In 2018, the European Union’s General Data Protection Regulation (GDPR) took effect, signaling a watershed moment for data privacy protection. Since the GDPR’s introduction, data privacy laws and regulations have emerged around the globe, most of them taking inspiration from the GDPR. Gone are the days of amassing volumes of personal data without concern for how that data is protected. The GDPR and recent comprehensive privacy laws such as Brazil’s LGPD, California’s CCPA, Canada’s PIPEDA, China’s PIPL, and Colorado’s CPA are just a few of the global privacy laws that primarily govern how the personal data or personally identifiable information of residents may be processed and that restrict where such data may be transferred. Recent privacy laws have also placed limits on sharing personal data for advertising purposes and on the selling of personal data.
In essence, the GDPR regulates the collection and processing (use) of EU residents’ personal data. The GDPR and similar laws require organizations to be transparent about the personal data they collect from individuals. This includes, inter alia, communicating the categories of personal data collected, the purpose of collection, data retention periods, and the lawful basis for the processing; conducting assessments prior to using or sharing personal data; and informing individuals of their data protection rights. These rights are core to the GDPR and include:
- A right to be forgotten
- A right to access
- A right to correction
- A right to portability
- A right to object to data processing
- A right to stop automated decision making
The Importance of Employee Data Privacy Laws
While many view privacy laws primarily through a consumer-protection lens, employee data privacy is often overlooked. However, employees are afforded the same protections and rights as consumers, and in some cases the processing of their data receives more scrutiny because of the disparity in bargaining power between employer and employee. For example, under the GDPR an organization must articulate one of the six lawful bases before processing personal data. Consent, one of those lawful bases, is troublesome and can be an unreliable basis for processing an employee’s personal data, because an employee cannot freely give consent to their employer.
Organizations do not have carte blanche with their employees’ personal data. Given the volume and sensitive nature of employee data within an organization’s control, it is paramount to comply with privacy laws and security best practices to safeguard that data. Organizations often process a subset of personal data that is more sensitive in nature, or “special categories of data” in GDPR parlance, for various processing purposes. For example, data concerning health may be required for enrollment in health or retirement benefits, and data on an employee’s political or philosophical beliefs may arise during background checks. As with a privacy notice for consumers, organizations may be required to provide employees with notice of their data collection practices and processing activities and to explain how employees may exercise their data subject rights with respect to the processing of their personal data. Additionally, for higher-risk processing activities, organizations may be required to conduct privacy impact assessments before proceeding with the processing.
Safeguarding Employee Data
A good percentage of data breaches originate from human error, especially within organizations. For example, an employee providing support may erroneously disclose another employee’s information to a colleague or third party who is not authorized to access that data. It is therefore critical for organizations to deploy industry-standard tools and resources for safeguarding data. Implementing data loss prevention measures and data access controls, requiring multifactor authentication, using secure file transfer tools, and requiring training on data protection are some examples of measures that help ensure employee data is protected.
Legal Implications for Noncompliance
There are serious financial and reputational consequences for organizations that fail to adequately protect personal data within their control or fail to allow individuals to exercise their data subject rights. Noncompliance with privacy laws can result in hefty penalties in the form of fines. Under the GDPR, an organization may be fined up to 20 million euros or 4% of its global turnover, whichever is higher, depending on the violation. For example, the Irish Data Protection Commission recently imposed a 1.2 billion euro fine against Meta for a GDPR violation, the largest fine on record.
Best Practices for Employers
Organizations should assess the relevant privacy laws and regulations for compliance. However, even where not legally required, employers should consider implementing best practices such as data minimization, i.e., collecting only those data categories necessary for the service or functionality; requiring privacy and data security training; communicating their data collection practices; setting retention periods; conducting reviews of data for accuracy; and implementing technical controls and measures to prevent data loss. Companies should also consider performing annual internal audits of their policies and procedures to ensure compliance with the privacy laws.
Conclusion
Since the GDPR’s inception, privacy laws around the world have emerged, reflecting the importance of ensuring that personal data is protected and that individuals understand how and why their data is being used. Employers often collect more personal information than other organizations, as it may be necessary for certain functions. Running afoul of the requirements under the privacy laws and regulations can result in hefty penalties. It is therefore important for organizations to prioritize compliance with these laws and to implement best practices for safeguarding employee data.
DISCLAIMER: This article is intended for informational purposes only and does not constitute legal advice. An organization’s compliance with relevant privacy laws may vary depending on its size, industry, and jurisdiction of operation.