This article is part of the series "[Podcast] Attorney Sarah Jodka on the GDPR and HR Data". Check out the rest:
In reviewing the transcript of my interview with Sara Jodka, I realize again how much great information she freely dispensed. Thanks Sara! The employee-employer relationship under the GDPR is a confusing area. It might be helpful to clarify a few points Sara made in our conversation about the legitimate interest exception to consent, and the threshold for Data Protection Impact Assessments (DPIAs).
The core problem is that to process personal data under the GDPR you need to have freely-given consent. If you can’t get that, you have a few other options, which are covered in the GDPR’s Article 6. For employees, consent can not be given freely, and so employers will most likely need to rely on “legitimate interest” exception referred to in that article.
There’s a little bit of paperwork required to prove that the employer’s interest overrides the employee’s rights. In addition, employers will have to notify the employees as to what data is being processed. Sara refers to the ICO, the UK’s data protection authority, and they have an informal guidance, which is worth reading, on the legitimate interest process.
Since the data collected by the employer is also from a vulnerable subject (the employee) and contains a special class of sensitive personal data (health, payroll, union membership, etc.), it meets the threshold set by GDPR regulators — see this guidance — for performing a DPIA. As we know, DPIAs require companies to conduct a formal risk analysis of their data and document it.
Sara reminds us that some US companies, particularly service-oriented firms, may be surprised to learn about the additional work they’ll need to undertake in order to comply with the GDPR. In short: employees, like consumers, are under the new EU law.
Inside Out Security: Sara Jodka is an attorney with Dickenson Wright in Columbus, Ohio. Her practice covers data privacy and cyber security issues. Sara has guided businesses through compliance matters involving HIPPA, Gramm-Leach-Bliley, FERPA, and COPPA, and most importantly for this podcast, certification under the US-EU Privacy Shield, which, of course, falls under the General Data Protection Regulation or GDPR.
A lot of abbreviations there! Welcome, Sara.
Sara Jodka: Thank you for having me.
IOS: I wanted to get into an article that you had posted on your law firm’s blog. It points out an interesting subcategory of GDPR personal data which doesn’t get a lot of attention, and that is employee HR records. You know, of course it’s going to include ethnic, payroll, 401(k), and other information.
So can you tell us, at a high level, how the GDPR treats employee data held by companies?
Employee Data Covered By the GDPR
SJ: Whenever we look at GDPR, there are 99 articles, and they’re very broad. There’s not a lot of detail on the GDPR regulations themselves. In fact, we only have one that actually carves employment data out, and that’s Article 88 — there’s one in and of itself.
Whenever we’re looking at it, none of the articles say that all of these people have these rights. All these individuals have rights! None of them say, “Well, these don’t apply in an employment situation.” So we don’t have any exclusions!
We’re led to “Yes, they do apply.” And so we’ve been waiting on, and we have been working with guidances that we’re receiving, you know, from the ICO, with respect to …. consent obligation, notice obligation, portability requirements, and any employee context. Because it is going to be a different type of relationship than the consumer relationship!
IOS: It’s kind of interesting that people, I think, or businesses, probably are not aware of this … except those who are in the HR business.
So I think there’s an interesting group of US companies that would find themselves under these GDPR rules that probably would not have initially thought they were in this category because they don’t collect consumer data. I’m thinking of law firms, investment banking, engineering, professional companies.
US Professional Service Companies Beware!
SJ: I think that’s a very good point! In fact, that’s where a lot of my work is actually coming from. A lot of the GDPR compliance is coming from EU firms that specialize with EU privacy. But a lot of U.S. companies didn’t realize that this is going to cover their employment aspects that they had with EU employees that are in the EU!
They thought, “Well, because we don’t actually have a physical location EU, it doesn’t actually cover us.” That’s not actually at all true.
The GDPR covers people that are working in the EU, people who reside in the EU, so to the extent that U.S. company has employees that are working in the EU it is going to cover that type of employee data. And there’s no exception in the GDPR around it. So it’s going to include those employees.
IOS: So I hadn’t even thought about that. So their records would be covered under the GDPR?
SJ: Yeah, the one thing about the definition of a data subject under the GDPR is it doesn’t identify that it has to be an EU resident or it has to be an EU citizen. It’s just someone in the EU.
When you’re there, you have these certain rights that are guaranteed. And that will cover employees that are working for U.S. companies but they’re working in the EU.
IOS: Right. And I’m thinking perhaps of a U.S. citizens who come there for some assignment, and maybe working out of the office, they would be covered under these rules.
