This article is part of the series "[Podcast] Attorney Sarah Jodka on the GDPR and HR Data". Check out the rest:
Leave a review for our podcast & we'll send you a pack of infosec cards.
In the second part of my interview with Dickinson Wright’s Sara Jodka, we go deeper into some of the consequences of internal employee data. Under the GDPR, companies will likely have to take an additional step before they can process this data: employers will have to perform a Data Protection Impact Assessment (DPIA).
As Sara explained in the first podcast, internal employee data is covered by the GDPR — all of the new law’s requirements still apply. This means conducting a DPIA when dealing with certain classes of data, which as we’ll learn in the podcast, includes HR data. DPIAs involve analyzing the data that’s being processed, assessing the risks involved, and putting in place the security measures to protect the data.
Last April, the EU regulators released a guidance on the DPIA, covering more of the details of what triggers this extra work. Legal wonks can review and learn about the nine criterion related to launching a DPIA. Because HR data processing touches on two of the triggers — vulnerable subjects (employees) and sensitive data (HR) — it crosses the threshold set by the regulators.
Listen to Sara explain it all, and if you’re still not satisfied, have your in-house counsel review the regulator’s legalese contained in the EU guidance.