The European Union (EU) General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, imposes strict and broad requirements for processing HR data, and creates new rights for data subjects, including applicants, current employees, and departing employees. We interviewed Grant Petersen, a shareholder in Ogletree Deakins' Tampa office and co-founder of the firm's Data Privacy Practice Group, about the impact of the GDPR and about practical steps employers can take to comply. In the next installment, Grant will address the role of employee consent and offer key takeaways for employers that are subject to the GDPR.

Lisa Kaplan: What is the purpose of the GDPR, and to which companies does it apply?

Grant Petersen: The purpose of the GDPR is to implement a uniform and comprehensive data protection scheme across all EU countries to protect the personal information of clients, customers, and employees residing in the EU. However, the GDPR permits several exceptions to this uniform purpose, including permitting each EU country to enact additional or stricter requirements for HR data.

The GDPR applies to entities located within the EU that process personal information regarding EU residents (such as EU subsidiaries of U.S. companies). Additionally, the GDPR applies to entities outside of the EU that process personal information of EU residents in connection with the offering of goods or services to EU residents or in connection with the monitoring of the behavior of EU residents, including the monitoring of work performance. Thus, a U.S.-based parent company that monitors the work performance of EU employees is covered.

LK: With regard to compliance, what are the highest risk areas for employers?

GP: The highest risk area for employers is the monitoring of employee use of computers, mobile devices, and the internet. Unlike U.S. law, which permits employers to engage in extensive monitoring of employee use of company-owned technology to protect confidential information and the integrity of the system, the GDPR places strict limitations on an employer's right to engage in such monitoring. For example, employers must demonstrate and document that their interest in monitoring employees outweighs the employees' privacy rights. Further, with limited exceptions, employers are prohibited from monitoring or reviewing the content of personal emails or communications sent or received by employees using company-owned equipment. Finally, employers must implement safeguards within their computer systems to ensure that they do not monitor an employee's personal communications or internet usage.

LK: What processes should employers have in place to prevent a data breach, and what does the GDPR require in the event of a breach?

GP: Similar to data breach prevention programs in the U.S., employers should implement processes that require strong passwords, limit access to information to only those employees who have a need to know, encrypt sensitive data, monitor unusual activity, establish investigation and reporting protocols for suspected breaches, and require role-based training for employees who handle personal information from the EU. However, unlike U.S. data breach notification laws that require employers to notify local authorities and affected individuals of the breach as soon as reasonably possible (typically 10 to 45 days depending on applicable state law), the GDPR requires employers to notify the appropriate EU data protection authority (DPA) of a breach within 72 hours. Thus, employers should establish their investigation and reporting protocols well in advance of a data breach so that they can rapidly investigate and report a breach to the appropriate DPA within 72 hours.

LK: Do you have recommendations for how employers can train their employees who deal with data so as to reduce the likelihood of noncompliance?

GP: Employers should implement role-based training. For example, while all employees who deal with personal information should receive general training regarding the requirements of the GDPR, individuals who will respond to employee data access requests should be trained specifically on how to properly and timely respond to such requests. Similarly, HR professionals who handle special categories of personal information, such as racial and ethnic origin, employee health records, and trade union membership, should be trained on the special safeguards that must be taken in handling such data. Finally, IT personnel should be trained on the data security and breach notification requirements under the GDPR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.