What GDPR Means For Employee Data | Cornerstone
Get Started
Back to Resources

Article

What GDPR Means For Employee Data

General Data Protection Regulation, or GDPR, took effect across the entire European Union on May 25, 2018. The new legislature applies not only to European businesses, but also to US companies that work with EU-based clients, customers and employees. And, for businesses hiring candidates from within the EU, GDPR introduces a new set of guidelines to follow with regard to applicant and employee data.

Here's what you need to know to make sure you're following GDPR-compliant best practices.

GDPR and Employee Data

GDPR, a set of rules created by the European Commission, simplifies the regulations for customer data processing for businesses and gives explicit guidelines on what they can and cannot do with customer data. For instance, they must ask customers for consent to handle their data, have data protection officers and tell customers when there has been a hack or breach.

But GDPR isn't limited exclusively to businesses that handle sensitive data like insurance companies and medical groups. It also applies to the IP addresses of people visiting their websites as well as the human resources records for employees and even prospective employees.

Under the GDRP, employee data is protected from the moment he or she interacts with a business. For instance, if an interested candidate goes to a company's website and fills out a career application, the company has the obligation to protect that data and get his or her consent to use their data.

Employee rights under GDPR have increased, and now employers based out of or doing some business in the EU must follow these guidelines in addition to existing privacy regulations in order to keep employees' data secure at all times:

Ask for expanded consent.
In the past, employees were often required to sign companies' non-disclosure agreements and employer contracts. Under GDPR, employee rights stipulate that giving companies consent to process employee data is only binding if it is “freely given, informed, specific and unambiguous," and retrieved by a clear affirmative action, according to HR Technologist. Additionally, it must use clear and simple language, needs to be “distinguishable from other matters" and must allow employees to withdraw their consent to processing at any time.

Demonstrate a need to access employee data.
Companies need to give workers a valid reason for viewing their data. For example, employers need to look at employees' sensitive information to issue them tax forms. In this circumstance, employers can justify their access to sensitive data since it's required for tax purposes. Similarly, employers need to use employee data to record their sick days in order to ensure their payroll is correct.

Process data if it's in the employers' immediate interest.
Employers can process data when they have a valid reason, as long as it does not interfere with employees' privacy. For example, they may track employees entering and exiting the building for safety purposes.

Process personal data in special categories and criminal records only with consent or to fulfill legalities.
Employers will only be allowed to access employee data from special categories, which include religious and political beliefs, ethnic origin and trade union affiliations, under very specific conditions. An employer can only process such data if the employee gives consent, if it's necessary to be compliant with employment rights and obligations and if it's for legal cases.

All of these new limitations on data access need to be included within a company's privacy policy and flagged to workers so that they can review it immediately, and be able to come back to it at any time.

How to Ensure GDPR Employee Data Rules Are Upheld

If businesses have not done so already, they must revise their privacy policies and review employee data processing consent forms for updated language. They should also let employees know about the new GDPR guidelines and allow them to modify their consent preferences and/or review their records based on the new regulations.

GDPR was designed in the interest of employees, but it can help build trust between a company and its workers because it demonstrates that companies are taking care of their employees' most private information. When you roll out new GDPR employee rights, use it as an opportunity to strengthen that trust—take a look at your existing policies and ensure your teams' data is secure.

Do you want to guarantee the security of your employee data under GDPR? Join more than 30 million Cornerstone On Demand subscribers and safeguard your data today.

Join 36+ million people who realize their potential using Cornerstone

Let's Talk