SJ: And that’s definitely a possibility, and that’s one thing that we’ve been looking for. We’ve been looking for looking for guidance from the ICO to determine … the scope of what this is going to look not only in an employment situation, but we’re dealing with an immigration situation, somebody on a work visa, and also in the context of schools as we are having, you know, different students coming over to the United States or going abroad. And what protection then the GDPR applies to those kind of in-transition relationships, those employees or students.
With a lot of my clients, we are trying to err on the side of caution and so do things ahead of time, rather than beg forgiveness if the authorities come knocking at our door.
GDPR’s Legitimate Interest Exception is Tricky
IOS: I agree that’s probably a better policy, and that’s something we recommend in dealing with any of these compliance standards.
In that article, you mentioned that the processing of HR records has additional protections under the GDPR … An employee has to give explicit or consent freely and not as part of an employer-employee contract.
Can you explain this? And then, what does an employer have to do to process employee data especially HR data?
SJ: Well, when we’re looking at the reasons that we’re allowed to process data, we can do it by consent, and we can also do it if we have a lawful basis.
A number of the lawful bases are going to apply in the employer context. One of those is if there is going to be an agreement. You know, in order to comply with the terms of a contract, like a collective bargaining agreement or like an employment agreement. So hire/fire payroll data would be covered under that, also if there is … a vital interest of an employee.
There’s speculation that that exception might actually be, or that legitimate basis might be used to obtain vital information regarding, like, emergency contact information of employees.
And there’s also one of the other lawful basis is if the employer has a greater, you know, interest in the data that doesn’t outweigh the right of the data subject, the employee.
The issue though is most … when we talk about is consumer data, and we’re looking a lot at consent and what actually consent looks like in terms of the express consent, you know, having them, you know, check the box or whatever.
In an employee situation, the [UK’s] ICO has come out with guidance with respect to this. And they have expressly said in an employee-employer relationship, there is an inherent imbalance of bargaining power, meaning an employee can never really consent to giving up their information because they have no bargaining power. They either turn it over, or they’re not employed. The employer is left to rely only on the other lawful basis to process data, excluding consent, so the contractor allowance and some of the others.
But the issue I have with that is, I don’t think that that’s going to cover all the data that we actually collect on an employee, especially employees who are operating outside the scope of a collective bargaining agreement.
In a context of, say, an at-will employee where there is that … where that contract exception doesn’t actually apply. I think there will be a lot of collection of data that doesn’t actually fall under that. It may fall into the legitimate interest, if the employer has the forethought to actually do what’s required, which is to actually document the process of weighing the employer’s interest against the interest of the employee, and making sure that that is a documented process. [ Read the UK’s ICO guidelines on the process of working out legitimate interest.]
But also what comes with that is the notice requirement, and the notice requirement is something that can be waived. So employers, if they are doing that, are going to have to — and this is basically going to cover every single employer — they’re going to have to give their employees notice of the data that they are collecting on them, at a minimum.
IOS: At a minimum. I think to summarize what you’re saying is it’s just so tricky or difficult to get what they call freely given consent, that most employers will rely on legitimate interest.
Triggers for Data Protection Impact Assessments (DPIAs)
IOS: In the second part of this interview, we joined Sara Jodka as she explains what triggers a data protection impact assessment, or DPIA when processing employee data.
SJ: I think that’s required when we’re doing requirements for sensitive data, and we’re talking about sensitive HR data. A DPIA has be performed when two of the following exist, and there’s like nine things that have to be there in order for a DPIA to have to be done. But you bring up a great point because the information that an employer is going to have is going to necessarily trigger the DPIA. [See these Working Party 29 guidelines for the nine criteria that Sara refers to.]
The DPIA isn’t triggered by us doing the legitimate basis …
and having to document that process. It’s actually triggered because we process sensitive data. You know, their trade union organization, affiliation, their religious data, their ethnicity. We have sensitive information, which is one of the nine things that can trigger, and all you need is two to require a DPIA.
Another one that employers always get is they process data of a vulnerable data subject. A vulnerable data subject includes employees.
IOS: Okay. Right.
SJ: I can’t imagine a situation where an employer wouldn’t have to do a DPIA. The DPIA is different than the legitimate interest outweighing [employee rights] documentation that has to be done. They’re two different things.
IOS: So, they will have to do the DPIAs? And what would that involve?
SJ: Well, it’s one thing that’s required for high-risk data processing and that, as we just discussed, includes the data that employer has.
Essentially what a DPIA is, it’s a process that is designed to describe what processing the employer has, assess the necessity on proportionality to help manage the risk to the rights and the freedoms of the national persons resulting from the processing of personal data by assessing and determining the measures to address the data and the protections around it.
