The new EU GDPR will be a game changer for a number of multinational employers. Here are a few practice pointers for US-based enterprises with European HR data:
Uniformity is not guaranteed. While the GDPR seeks to harmonize privacy law in Europe, employers should be mindful of a key exception: member states can implement additional rules with regard to employment data.
Binding corporate rules (BCRs) will grow in importance (see the previous article on this topic) and will be very useful for intra-company transfers of employee data. They are specifically referenced by the GDPR and will serve as a key mechanism for cross-border transfers. Some companies may self-certify under Privacy Shield as well (however, I am skeptical that Privacy Shield will succeed where Safe Harbor did not, given what I read as the fundamental critique of the US legal system within the decision that invalidated Safe Harbor). But for pure intra-company processing of employee data, BCRs are likely the most reasonable path.
Employee notice and employer compliance are central. Employees will have expanded rights to know what is being collected about them, to view data records, to correct inaccurate information, to understand how long their information will be stored, to know where the data will be transferred to, and to exercise a right to demand erasure and/or some form of the right to be forgotten over that data (especially when, as is often the case in the employment context, the data is no longer necessary in relation to the purposes for which it was collected or processed). Employers will have to comply with employee requests to review data at no charge – and to export the data for their own use.
Relying on the consent of employees as a ground for data transfers is very risky. As previously discussed here, European authorities take a dim view of consent given by employees because of the power dynamic in the employer-employee relationship and because of the likelihood that a refusal to give consent will be accompanied by adverse employment action. Employers will need to identify a specific ground for processing employee data (e.g., necessary for a contract, legally required, in furtherance of the legitimate interests of the employer) – and bear in mind that such grounds will likely be narrowly construed by authorities.
Employers will have to comply with cyber security and breach notification guidelines and have flexible approaches to sensitive data. Employers will be obligated to implement appropriate and effective security and privacy measures and must be able to demonstrate that their processing activities comply, including the effectiveness of those measures. Employers will be held to a much higher standard when processing extremely sensitive personal information and will need to adjust security procedures accordingly. Employers holding such sensitive information will need to notify employees of breaches immediately.
Employers are restricted in their ability to use automated decision-making tools with regard to employees (or potential employees). Elsewhere, I have discussed bias in employment-related algorithmic decision-making, and I will write a separate post on this topic shortly.
Don’t rely on Brexit for any relief from data protection laws. Yet.
Two excellent resources: