A sea change in data protection law in the European Union (EU) is about to take place, and your organization doesn’t have to be based in the EU to feel its impact. The General Data Protection Regulation (GDPR) will take effect on May 25, 2018. The GDPR applies not just to EU Member States, but also to U.S. organization with EU-based employees. Any U.S. organization that has a branch, office, affiliate, franchise, or agent based in the EU should check if it must comply with the GDPR. Failure to comply with the GDPR can lead to fines of up to 20 million euros or 4% of annual global turnover (revenue), whichever is higher.
The GDPR regulates how “personal data” of EU citizens is collected, stored, processed, and destroyed. The GDPR definition of “personal data” has a broader meaning than how U.S. laws usually define the term. In addition to typical identifying information (e.g., name, address, driver’s license number, date of birth, phone number, or email address), “personal data” under the GDPR includes more expansive categories of data such as salary information, health records, and online identifiers (dynamic IP addresses, cookie identifiers, mobile device IDs, etc.). The GDPR also provides heightened levels of protection for special categories of employee data, including racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning an employee’s health, sex life, or sexual orientation, and biometric and genetic data.
The GDPR has wide-ranging effects on data collection, use, and retention. Some of the data practices regulated by the GDPR include:
- Data processing – Consent is one legitimate basis for processing personal data of employees, but the GDPR requires that consent be freely-given, specific, informed, and revocable. This means most blanket consent provisions typically found in employment contracts are not valid. If obtaining consent according to GDPR requirements isn’t practical, an employer might need to rely on other legal bases for processing employee data. Processing employee data is legal if it is necessary for the performance of the employment contract, required by law, or in the employer’s legitimate interests which outweigh the general privacy rights of employees.
- Employee monitoring – The GDPR limits what employers may do with data obtained through employee monitoring.
- Notification – The GDPR specifies what information employers must include in notices informing employees about the kind of personal data that will be collected from them.
- Right to be forgotten – Under certain circumstances, data subjects have the right to require data controllers to erase their personal data.
- Data portability – A person is entitled to transfer their personal data from one electronic processing system to another without being prevented from doing so by the data controller.
- Data breach – The GDPR governs the procedures and substantive requirements for giving notification of a personal data breach.
Now is the time to revisit your employment contracts and policies with privacy counsel to ensure compliance with the GDPR.