It’s a living document, so one thing to keep in mind about DPIA is they’re never done. They are going to be your corporation’s living document of the high-risk data you have and what’s happening with it to help you create tools for accountability and to comply with the GDPR requirements including, you know, notice to data subject, their rights, and then enforcing those rights.
It’s basically a tracking document … of the data, where the data’s going, where the data lives, and what happens with the data and then what happens when somebody asks for their data, wants to erase their data, etc.
GDPR Surprises for US Companies
IOS: Obviously, these are very tricky things and you definitely need an attorney to help you with it. So, can you comment on any other surprises U.S. companies might be facing with GDPR?
SJ: I think one of the most interesting points, whenever I was doing my research, to really drill down, from my knowledge level, is you’re allowed to process data so long as it’s compliant with a law. You know, there’s a legal necessity to do it.
And a lot of employers, U.S employers specifically, look at this and thought, “Great, that legal requirement takes the load off of me because I need, you know, payroll records to comply with the Fair Labor Standards Act and, you know, state wage laws. I need my immigration information to comply with the immigration control format.”
You know, they were like, “We have all these U.S. laws of why we have to retain .information and why we have to collect it.” Those laws don’t count, and I think that’s a big shock when I say, well, those laws don’t count.
We can’t rely on U.S. laws to process EU data!
We can only rely on EU laws and that’s one thing that’s brought up and kind of coincides with Article 88, which I think is an interesting thing.
If you look at Article 88 when they’re talking about employee data, what Article 88 does is it actually allows member states to provide for more specific rules to ensure that the protections and the freedoms of their data are protected.
These member states may be adding on more laws and more rights than the GDPR already complies! Another thing is, not only do we have to comply with an EU law, but we also are going to comply with member states, other specific laws that may be more narrow than the GDPR.
Employers can’t just look at the GDPR, they’re going to also have to look at if they know where a specific person is. Whether it’s Germany or Poland. They’re going to have to look and see what aspects of the GDPR are there and then what additional, more specific laws that member state may have also put into effect.
SJ: So, I think that there are two big legal issues hanging out there that U.S. multinational companies…
IOS: One thing that comes to my mind is that there are fines involved when not complying to this. And that includes, of course, doing these DPIAs.
SJ: The fines are significant. I think that’s the easiest way to put it is that the fines are, they’re astronomical, I mean, they’re not fines that we’re used to seeing so there’s two levels of fines depending on the violation. And they can be up to a company’s 4% of their annual global turnover. Or 20 million Euros. If you’d look at it in U.S. dollar terms, you’re looking at, like, $23 million at this point.
For some companies that could be, that’s a game changer, that’s a company shut down. Some companies can withstand that, but some can’t. And I think any time you’re facing a $23 million penalty, the cost of compliance is probably going to weigh out the potential penalty.
Especially because these aren’t necessarily one-time penalties and there’s nothing that’s going to stop the Data Protection Authority from coming back on you and reviewing again and assessing another penalty if you aren’t in compliance and you’ve already been fined once.
I think the issue is going to be how far the reach is going to be for U.S. companies. I think for U.S. companies that have, you know, brick and mortar operations in a specific member state, I think enforcement is going to be a lot easier for the DPA.
There’s going be a greater disadvantage to, actually, enforcement for, you know, U.S. companies that only operate in U.S. soil.
Now, if they have employees that are located in the EU, I think that enforcement is going to be a little bit easier, but if they don’t and they’re merely just, you know, attracting business via their website or whatever to EU, I think enforcement is gonna be a little bit more difficult, so it’s going to be interesting to see how enforcement actually plays out.
IOS: Yeah, I think you’re referring to the territorial scope aspects of the GDPR. Which, yeah, I agree that’s kind of interesting.
SJ: I guess my parting advice is this isn’t something that’s easy, it’s something that you do need to speak to an attorney. If you think that it may cover you at all, it’s at least worth a conversation. And I’ve had a lot of those conversations that have lasted, you know, a half an hour, and we’ve been very easily able to determine that GDPR is not going to cover the U.S. entity.
And we don’t have to worry about it. And some we’ve been able to identify that the GDPR is going to touch very slightly and we’re taking eight steps, you know, with the website and, you know, with, you know, on site hard copy documents to make sure that proper consent and notice is given in those documents.
So, sometimes it’s not going be the earth-shattering compliance overhaul of a corporation that you think the GDPR may entail, but it’s worth a call with a GDPR attorney to at least find out so that you can at least sleep better at night because this is a significant regulation, it’s a significant piece of law, and it is going to touch a lot of U.S. operations.
IOS: Right. Well, I want to thank you for talking about this somewhat under-looked area of the GDPR.
SJ: Thank you for having me.