Lisa Kaplan: The GDPR imposes strict limits on employers regarding the collection, processing, and retention of employee personal information. What role, if any, does employee consent play?

Grant Petersen: The Article 29 Working Party, which is comprised of all of the data protection authorities (DPA) in the EU, has stated that employers cannot rely on an employee's consent to collect, process, or retain personal information because the unequal bargaining power between employers and employees prevents employees from providing voluntary consent. Therefore, employers must use and document another legal basis for collecting, processing, and retaining employee personal information. This might include demonstrating that the personal information is necessary to perform the employment contract, comply with obligations under EU law, or advance a legitimate interest of the employer that outweighs the privacy rights of the employees.

LK: What is the biggest unknown about the GDPR and its impact?

GP: The biggest unknown is the degree to which the DPAs in each EU country will aggressively enforce the GDPR. The GDPR permits DPAs to assess fines of up to 20 million euros or 4 percent of a company's worldwide revenue (whichever is greater) for serious violations of the GDPR. The UK DPA has announced that it will take a practical approach to enforcing the GDPR and will proactively assist companies in their compliance efforts. On the other hand, Germany, which has multiple DPAs, is gearing up to aggressively enforce the GDPR. It is widely expected that the German DPAs intend to make examples out of violators shortly after the May 25 effective date.

LK: With less than two months until the GDPR takes effect, what key takeaways do you have for employers with regard to HR data?

GP: Based on the difficulty of achieving full compliance, the probability of complaints being filed, and the potential monetary exposure for noncompliance, processing HR data arguably is the highest risk area for GDPR compliance for most companies. Below I have outlined a number of key steps that employers may want to take now.

First, employers should consider immediately conducting a GDPR readiness assessment to determine whether their current HR data policies and procedures comply with the GDPR requirements and, if they do not, determine the areas of greatest risk. Additionally, because each EU country is permitted to implement stricter or additional requirements for HR data, employers may want to determine whether their current policies and procedures comply with these country-specific requirements.

Second, employers should consider creating a data map to determine the types of HR data collected and processed, the types and geographic locations of the databases or systems in which such data is processed and stored, and the identity and geographic location of individuals and entities that have access to the data. This data map is essential to comply with the GDPR requirement that employers document their data processing activities.

Third, employers may want to determine and document the purposes and legal bases for collecting, processing, and retaining HR data. They should also consider conducting data privacy impact assessments to justify the processing of high risk data such as handling special categories of data, monitoring employee location and use of technology, and cross-border transfers of HR data.

Fourth, employers should consider revising and updating all of their policies and procedures for handling HR data to comply with the GDPR requirements.

Finally, employers should consider conducting role-based training for all employees who will be handling EU personal information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.