Privacy is hot. 81% of people analytics projects are jeopardized by ethics and privacy concerns. This number will only increase if companies do not comply to the new European privacy regulation, the General Data Protection Regulation (GDPR) which will be enforceable from 25 May 2018 onward.
This article will look at the formation and developments of the GDPR and give insight into the three most important privacy changes for employers. We will conclude with 9 practical tips on how HR analytics departments can prepare for the GDPR.
The purpose of the GDPR is to further harmonize a higher level of protection of personal data. This impacts the processing of personal data within businesses – especially HR data.
The GDPR constitutes major consequences for employment law as an employer processes the data of its employees (and potential employees) on a large scale. In addition, an employer may process employee data with regard to the work environment – for instance, data from cameras or employees’ internet behavior. In short, it is important for employers to know what to expect and how to deal with these regulations.
The formation of the GDPR
The European Commission has been working on amending the privacy regulation since January 2012, in order to make it fit for the digital era. The GDPR harmonizes the different privacy rules across the union. The result is a high level of EU-wide protection which will have direct effect.
This legislative process took a couple of years and it wasn’t until the end of 2015 that Member States reached an agreement on the main principles. In April 2016, the final version of the GDPR was published, which will be enforceable from 25 May 2018 (including in the UK)
Consequences of GDPR in the workplace
The GDPR contains a substantial number of ‘new’ standards and rules, the most important changes being:
- Additional rights for employees
- Data Protection Impact Assessment
- Data Protection Officer
We will briefly discuss these three topics below.
1. Additional Rights for Employees
Employees will acquire a number of additional rights to reinforce control over their own personal data. For example, the right of access has been extended. This gives the employee the right to be informed about:
- How long the employer aims to keep the data;
- whether the data will be used for automated decision-making,
- whether the employer intends to transfer the data abroad, and if so,
- which safeguards will be provided in that context.
This puts extra responsibility on anyone working with personnel data.
Furthermore, the employer must inform the employee about the right to rectification and the right to lodge a complaint with a supervisory authority.
An individual employee also has a right to erasure. This provides, under specific circumstances, the right to be forgotten. The practical application is that employers need to provide clarity about the purpose the data is used for (see tip #9 below).
2. Data Protection Impact Assessment
The Data Protection Impact Assessment (DPIA) is a way of analyzing potential privacy risks.
A DPIA should be carried out when the processing of personal data will most likely result in a high risk to the rights and freedom of the employee. A DPIA is therefore not always mandatory!
After assessing the risks, an organization must take measures to mitigate these risks.
A DPIA is mandatory in the following situations:
- Profiling: when a systematic and extensive assessment is made of personal aspects relating to natural persons, based on which decisions must be made that could have legal consequences for those natural persons.
- Data processing: when large-scale processing of special personal data is carried out;
- Monitoring efforts: when publicly accessible spaces are monitored systematically and on a large scale.
Besides the above-mentioned situations, there are no examples given in the GDPR of processing that is likely to entail high-privacy risks and thus require a DPIA.
For further, more detailed specifications of when a DPIA should be carried out, click here.
The guidelines include advice such as when a DPIA should be carried out. Criteria are given, based on which the increased privacy processing risks can be determined.
WP29 specifies the following criteria:
- assessing and evaluating data, including profiling;
- the processing is aimed at taking automated decisions with a legal or similar significant effect;
- systematic monitoring of individuals;
- the processing of special personal data;
- large-scale processing;
- combined or matched data sets, for example to process data which were collected for various purposes;
- data relating to vulnerable persons;
- innovative use of or applying technical or organizational solutions, such as the use of fingerprints or facial recognition for physical access to a building;
- data transfer across borders outside the EU (exchange of data with a country outside the EU);
- the data subject is obstructed from exercising a right or in using a service or a contract. For example, when a bank screens its customers against a credit reference database to assess whether the customer qualifies for a loan.
The more criteria that apply, the more likely it is that the processing entails an increased privacy risk for the data subject and that a DPIA is required. According to WP29 as a rule of thumb, it can be assumed that if two or more of these aforesaid criteria occur, there is an increased privacy risk and therefore a DPIA is required.
In some cases, it could be that only one criterion needs to be met if the processing is so far-reaching that it entails an increased privacy risk. If two or more criteria occur and a company decides not to carry out a DPIA, then, according to WP29, it must set out the precise reasons for this.
3. Data Protection Officer
Under the GDPR, it is mandatory for certain controllers and processors to designate a Data Protection Officer (DPO). The controller is the owner of the data and determines who can process it. The processor is the body which processes personal data on behalf of the controller. This includes third parties that do data analysis on your HR data.
The GDPR requires the designation of a DPO in three specific cases:
- Where the processing is carried out by a public authority or body.
- Where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale.
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses.
In practice, this means that almost all large organizations have a Data Protection Officer. Whenever you work on an HR analytics project, make sure to involve your DPO!
This is also important, because being involved is part of the DPO’s job. His duties are, in particular:
- Collecting information to identify processing activities;
- Analyze and check the compliance of processing activities; and
- Inform, advise and issue recommendations to the controller or the processor.
