The May 25, 2018, effective date for the European Union (EU) General Data Protection Regulation (GDPR) is just two months away. For most companies, the highest risk area for GDPR compliance—for several reasons—is processing human resources (HR) data. The main sources of the risk are (1) the difficulty in achieving full compliance, (2) the probability of data subject complaints or regulatory enforcement actions, and (3) the potential monetary exposure for noncompliance.

1. Difficulty in Achieving Full Compliance for HR Data Processing

While the GDPR is intended to provide a uniform regulatory scheme for processing consumer and business-to-business (B2B) customer data across all EU jurisdictions, the same is not true for processing HR data. There are a number of intricacies with processing HR data, such as:

2. Probability of Data Subject Complaints or Regulator Enforcement Actions

Employees (especially employees who are disgruntled for whatever reason) are likely to file complaints both internally and externally regarding improper processing of their data under the GDPR. Typical examples include the following:

3. Increased Monetary Exposure for Improperly Processing HR Data

The GDPR imposes two levels of administrative fines, depending upon the nature of the violation.

Most violations involving the processing of HR data will likely be second level violations, including noncompliance with the Article 88 country-specific requirements for HR data; failure to use a proper legal basis for collecting and processing data; violations of data subjects’ rights, including data subject access rights; and improper transfers of data outside of the EU.

Key Takeaways for Employers

The May 25, 2018, GDPR effective date is fast approaching. Companies employing employees or recruiting applicants in the EU will want to quickly determine whether their current compliance efforts will satisfy the unique, country-specific requirements for processing HR data. Further details on GDPR compliance can be found in our recent article, “The Highest Risk Area for GDPR Compliance: Processing HR Data.”

Written by Grant D. Petersen, Simon J. McMenemy, Hendrik Muschal, Danielle Vanderzanden, and Stephen Riga of Ogletree Deakins