What Compliance Professionals Need to Know About Employee Data
The deadline for the General Data Protection Regulation (GDPR) is on the horizon, and a customer’s information is not the only thing that should be on a compliance practitioner’s radar. After all, the mishandling of an employee’s information can pose as much financial risk – therefore, it is important to understand the potential GDPR issues from extended rights and burden of proof to social media snafus and the need for defined policies.
Heads up: There’s more to the General Data Protection Regulation (GDPR) and GDPR compliance than meets the eye. That’s because the regulation — which takes effect on May 25, 2018 — doesn’t simply cover personally identifiable information (PII) belonging to the customers of corporate and government entities that are headquartered and/or do business in the European Union (EU). It also applies to employee PII which, as with customer PII, encompasses everything from telephone numbers to gender preferences.
Neglecting to address the employee PII aspect of the GDPR is not simply foolhardy; it puts organizations at risk of financial repercussions. EU authorities have a record of imposing penalties for noncompliance with mandates, and of doing so soon after those mandates take effect. Their approach to the GDPR will be no exception. Just as significant, in today’s economic climate, PII is increasingly viewed as a valuable commodity and as individuals’ personal property. Employees and former employees want control over this property and will undoubtedly capitalize on the opportunities the GDPR affords them to gain it. Accordingly, it’s important to clarify key issues surrounding the GDPR and employee data.
Right to Request Fair Processing Notices: The GDPR grants extended data access and control rights to current and past employees. Employers must provide current and prospective employees with detailed fair processing notices that specify what personal data they collect, as well as how they process each type of data, what they will do with it and how long they will maintain it. Fair processing notices should also specify the rights of employees to data portability/access and erasure, as outlined below.
Right of Portability: Employees and former employees have the right to request that a free copy of any of their PII in an entity’s files be provided to them or a third party. The document must be machine-readable (i.e., in a format that can be read by a computer).
Right of Erasure: Employers and former employers can be asked to remove or erase from their records any PII that is no longer necessary. For instance, an individual who leaves a company can request that his address be stricken from the files. Individuals also have the right to request the removal or erasure of personal data when they object to its processing and when they withdraw consent to process it.
Burden of Proof
Current employees typically make few data erasure requests, especially if they themselves have shared the information (for example, on a collaboration tool). Employees who are involved in litigation with a company or who are otherwise disgruntled — and likely no longer on the payroll — are more apt to do so, however.
Regardless of employees’ status, companies and governments are required to document and furnish proof that they have deleted data as requested. They must also ensure that any third party with which the information was shared (for example, a contractor) does the same.
Employers must be prepared to treat employee PII as they would customer PII. For all employers, this means performing an assessment to determine what employee PII they have, as well as where in their systems it is stored and to which areas of their operation it is related. The extent of such data and the scope of the assessment will vary, largely in accordance with the volume of communication among employees across one physical plant or multiple locations around the globe.
Some employee PII (e.g., structured data contained in employee and payroll records and emails) is typically easy to find during assessments. Unstructured data (e.g., PII shared via Wikis and web-based collaboration platforms) may be more difficult to uncover.
Regardless, knowing what PII exists within systems and where it is located is half the battle. Once this has been accomplished, employers can determine the extent of their employee PII “problem” and address it appropriately, rather than underreact or overreact to it.
Social Media Snafus
Be it chatbots, platforms such as Facebook and Instagram or a combination thereof, almost all organizations use some form of social media to engage with existing and potential customers — and employees will share their PII there. Employee PII is also shared on internal social platforms such as Slack and, for the purpose of promoting a company or recruiting new employees, on LinkedIn and its ilk. Under the GDPR, organizations must, when requested, find and possibly delete this information — even if it resides in old systems they no longer use or in the archives of expired contact pages.
The breadth of such data is almost unfathomable; for example, it extends to personal information shared among colleagues in a casual conversation on an internal social platform. This makes awareness of precisely what PII an entity has in its possession and where that information is ever more critical.
Location, Location, Location
Locating employee PII — not deleting it — is the real burden of GDPR compliance. The volume of employee PII contributes to this burden. So, too, does the fact that the GDPR gives individuals the right to request that any entity at which they are or have been employed reveal exactly what information about them it maintains, where it maintains the information and how the information is used. The best approach here entails implementing a highly automated process (e.g., software tools) for locating employee PII and maintaining a map of its whereabouts. Such a step will allow employers to satisfy the burden of compliance at a reasonable cost.
Strategic management of employee PII also means deploying information management tools and/or engaging professionals to address GDPR compliance issues now, rather than just before the regulation takes effect. Otherwise, meeting the compliance challenge will be difficult at best.
Employers need defined policies that govern how and where PII is shared and by whom, particularly on social media. These policies should be pervasive, applying organization-wide to reduce the risk of noncompliance with the GDPR. Large companies may find that they have no single set of information governance policies and, again to minimize noncompliance risks, should put uniform policies in place.
The GDPR will continue to pose challenges for organizations to which it applies. However, common sense and mindfulness of the issues discussed here will go a long way toward facilitating compliance and minimizing risk.