This article is part of the series "[Podcast] Attorney Sarah Jodka on the GDPR and HR Data". Check out the rest:
Leave a review for our podcast & we'll send you a pack of infosec cards.
In this first part of my interview with Dickinson Wright attorney Sara Jodka, we start a discussion of how the EU General Data Protection Regulation (GDPR) treats employee data. Surprisingly, this turns out to be a tricky area of the new law. I can sum up my talk with her, which is based heavily on Jodka’s very readable legal article on this overlooked topic, as follows: darnit, employees are people too!
It may come as a surprise to some that the GDPR protects all “natural persons” in the EU. Employees, even non-citizen EU employees, are all completely natural, organic people under the GDPR. Their name, address, payroll, personal contacts, and in particular, sensitive ethnic or health data fall under the GDPR. So IT security groups will need to have all the standard GDPR security policies and procedures in place for employee data files — for example, minimize access to authorized users, set retention limits, and detect breaches.
The tricky part comes in getting “freely given” consent from employees. Listen to the podcast to learn how most EU employers will need to claim “legitimate interest” as away to process employee data without explicit consent. This will lead to some additional administrative overhead for employers, who will have to prove their interests override the employees’ privacy and notify employees of what’s being done to the data.
As we’ll learn in the second part of the podcast, because employee data often contains sensitive data as well, employers will also have to conduct a Data Protection Impact Assessment (DPIA), which will require even more work.
Bottom line: US service-based companies in the EU — financial, legal, professional services — who thought they escaped from the GDPR’s reach because they didn’t collect consumer data are very much mistaken.
Sara explains it all.