The May 25, 2018, effective date for the European Union (EU) General Data Protection Regulation (GDPR) is just two months away. For most companies, the highest risk area for GDPR compliance—for several reasons—is processing human resources (HR) data. The main sources of the risk are (1) the difficulty in achieving full compliance, (2) the probability of data subject complaints or regulatory enforcement actions, and (3) the potential monetary exposure for noncompliance.
1. Difficulty in Achieving Full Compliance for HR Data Processing
While the GDPR is intended to provide a uniform regulatory scheme for processing consumer and business-to-business (B2B) customer data across all EU jurisdictions, the same is not true for processing HR data. Processing HR data involves a number of intricacies, such as:
- Compliance with country-specific data protection requirements.
- Compliance with country-specific labor laws.
- Prohibition on employee consent to process HR data.
- Compliance with heightened protections for sensitive HR data.
- Compliance with special restrictions regarding employee monitoring.
- Designation of a data protection officer (DPO).
- Conducting data protection impact assessments (DPIAs) for many HR data processing functions.
- Compliance (for certain U.S. companies) with complex, sometimes conflicting, HR data requirements.
2. Probability of Data Subject Complaints or Regulator Enforcement Actions
Employees (especially employees who are disgruntled for whatever reason) are likely to file complaints both internally and externally regarding improper processing of their data under the GDPR. Typical examples include the following:
- Employees are likely to discover noncompliant data processing because they are likely to initiate data subject access requests.
- Trade unions and works councils will initiate claims and/or help employees enforce their rights under the GDPR.
- Disgruntled employees and former employees may bring GDPR data privacy-related claims, especially where the improper data processing resulted in an adverse employment decision.
3. Increased Monetary Exposure for Improperly Processing HR Data
The GDPR imposes two levels of administrative fines, depending upon the nature of the violation.
- First-level violations result in fines of up to 10 million euros or 2 percent of the company’s worldwide annual revenue, whichever is greater.
- Second-level violations result in fines of up to 20 million euros or 4 percent of worldwide annual revenue, whichever is greater.
Most violations involving the processing of HR data will likely be second-level violations, including noncompliance with the Article 88 country-specific requirements for HR data; failure to use a proper legal basis for collecting and processing data; violations of data subjects’ rights, including data subject access rights; and improper transfers of data outside of the EU.
Key Takeaways for Employers
The May 25, 2018, GDPR effective date is fast approaching. Companies that employ workers or recruit applicants in the EU will want to quickly determine whether their current compliance efforts will satisfy the unique, country-specific requirements for processing HR data. Further details on GDPR compliance can be found in our recent article, “The Highest Risk Area for GDPR Compliance: Processing HR Data.”
Written by Grant D. Petersen, Simon J. McMenemy, Hendrik Muschal, Danielle Vanderzanden, and Stephen Riga of Ogletree Deakins