
Frequently Asked Questions (FAQ): GDPR and HR/Employee Data


As I wrote in another post, HR records are considered personal data and covered under the General Data Protection Regulation (GDPR). Since I keep on hearing from people who should know better that it’s not, I have good reason to take up this subject again and get into more details.

The key point is that HR/employee data — payroll, reviews, identification numbers, travel expenses, and more — fall under GDPR requirements for data security and privacy.

Employers take note: not only do you have to protect employee data as if it were customer data, but you also have to respond to employee-based data subject access requests (DSARs), both for review of records and even for deletion of some of this data!

Since this is a somewhat complex topic with a twisty subplot, the best way to cover it is through a conversational-style FAQ post.

Under the GDPR, companies must gain consent from consumers to collect their data. Does an employer have to ask employees for their consent as well?

Great question! And this is where it gets tricky. Yes, the employer does have to gain employee consent for HR data. However, in most cases the employee is not giving consent freely to the employer, because of the unequal relationship between the two. Yes, the GDPR sets a high bar for consent — see article 7 (“Conditions for consent”).

To address this problem, the GDPR gives employers other options for obtaining the data. The full list is in article 6 (“Lawfulness of processing”), but the two options most employers will focus on are: (6b) processing is necessary for performance of a contract, or (6f) processing is necessary for “legitimate interests” of a business.

Once upon a time, Sara Jodka, labor attorney for Dickinson Wright, reminded us in an interview that employees, outside of trade unions, generally work “at will” without a contract, and that leaves “legitimate interest” as the most reasonable basis for companies to collect employee data under the GDPR.

That makes sense. Employers need employee data because it’s necessary for running a business, and the GDPR allows this exemption from consent. Seems easy.

Not so fast. There’s more work.

Since the employer is taking the data without consent, under the legitimate interest exemption, the employer then has to show the following: that the data serves a purpose, that any processing involved is necessary to achieve that purpose, and that the use of the data is balanced against the privacy rights of the employee. The ICO, the data protection authority (DPA) for the UK, has a good rundown of the process employers will go through to show their legitimate interest.

But there’s still more.

Because of the sensitive nature of employee data, a Data Protection Impact Assessment (DPIA) is triggered. This can be a difficult process (unless you have the right software).

I thought DPIAs had to do with sensitive data, like video and biometric and DNA. I didn’t think employee records counted.

Well, employee records contain sensitive data as defined by the GDPR. But that’s still not enough! The regulators came up with a test: if processing involves at least two elements of a nine-element list of criteria (shown in the graphic below), then a DPIA is required.

Employers can check off both sensitive data and vulnerable data subjects, because of the power imbalance. This means that most companies that fall under the GDPR will have to conduct a DPIA for employee data!

A DPIA is triggered when GDPR personal data falls under two or more of these categories. (Source: Dickinson Wright)

They may need to conduct DPIAs for other reasons based on the consumer data they’re collecting, but at a minimum they’ll have to implement it for their employees. You can learn more about when a DPIA is required in this wonky guidance document from the GDPR regulators.

What does a DPIA entail?

It makes sense to just excerpt Article 35 (“Data protection impact assessment”), and then I’ll explain the meaning in plain English:

DPIA for HR data requires a formal assessment of risks and the risk mitigation steps to be taken.

This is the fine print for the GDPR’s risk assessment and management process. In short: look at the security and privacy risks in processing this data, and then manage and mitigate the risk. And to help you along, the regulators have come up with this wondrous graphic:

The endless DPIA cycle. (Source: Article 29 Working Party)

If you’ve been paying attention, this should be very old hat. The graphic shows that assessments are a continual process of identifying and managing risk. And while companies should be doing something close to this for all important data, the GDPR says companies effectively have to implement DPIAs for employee data.

Just the fact that you have employees means you have to conduct a DPIA! Once the HR data is collected, it also falls under GDPR data protection rules, right?

It most certainly does! The obvious requirement — and the one that is generally cited by DPAs in their enforcement actions — is article 32 (“Security of Processing”). That’s the one that starts off with “shall implement appropriate technical and organisational measures to ensure a level of security.”

Just as companies under GDPR have to put in place security controls for consumer data, they’ll also have to do the same for HR data — including authentication, limiting access, auditing of user and system activities, monitoring for threats, incident response, and breach notification. In case there’s still any question, companies would have to report a breach of employee personal data under articles 33 and 34.

Does HR data, like consumer personal data, have retention limits?

As discussed in article 5 (“Principles relating to processing of personal data”), personal data can’t be kept longer “than is necessary for the purposes for which the personal data are processed.” That’s as close as GDPR gets to talking about a limit to storing or retaining personal data. Most companies will have their own data retention policies based on business needs.

Because HR records contain personal data, the “necessary for the purposes” language applies to them as well. For HR data in particular, local laws can play a factor in setting limits, and there will likely be different retention periods for pay records, taxes, maternal/paternal leave, and salary actions.

Under the GDPR, consumers have privacy rights as well. Does that mean that an employee can request to see their HR data?

Indeed. An employee can make a data subject access request (DSAR). The employer is required to respond, as with any access request, “without undue delay” and within one month. Employers can refuse the request if it is “manifestly unfounded” or “excessive”.

As attorneys have noticed, there’s wiggle room in this language, and we’ll have to wait for more guidance from the regulators. For example, can a summary of HR data meet the requirement when there’s too much information to collect and analyze? Maybe!

In any case, employees can request to see their annual reviews, salary actions, promotion history, email exchanges with HR, computer access logs, along with the basic personal data, such as phone numbers, contact names, and addresses.

The employer does have the right, though, to redact third-party information if it’s contained within the requested records. In short: an employee can’t see every email communication, say, where her name comes up.

And can employees exercise their “right to be forgotten”?

This may surprise employers, but the answer is a qualified yes.

Under article 17 (“Right to erasure/right to be forgotten”), there are several conditions under which erasure requests can be made. Employees will be able to delete specific data when they withdraw consent or when the processing is “no longer necessary in relation to the purposes for which they were collected.” As with DSARs in general, an erasure of HR data will have to be completed in one month.

Obviously, employers have some power to deny these requests, because they can broadly claim the data may have current business purposes. Still, attorneys have shown there are real-world examples where a GDPR erasure request would have to be carried out. Here are a few obvious scenarios:

  • An employee enrolls in a benefits program that requires data to be collected, but subsequently withdraws.
  • During the hiring process, the employer may have requested credit checks or other financial history that was only used for verification purposes.
  • As part of a promotion process, data was collected about an employee (accomplishments, comments from other managers), but the promotion subsequently went to another employee.
  • Without consent, an employee was enrolled in an employer health program in which data was collected and processed related to their sick days, lateness, and other PTO days.

In all these situations, the employer would be forced to honor the deletion requests. The key point is that the GDPR gives employees more control over their data than previously, and employers have to be in the position to comply with legitimate employee data requests.

Ah! I just envisioned a situation where the employer doesn’t honor a DSAR and an employee then files a complaint with a DPA. Is that possible?

Now you’re thinking. Yes, the employee can file complaints directly with the local regulators.

GDPR attorneys realize there’s a potential for a raft of employee-driven complaints. If you’ve read our recent post about GDPR fines, these complaints would fall under the higher 4% tier of fines. And for companies that have had past GDPR violations, these employee complaints may be looked at in a different light and lead to significant fines.

This brings up a very important point, and a good way to end this FAQ. Employees can not only file complaints about their own privacy violations, but if they notice security lapses within the company, they can file a data protection complaint with the DPA!

I don’t want to broadly paint employees as “insider threats” with their power to report on IT security lapses. But under the GDPR, both employees and customers act more like unofficial IT auditors.

If an employee spots bad file security practices, say one hundred thousand customer records in a folder with “Everyone” permission, or a customer notices a web quirk that allows her to view another customer’s bank records, then both can report the possible violations to a DPA.
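The “Everyone” folder permission just mentioned is something an IT team can find before an employee or a regulator does. The following PowerShell script is an added example, not code from the original post or from Varonis: it walks a share, reads each folder’s ACL with Get-Acl, and reports every Allow entry granted to the built-in Everyone principal (well-known SID S-1-1-0), along with a rough count of files exposed. The share path and report location are placeholder values.

```powershell
# Added example: report folders whose ACL grants "Everyone" any Allow rights.
# $Root and $Report are placeholders; point them at the share you are auditing.
$Root   = 'D:\Shares\Customers'
$Report = "$env:TEMP\everyone-acl-report.csv"

# S-1-1-0 is the well-known SID for "Everyone" in every locale, so match on the
# SID rather than on the (localized) account name.
$EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

$findings = Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $folder = $_
        $acl = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue
        if ($null -eq $acl) { return }   # no rights to read this ACL; skip it

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Resolve the ACE identity to a SID; skip entries that cannot be resolved.
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch {
                continue
            }

            if ($sid -eq $EveryoneSid) {
                [pscustomobject]@{
                    Path      = $folder.FullName
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    # Rough exposure signal: files directly inside the folder
                    FileCount = (Get-ChildItem -Path $folder.FullName -File -ErrorAction SilentlyContinue |
                                 Measure-Object).Count
                }
            }
        }
    }

$findings | Sort-Object FileCount -Descending | Export-Csv -Path $Report -NoTypeInformation
"$(@($findings).Count) folder(s) grant Everyone an Allow ACE; details written to $Report"
```

The script only reads ACLs; fixing a finding (replacing the Everyone entry with a specific group) is a separate, reviewed change. Sorting by file count puts the folders most like the “one hundred thousand customer records” case at the top of the report, and the Inherited column tells you whether the entry was set on that folder or flowed down from a parent.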

Bottom line: Companies that fall under the GDPR are facing a new reality in which their data security and privacy violations can be reported by both knowledgeable insiders and sharp-eyed outsiders!

Andy Green

Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what it means for IT security.
