By Mike Morini, CEO of WorkForce Software
The General Data Protection Regulation (GDPR) takes effect May 25, 2018, and companies around the globe are scrambling to prepare. While much attention has already been paid to understanding the GDPR’s impact on collecting customer data, retailers must also remember that the European Union’s newest data privacy law also applies to employee data. Failure to comply with the GDPR can cost your organisation up to 4 percent of your annual global revenue or €20 million, whichever is greater. As you can see, with stakes this high, there is no budget for error. Your entire organisation needs to understand the requirements, as well as the consequences of non-compliance.
Let’s walk through what all retailers need to know about the GDPR and employee data:
- Employers must have a valid reason for collecting employee data. From schedule preferences to trade union memberships, the law prohibits employers from collecting employee data without a valid, legal reason for doing so. The data must also be relevant to the employee’s job. For example, say you offer eLearning courses for store employees via mobile, and you track which courses have been completed. Under the GDPR, that’s acceptable if tracking completion of each course is necessary for doing the job assigned to the employee. Collecting more data than necessary, “in case we need it later,” is not considered a valid reason and would be in violation of the GDPR.
- When collecting biometric data, employers must also demonstrate how they are protecting the data. Say you have employees clock in and out using biometric readers or finger scanners. Under the GDPR, you must prove that you need the information and demonstrate how you’re protecting the data. If you’re using a data processor, such as a vendor who is processing the data being collected, they must also protect the employee’s data. In other words, they must show that it remains confidential, that there are controls in place, that the data cannot be accessed by unauthorised individuals, and that the data cannot be modified.
- The data must be available when/if an employee asks for it. Employee data isn’t owned by the company; it belongs to the individual employee. As such, employers must be able to meet uptime and restoration requirements to ensure that the data will be available, should the employee ask for it. In addition, employers must provide notification to employees regarding what information is being collected, how the organisation will use it, where it will be stored, and more. Transparency is key, so provide clear and ample notification to your employees about any data being collected.
- Employers must document and follow clear processes. Imagine this: you have a dedicated HR manager named Debbie. She receives a question via email from an employee about data collected over a specific time period the previous year. Knowing it is of utmost importance, Debbie picks up the phone and calls the employee with the answer. One might view this expediency as appropriate, right? Yet, under the GDPR, if the request is received via email, then the employer has to communicate the information via email, as well. So, in this case, Debbie would be inadvertently exposing the company to fines simply by providing the answer over the phone. This is why it is so important to document and follow clear processes when it comes to how you will collect, use, and share employee data.
- User location matters. It’s not just companies physically based in the European Union that have to comply with the GDPR. The law also applies to companies outside the EU that have users in the EU. And if the data is exported to another country, by you or by a third-party vendor, then you’ll have to comply with even more stringent rules under the GDPR. That’s why it’s absolutely essential that you interview each vendor carefully to ensure they are also in full compliance with the GDPR.
Particularly for large, international retailers, much work has already gone into preparing for the GDPR. Employers should keep in mind the upside, too. Communicating with your employees what your organisation is doing to comply with the GDPR will likely have a positive impact on morale and employee satisfaction. And because there’s a clear connection between happy employees and sales conversions, all the effort you’ve already put into gearing up for the GDPR can work to your advantage.
Is your organisation prepared for the GDPR? Learn more with GDPR Compliance Made Easy.