Corporate Compliance Insights

Don’t Overlook This Aspect of the GDPR

by Kevin Gibson
October 6, 2017
in Data Privacy, Featured

What Compliance Professionals Need to Know About Employee Data

The deadline for the General Data Protection Regulation (GDPR) is on the horizon, and a customer’s information is not the only thing that should be on a compliance practitioner’s radar. After all, the mishandling of an employee’s information can pose as much financial risk – therefore, it is important to understand the potential GDPR issues from extended rights and burden of proof to social media snafus and the need for defined policies.

Heads up: There’s more to the General Data Protection Regulation (GDPR) and GDPR compliance than meets the eye. That’s because the regulation — which takes effect on May 25, 2018 — doesn’t simply cover personally identifiable information (PII) belonging to the customers of corporate and government entities that are headquartered and/or do business in the European Union (EU). It also applies to employee PII. Note that the GDPR’s own term is “personal data,” which is broader than the U.S.-style notion of PII: it covers any information relating to an identified or identifiable individual, from telephone numbers to gender preferences, whether or not a single field identifies the person on its own.

Neglecting to address the employee PII aspect of the GDPR is not simply foolhardy; it puts organizations at risk for financial repercussions. EU authorities have a record of imposing penalties for noncompliance with new mandates, and of doing so soon after those mandates take effect. Their approach to the GDPR will be no exception. But just as significant, in today’s economic climate, PII is increasingly viewed as a valuable commodity and as individuals’ personal property. Employees and former employees want control over this property and will undoubtedly capitalize on the opportunities to gain it that the GDPR affords. Accordingly, it’s important to clarify key issues surrounding the GDPR and employee data.

Extended Rights

Fair Processing Notices: The GDPR grants extended data access and control rights to current and past employees, and it obliges employers to tell them up front how their data is handled. Employers must provide current and prospective employees with detailed fair processing notices that specify what personal data they collect, the legal basis for and purpose of each type of processing, who the data is shared with and how long they will retain it. These notices are owed proactively, at the point of collection, not only when an employee asks for them. Fair processing notices should also specify the rights of employees to access, data portability and erasure, as outlined below.

Rights of Access and Portability: Employees and former employees have the right to request a free copy of the personal data an entity holds about them, together with an explanation of why it is processed and with whom it is shared. The narrower right of portability lets them ask that data they themselves provided, and that is processed by automated means on the basis of consent or a contract, be handed to them or a third party in a machine-readable format (i.e., one that can be read by a computer, such as CSV or JSON rather than a scanned printout). Because much employment data is processed on legal bases other than consent, employers should expect the broader access right to be exercised far more often than portability.

Right of Erasure: Employers and former employers can be asked to remove or erase from their records any PII that is no longer necessary for the purpose it was collected for. For instance, an individual who leaves a company can request that his home address be stricken from the files. Individuals also have the right to request the removal or erasure of personal data when they object to its processing and when they withdraw consent to process it. The right is not absolute, however: an employer may decline to erase data it is legally required to retain (payroll and tax records, for example) or that it needs to establish or defend a legal claim, and it should document the ground for any such refusal.

Burden of Proof

Current employees typically make few data erasure requests, especially if they themselves have shared the information (for example, on a collaboration tool). Employees who are involved in litigation with a company or who are otherwise disgruntled — and likely no longer on the payroll — are more apt to do so, however.

Regardless of employees’ status, companies and governments are required to document and furnish proof that they have deleted data as requested. They must also ensure that any third party with which the information was shared (for example, a contractor) does the same.

Equal Treatment

Employers must be prepared to treat employee PII as they would customer PII. For all employers, this means performing an assessment to determine what employee PII they have, as well as where in their systems it is stored and to which areas of their operation it is related. The extent of such data and the scope of the assessment will vary, largely in accordance with the volume of communication among employees across one physical plant or multiple locations around the globe.

Some employee PII (e.g., structured data contained in HR systems and payroll records) is typically easy to find during assessments, because it sits in known fields of known databases. Unstructured data (e.g., PII mentioned in emails, wikis and web-based collaboration platforms) is more difficult to uncover, because it can appear anywhere in free text and is rarely labelled as personal data.

Regardless, knowing what PII exists within systems and its location is half the battle. Once this has been accomplished, it is possible for employers to determine the extent of their employee PII “problem” and address it appropriately rather than to underreact or overreact to it.

Social Media Snafus

Be it chatbots, platforms such as Facebook and Instagram or a combination thereof, almost all organizations use some form of social media to engage with existing and potential customers — and employees will share their PII there. Employee PII is also shared on internal social platforms such as Slack and, for the purpose of promoting a company or recruiting new employees, on LinkedIn and its ilk. Under the GDPR, organizations must, when requested, find and possibly delete this information — even if it resides in old systems they no longer use or in the archives of expired contact pages.

The breadth of such data is almost unfathomable; for example, it extends to personal information shared among colleagues in a casual conversation on an internal social platform. This makes awareness of precisely what PII an entity has in its possession and where that information is ever more critical.

Location, Location, Location

Locating employee PII — not deleting it — is the real burden of GDPR compliance. The volume of employee PII contributes to this burden. So, too, does the fact that the GDPR gives individuals the right to request that any entity at which they are or have been employed reveal exactly what information about them it maintains, where it maintains the information and how the information is used. The best approach here entails implementing a highly automated process (e.g., software tools) for locating employee PII and maintaining a map of its whereabouts. Such a step will allow employers to satisfy the burden of compliance at a reasonable cost.

Strategic management of employee PII also means deploying information management tools and/or engaging professionals to address GDPR compliance issues now — not just before the regulation goes into effect. Tackling the compliance challenge at the last minute will otherwise be difficult at best.
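The two operational burdens the article describes, locating an individual’s personal data across structured and unstructured sources (the “data map”) and producing evidence that an erasure request was honoured, can be sketched in code. The example below is an added illustration, not code from the article or from the author’s company; the HR records, wiki pages and chat messages are constructed sample data, and the source names, field names and receipt format are hypothetical. It seeds the search of unstructured text with the identifiers found in the structured HR system, which is how a discovery tool finds the casual mentions the article warns about, and then hashes the list of locations that were erased so the record can later be shown to be unaltered.

```python
"""Added example: build a map of where a data subject's personal data lives,
then produce an erasure receipt. All sample data below is constructed."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample sources (hypothetical names and fields, not real people).
HR_RECORDS = [
    {"employee_id": "E1001", "name": "Ana Ruiz", "email": "ana.ruiz@example.com", "phone": "+34 600 111 222"},
    {"employee_id": "E1002", "name": "Tom Baker", "email": "tom.baker@example.com", "phone": "+44 7700 900123"},
]
WIKI_PAGES = {
    "onboarding/contacts": "Ask Ana Ruiz (ana.ruiz@example.com) about laptop setup.",
    "eng/oncall": "Pager for Tom: +44 7700 900123. Escalate to Ana if no answer.",
}
CHAT_LOG = [
    {"channel": "#general", "ts": "2017-09-01T09:12:00Z", "text": "Welcome Tom! DM me at tom.baker@example.com"},
    {"channel": "#random", "ts": "2017-09-02T14:03:00Z", "text": "Lunch anyone?"},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+\d[\d ]{7,}\d")  # international numbers with optional spaces


def canon(value: str) -> str:
    """Canonical key so the same identifier matches across sources regardless of
    letter case or phone spacing ('+44 7700 900123' and '+447700900123' collide)."""
    v = value.strip()
    if "@" in v:
        return v.lower()
    digits = re.sub(r"\D", "", v)
    return "+" + digits if v.startswith("+") and digits else v.lower()


def scan_structured(records, source):
    """Structured data: every known field of every row is a hit."""
    hits = []
    for i, rec in enumerate(records):
        for field in ("name", "email", "phone"):
            if rec.get(field):
                hits.append((canon(rec[field]), {"source": source, "locator": f"row={i}", "field": field}))
    return hits


def scan_unstructured(text, source, locator, known_names):
    """Free text: regex for emails and phones, plus a search for names taken from the
    structured system (the HR record seeds the hunt through wikis and chat)."""
    hits = []
    for m in EMAIL_RE.finditer(text):
        hits.append((canon(m.group()), {"source": source, "locator": locator, "field": "email"}))
    for m in PHONE_RE.finditer(text):
        hits.append((canon(m.group()), {"source": source, "locator": locator, "field": "phone"}))
    lowered = text.lower()
    for name in known_names:
        if name.lower() in lowered:
            hits.append((canon(name), {"source": source, "locator": locator, "field": "name"}))
    return hits


def build_data_map(hr_records, wiki_pages, chat_log):
    """Identifier -> list of locations where it appears across all sources."""
    data_map = {}

    def add(hits):
        for key, loc in hits:
            data_map.setdefault(key, []).append(loc)

    add(scan_structured(hr_records, "hr_db"))
    names = [r["name"] for r in hr_records if r.get("name")]
    for page, text in wiki_pages.items():
        add(scan_unstructured(text, "wiki", f"page={page}", names))
    for msg in chat_log:
        add(scan_unstructured(msg["text"], "chat", f"{msg['channel']}@{msg['ts']}", names))
    return data_map


def subject_locations(data_map, hr_record):
    """Every location holding one subject's data, seeded from their HR record; de-duplicated."""
    keys = {canon(hr_record[f]) for f in ("name", "email", "phone") if hr_record.get(f)}
    seen, out = set(), []
    for key in sorted(keys):
        for loc in data_map.get(key, []):
            sig = tuple(sorted(loc.items()))
            if sig not in seen:
                seen.add(sig)
                out.append(loc)
    return out


def erasure_receipt(subject_id, locations, erased_at=None):
    """Evidence for an erasure request: subject, time, how many locations were cleared, and a
    SHA-256 digest of the canonical location list so the receipt can be shown to be unaltered."""
    erased_at = erased_at or datetime.now(timezone.utc).isoformat()
    payload = json.dumps({"subject": subject_id, "locations": locations}, sort_keys=True)
    return {"subject": subject_id, "erased_at": erased_at, "location_count": len(locations),
            "digest": hashlib.sha256(payload.encode()).hexdigest()}


if __name__ == "__main__":
    data_map = build_data_map(HR_RECORDS, WIKI_PAGES, CHAT_LOG)
    tom = subject_locations(data_map, HR_RECORDS[1])
    print(json.dumps(tom, indent=2))
    print(erasure_receipt(HR_RECORDS[1]["employee_id"], tom))
```

The name search is deliberately conservative (full name only), so "Tom" on its own in the on-call page is not flagged; the phone number on that page is what ties it back to the employee. In a real deployment the regexes and name list would be replaced by the discovery tool’s own classifiers, and the receipt would be written to an append-only store rather than printed.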

Pervasive Policies

Employers need defined policies that govern how and where PII is shared and by whom, particularly on social media. These policies should be pervasive, applying organizationwide to reduce the risk of noncompliance with the GDPR. Large companies may find that they have no single set of information governance policies, and — again to minimize noncompliance risks — should put uniform policies in place.

The GDPR will continue to pose challenges for organizations to which it applies. However, common sense and mindfulness of the issues discussed here will go a long way toward facilitating compliance and minimizing risk.


Tags: GDPR, Personally Identifiable Information (PII)
Kevin Gibson

Kevin Gibson is CEO & Chairman of Hanzo. Hanzo provides legally defensible collection, preservation and analysis of web and social media content for Global 2000 companies in the cloud, on premise or on demand.