Even when the GDPR does not specifically require the appointment of a DPO, organizations may sometimes find it useful to designate a DPO on a voluntary basis.
To read more specific details about the DPO and his independence, click here
As far as the DPIA is concerned, the controller or the processor should seek the advice of the DPO, on the following issues, amongst others:
- whether or not to carry out a DPIA;
- what methodology to follow when carrying out a DPIA;
- whether to carry out the DPIA in-house or whether to outsource it;
- what safeguards (including technical and organizational measures) to apply to mitigate any risks to the rights and interests of the data subjects; and
- whether or not the DPIA has been correctly carried out and whether its conclusions (whether or not to go ahead with the processing and what safeguards to apply) are in conformity with data protection requirements.
The DPO must act in an independent manner. The WP29 provides guidance with regard to this criterion:
- no instructions by the controllers or the processors should be given regarding the exercise of the DPO’s tasks;
- no dismissal or penalty should be given for the performance of the DPO’s tasks; and
- There should be no conflict of interest with any of the other tasks and duties of the DPO.
The safeguards mentioned above enable the DPO to act in an independent manner. It is clear that the DPO cannot hold a position within the organization that leads him to determine the purposes and the means of the processing of personal data. Due to the specific organizational structure in each organization, this has to be considered case by case. It is also possible to hire an external DPO based on a service contract concluded with an individual or an organization.
9 Ways how the EU’s GDPR will Impact HR Analytics
So how does the GDPR apply to HR analytics? We listed 9 tips below:
The GDPR has a tangible impact on the analysis of HR data so make sure that everyone on the HR analytics team is up to date with the latest privacy rules.
2. Involve the Data Protection Officer
Your Data Protection Officer is a key stakeholder in any analytics project. He must estimate the impact of the GDPR on the organization’s current processes. When projects are not compliant with the GDPR or other data protection laws, the DPO will interfere. Make sure to involve him early on so you will avoid making costly mistakes.
3. Rights of data subjects
People whose personal data will be processed will acquire more and improved privacy rights under the GDPR. Be prepared for this so that you can respond correctly to requests and in a timely fashion. These rights include existing rights, such as the right of access and the right to rectification and erasure.
Also take new rights into consideration, such as the right to data portability. For this right, you must make sure that data subjects have easy access to their data and can pass these on to another organization if they so wish.
4. Processing lists
Under the GDPR, you are subject to accountability, which implies that you must be able to demonstrate that your organization acts in accordance with the GDPR. For example, when employees ask you to correct or erase their data, you must communicate this to the external organizations with which you shared their data. This may impact some – if not all – of your HR software providers
It is therefore important to keep a list of
- which data you process,
- for which purpose data is processed,
- where you got the data from, and
- with whom you shared data.
5.Data treatment security for third-party companies
When other organizations process your HR data, additional security requirements apply.
- It is compulsory to agree with the data processor on a data processing agreement, which is in compliance with the requirements set in the GDPR, with data processors.
- If a processor is established outside the European Economic Area, stricter requirements may apply.
- A processor must always be able to apply state-of-the-art security measures.
- The data processor should be certified in conformity with ISO27001/2 standards or other, similar standards. These should be defined in the data processing agreement.
6. Privacy by design
Familiarize your organization with the GDPR’s obligatory basic principles of “Privacy by design & privacy by default” and check how you can introduce these principles in your organization. “Privacy by design” means ensuring personal data protection from the onset of designing your products and services.
“Privacy by default” means you must take technical and organizational measures to ensure that, by default, you only process the personal data that’s necessary for the specific purpose you wish to accomplish.
8. Lead supervisory authority
Does your organization have several business locations in different EU Member States? Or does your data processing have an impact in several Member States? Then, under the GDPR you will only need to cooperate with one privacy supervisory authority. This is referred to as the lead supervisory authority. If this applies to your organization, determine which privacy supervisory authority you would be subject to.
If there’s no employment relationship you need the data subject’s free and unequivocal consent to process its data. In addition, data can only be processed when it’s in line with the reason for collecting the data. Make sure that the use of employee data processing is clearly defined in the employment contract.
The GDPR has strengthened the requirements for consent. Therefore, you should evaluate the way in which you ask for, obtain and register consent, and adjust your approach if necessary.
A new rule is that you must be able to prove that you were given valid consent by the data subjects for processing their personal data and that it must be just easy for them to withdraw their consent.
It is important to note that an employee’s consent, given his subordinate position with respect to the employer, is not automatically considered to be free and unequivocal. For some data processing, such as monitoring employees’ health through wearables, free consent is not even possible! Once again, consult your DPO when you implement such technologies.
The implementation of the GDPR is in full swing. The WP29 guidelines, such as have now been published, can still be supplemented by the Member States so that the regulations are as far as possible in line with the market. It is therefore essential to follow the developments closely and – when you’re unsure about the implementation – to receive professional advice.
For a full overview of the GDPR regulation, check here.