GDPR Series: Part 2 – Steps to Compliance

essidsolutions

In Part 2 of the GDPR Series, Michael explores what organizations need to do to be compliant with the EU GDPR regulation.

The whole point of the GDPR is that personal data belongs to the person, and not those collecting and processing it. This means respecting the privacy of the individual, and not sharing any data without their consent. And, if that data does happen to leak out, both the data controller and the data processor have responsibilities to notify the data subjects within certain timeframes.

Generally, data collected in the EU must stay in the EU, unless the destination country ensures an adequate level of data protection. These countries are currently limited to Argentina, Canada, Switzerland, Israel, the Isle of Man, New Zealand and Uruguay, and to the US when the transfer is to an organization certified under the EU-US Privacy Shield program. For multinationals, data may be transferred within a corporate group by way of Binding Corporate Rules, as approved by the national Data Protection Authorities (DPAs).

Redefining Legitimate Interests and Consent

Most businesses rely on boilerplate privacy policies and employee agreements to obtain consent to collect and process information. However, **under the GDPR, merely agreeing to be an employee will not be deemed voluntary or freely-given consent, because of the unequal bargaining positions between employers and employees**.

Employers will now have to be much more transparent about what data is being collected, why they are collecting it, and how they intend to use it, including who will have access to it.

This should not consist of privacy policies that are excessively lengthy or difficult to understand, as **the GDPR requirement is for controllers to provide concise, transparent, intelligible language that is easily accessible to employees**.

Here’s an example of a more transparent privacy notice aimed at employees:

We are monitoring use of our broadcast email (intranet site, other internal vehicles) communications for the purpose of assessing content delivery, content and messaging format and length, device preferences, and for confirmation during critical corporate communication situations.

We may also use measurement analytics for our own legitimate business purposes, including campaign evaluation, messaging planning and internal training. We will retain individual email measurement data for no more than 90 days, unless it is being used to investigate an alleged crime or an incident, in which case it may be retained for up to two years following the conclusion of any investigation.

You have the following rights: to request access to email data relating to you, to request the rectification or erasure of your email interaction data (subject to other conditions), and to object to our use of email monitoring. Please contact our Privacy Officer, Mr. Smith, [email protected] for any further information.

The GDPR gives data subjects certain rights, and controllers have the obligation to respond to a data subject’s rightful inquiries within one month. Such rights include providing data subjects with access to any personal data processed, information regarding the source of the data, where the data is being processed, the purpose of such processing, and the period the data will be stored. Data subjects also have the right to request corrections and to request removal of data when it is no longer required for its original purpose. In addition, data subjects have the right to revoke consent, and consent “must be as easy to withdraw as it was to grant,” according to Article 7(3).

Example 1: Performance Review

Let’s take the standard performance review as an example. Any such file, including handwritten notes or digitally recorded comments, is considered personal information. The UK’s Information Commissioner’s Office offers this example:

“A manager’s assessment or opinion of an employee’s performance during their initial probationary period will, if held as data, be personal data about that individual. Similarly, if a manager notes that an employee must do remedial training, that note will, if held as data, be personal data.”

Before any review, the employee must consent to having such opinions recorded, and must be made aware of who will have access to that data and what it will be used for. An organization must have a process in place whereby reviews are available to the employee, and whereby that information can be deleted once the employee leaves the organization.

Example 2: Web and Email Analytics

Corporations today routinely make use of web analytics and email analytics to understand their employees’ use of communications, and often leverage such data to improve the content and user experience. In many cases, these tools collect IP addresses and email addresses, allowing individual actions to be identified. Therefore, employees must consent to the collection of such data, and employers must make clear the intent of such data processing and not use the data for any other purpose. Consent for such automated data collection is difficult to obtain at the point of collection and is, therefore, best done by policy.

Companies with EU citizens as employees should be reviewing and rewriting their consent policies now, in preparation for the GDPR going into effect on May 25, 2018. Ideally, this should not be left strictly to the legal team, as human resources and communications teams will have insight into the particulars of the various employee programs and procedures that will be impacted by the new law. There is a lot at stake if your company is not in compliance.

Part 3 of this series will focus on ways to render employee data anonymous while still measuring the effectiveness of employee communications.