Data privacy issues have an impact on most HR activities, including data processing, recruitment, performance monitoring, and the handling of references. This is especially true in this modern age of digital and technological advances. As a human resources manager it is vital that you implement systems and processes in your company to safeguard sensitive employee data, ensuring they comply with state, local and international data protection laws.
In this post we will take a look at GDPR data regulations and how the Data Protection Act affects employers in the United States. We will also discuss best practices for protecting employee personal data and tips for ensuring privacy compliance at all levels of your company.
Let’s start with a curious event that happens each year in the world of GDPR and employee data.
Data Privacy Day is a global annual event that aims to raise awareness on the importance of privacy and safeguarding data. The campaign promotes privacy and data protection best practices and it targets both individuals and businesses alike.
The event was first celebrated in North America on January 28th, 2008, as an extension of the existing Data Protection Day in Europe. The date corresponds with the signing of the Council of Europe’s 1981 data protection treaty, known as “Convention 108”, which follows a technologically-neutral, principle-based approach to protecting an individual’s right to privacy.
Each year on this date, governments and national data protection bodies launch campaigns, conferences and open-door events to inform the public of their rights to personal data protection and privacy. Aside from the general public, campaigns are also often targeted at those working in the education sector and those industries that rely heavily on data processing.
The event is an opportunity for businesses to re-evaluate how they have been collecting, sharing, and using data, and to improve internal processes to stop valuable data from being exploited, misused, or lost. In the US and Canada, the event is led by the National Cyber Crime Alliance (NCSA), a non-profit organisation dedicated to promoting a safer and more trusted internet. NCSA’s privacy awareness campaign is an integral component of the global online safety, security and privacy campaign “STOP. THINK. CONNECT.™”.
Data privacy protection is a branch of data security concerned with the proper handling of data, including consent, notice, and regulatory obligations. Every individual is entitled to access and control all personal information collected and stored by a company and they may revoke their consent at any time.
Although there are no federal US data privacy laws and no centralized data protection agency in the US, companies that work with clients, customers and employees in the European Union must be aware of the principles that govern the General Data Protection Regulation (GDPR). The European GDPR, which came into effect in 2018, replaced the previous UK Data Privacy Act and introduced a new set of guidelines for processing, handling and storing personal data. It requires companies working with or within the European Union to implement data protection policies and procedures that ensure transparency and accountability. Record-keeping requirements vary depending on whether a company handling data is a controller (responsible for determining the purpose and means of processing personal data) or a processor (one that processes data on behalf of the controller).
In terms of employee data, the GDPR states that employees must be aware of:
GDPR and companies with fewer than 250 employees: although GDPR record-keeping requirements are not enforced for most companies with fewer than 250 employees (with the exception of companies handling data relating to criminal convictions), all other aspects of the data security and privacy act must be complied with.
Personal data is defined in the GDPR as being “any information relating to an identified or identifiable person who can be identified by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. This includes data that is processed electronically, kept in a filing system, included in an accessible record, or held by a public authority.
In terms of employee data, this can include:
Any company that collects, stores, gathers, organizes, retrieves, discloses, transfers, or otherwise makes available personal data for an employee located in the EU must ensure they are implementing the correct GDPR measures for employee data collection privacy protection.
When it comes to employees, it is the responsibility of the Human Resources department to protect and safeguard personal data. In the US, failure to comply with standards set by the Fair and Accurate Credit Transactions Act (FACT Act) and the Fair Credit Reporting Act (FCRA) can result in major penalties. And for employees based in the EU, HR managers must also ensure all data handling processes comply with the GDPR.
Employers must create clear policies and procedures that take into account these regulations and ensure they are accessible to all employees. These policies must govern all personal data processed and handled by the company and they must be reviewed and updated on a regular basis. Employers must provide thorough and continuous training to all staff to ensure employees are aware of US data protection and security laws, their GDPR employee rights, and the importance of adhering to GDPR procedures at all times. Measures should also be put in place to guarantee the security of stored data, including encryption and designated servers.
There are many issues that can arise as a consequence of retaining employee data. The following should be taken into account at all times:
Sensitive personal data: there are extra measures that need to be considered when handling sensitive data such as medical records and employee benefits. These measures aim to safeguard health and safety and reduce discrimination. Explicit consent must be provided before a company can handle and/or process this data.
Recruitment: as a recruiter, it can be tempting to gather as much information as possible about a potential candidate. Do not collect more data than you need and don’t retain information for longer than necessary.
Social media: by using social media as a basis for employment decisions you run the risk of encountering issues with protecting employee data and discrimination. A clear social media policy should be included with a company’s general data protection procedures.
Monitoring: if you monitor employee emails or have a workplace CCTV system in place, you must be able to prove you have a legal basis for doing so. Staff must be informed and provide consent before their computers can be accessed remotely. If consent is not provided, online monitoring could be classed as hacking, a criminal offence subject to penalties.
A privacy policy forms the basis of a company’s internal data protection guidelines. It sets out the rights of data subjects and the obligations of an employer and establishes a series of guidelines, ensuring data handling complies with GDPR standards. Although policies should be tailored to the needs and requirements of each company, there are certain elements that should be included for all industries.
A good privacy policy template should include the following:
As a member of the HR team, you can implement a series of best practices to continuously monitor and improve your methods for safeguarding employee data protection:
An often-overlooked factor when it comes to data protection is storage. According to the GDPR, personal data must be stored for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labor, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period).
Data needs to be stored on a secure server and, although encryption is not mandatory, it is highly recommended. By using a safe and secure document management system you can easily and securely manage all your company and employee documents and effectively protect your data. Data can be readily accessed and audited which helps the company achieve its overall goal of compliance.
An employer can legally hold the following data:
An employer can only legally hold the following data with an employee’s express consent:
A data breach is defined as the unauthorised access to, or loss, transfer or destruction of, personal data as a result of a security breach. Depending on location, there are various implications for encountering a data breach. In the UK, for example, data breaches must be reported to the Data Protection Commission (DPC) within 72 hours. Breaches involving personal data must also be notified to the data subject within the same timeframe.
Repercussions can include:
As we have seen, GDPR regulates personal data in Europe. In the US, it is also regulated by the following organisations:
Generally, personal data cannot be disclosed without the express consent of the employee in question. However, there are certain circumstances where employee data can be disclosed without consent:
So far we have clarified what constitutes personal data, what laws govern the handling and processing of employee data, and how companies can safeguard these regulations and ensure compliance. But what about when an employee leaves the company? What requirements does an employer have and what data needs to be disposed of or stored?
First and foremost, although there are no minimum or maximum time limits for keeping employee data, the law does state that data should not be kept for longer than necessary. The length of time you keep data depends on many factors, including data type and reasons for storage and handling. Any data not required must be securely destroyed. This applies to both digital and paper records.
There are also other legal requirements which need to be taken into account:
Aside from deciding what data should be stored and what data should be destroyed, the IT department must ensure all company electronic devices, including phones, laptops and tablets, are retrieved and all access to internal systems, processes and documents are immediately restricted.
We hope the tips and advice in this post help you design and implement an efficient data protection policy that safeguards the data of all your clients, customers and employees. Following a proactive, hands-on approach to data privacy will help your company ensure compliance, avoid potentially catastrophic data breaches, and promote a brand based on trust, transparency and accountability.
Written by Cat Symonds; Edited by Tanya Lesiuk