
Analyze and check the compliance of processing activities; and
Inform, advise and issue recommendations to the controller or the processor.
Even when the GDPR does not specifically require the appointment of a DPO, organizations may sometimes find it useful to designate a DPO on a voluntary basis.
9 Ways how the EU’s GDPR will Impact HR Analytics
So how does the GDPR apply to HR analytics? We listed 9 tips below:
The GDPR has a tangible impact on the analysis of HR data so make sure that everyone on the HR analytics team is up to date with the latest privacy rules.
2. Involve the Data Protection Officer
Your Data Protection Officer is a key stakeholder in any analytics project. He must estimate the impact of the GDPR on the organization’s current processes. When projects are not compliant with the GDPR or other data protection laws, the DPO will interfere. Make sure to involve him early on so you will avoid making costly mistakes.
3. Rights of data subjects
People whose personal data will be processed will acquire more and improved privacy rights under the GDPR. Be prepared for this so that you can respond correctly to requests and in a timely fashion. These rights include existing rights, such as the right of access and the right to rectification and erasure.
Also take new rights into consideration, such as the right to data portability. For this right, you must make sure that data subjects have easy access to their data and can pass these on to another organization if they so wish.
4. Processing lists
Under the GDPR, you are subject to accountability, which implies that you must be able to demonstrate that your organization acts in accordance with the GDPR. For example, when employees ask you to correct or erase their data, you must communicate this to the external organizations with which you shared their data. This may impact some – if not all – of your HR software providers
It is therefore important to keep a list of
which data you process,
for which purpose data is processed,
where you got the data from, and
with whom you shared data.
5.Data treatment security for third-party companies
When other organizations process your HR data, additional security requirements apply.
It is compulsory to agree with the data processor on a data processing agreement, which is in compliance with the requirements set in the GDPR, with data processors.
If a processor is established outside the European Economic Area, stricter requirements may apply.
A processor must always be able to apply state-of-the-art security measures.
The data processor should be certified in conformity with ISO27001/2 standards or other, similar standards. These should be defined in the data processing agreement.
6. Privacy by design
Familiarize your organization with the GDPR’s obligatory basic principles of “Privacy by design & privacy by default” and check how you can introduce these principles in your organization. “Privacy by design” means ensuring personal data protection from the onset of designing your products and services.
7. Privacy by default
“Privacy by default” means you must take technical and organizational measures to ensure that, by default, you only process the personal data that’s necessary for the specific purpose you wish to accomplish.
8. Lead supervisory authority
Does your organization have several business locations in different EU Member States? Or does your data processing have an impact in several Member States? Then, under the GDPR you will only need to cooperate with one privacy supervisory authority. This is referred to as the lead supervisory authority. If this applies to your organization, determine which privacy supervisory authority you would be subject to.
If there’s no employment relationship you need the data subject’s free and unequivocal consent to process its data. In addition, data can only be processed when it’s in line with the reason for collecting the data. Make sure that the use of employee data processing is clearly defined in the employment contract.
The GDPR has strengthened the requirements for consent. Therefore, you should evaluate the way in which you ask for, obtain and register consent, and adjust your approach if necessary.
A new rule is that you must be able to prove that you were given valid consent by the data subjects for processing their personal data and that it must be just easy for them to withdraw their consent.
It is important to note that an employee’s consent, given his subordinate position with respect to the employer, is not automatically considered to be free and unequivocal. For some data processing, such as monitoring employees’ health through wearables, free consent is not even possible! Once again, consult your DPO when you implement such technologies.
The implementation of the GDPR is in full swing. The WP29 guidelines, such as have now been published, can still be supplemented by the Member States so that the regulations are as far as possible in line with the market. It is therefore essential to follow the developments closely and – when you’re unsure about the implementation – to receive professional advice.
Arnold Birkhoff is partner at Kneppelhout & Korthals Lawyers. He is specialized in privacy and heads Kneppelhout & Korthals’ Labour Law team.