

[Podcast] Attorney Sara Jodka on the GDPR and HR Data, Part II

Compliance & Regulation



In the second part of my interview with Dickinson Wright’s Sara Jodka, we go deeper into some of the consequences of processing internal employee data. Under the GDPR, companies will likely have to take an additional step before they can process this data: employers will have to perform a Data Protection Impact Assessment (DPIA).

As Sara explained in the first podcast, internal employee data is covered by the GDPR, and all of the new law’s requirements still apply to it. This means conducting a DPIA when dealing with certain classes of data, which, as we’ll learn in the podcast, includes HR data. A DPIA involves analyzing the data that’s being processed, assessing the risks involved, and putting in place the security measures needed to protect the data.

Last April, the EU regulators released guidance on the DPIA, covering more of the details of what triggers this extra work. Legal wonks can review the nine criteria the regulators use to decide when a DPIA is required. Because HR data processing touches on two of those triggers, vulnerable data subjects (employees) and sensitive data (HR records), it crosses the threshold set by the regulators.

Listen to Sara explain it all, and if you’re still not satisfied, have your in-house counsel review the regulators’ legalese contained in the EU guidance.

Andy Green

Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what they mean for IT security.

