The 2018 implementation of the General Data Protection Regulation (GDPR) shook things up in the European Union, and its impact has reached countries all over the world. As people pushed for transparency and informed consent, this law was intended to resolve many of those concerns. GDPR applies to any business or organization that employs or serves EU citizens, which includes U.S.-owned businesses with European operations. Violations of GDPR can lead to severe financial penalties, with fines as high as 20 million euros or 4% of a company’s previous year’s turnover.
If your business is planning to expand into the EU, it’s important to know the top 4 challenges of managing employee data in Europe.
1. Monitoring Employees
Many EU businesses implement surveillance technology to ensure their employees are working efficiently during business hours. This discourages employees from surfing the web or working on personal matters while at work. However, whether and how these monitoring activities must be disclosed depends on where a company is located and what area of business it operates in. This can be a major challenge for employers, as these requirements vary across states, localities, and countries in the EU.
To stay compliant, employers will need to disclose their monitoring procedures, as well as the specific reasons these procedures are being implemented. When it comes to managing employee data in Europe, this is just one area where businesses need to provide considerable information regarding their monitoring practices.
Even if a company is legally allowed to monitor its employees’ actions in the workplace, there are still a host of GDPR-related requirements it will need to meet, including:
- Ensure only necessary information is collected
- Guarantee that this information is only used for the purposes for which it was collected
- Be sure that all information is properly secured and stored
- Create a detailed plan in the event of a security breach
For these reasons, HR departments have a difficult job. They’ll need to walk the fine line between monitoring employee activity and ensuring employee privacy is upheld.
2. Consent vs. Legitimate Interest
Consent is a major attribute of GDPR legislation, as one of its founding principles requires employers to obtain consent from employees when processing personal information. Employees have the right to understand how their personal information will be processed, used and transferred between other entities.
When it comes to customers or vendors, GDPR provides very clear guidance for employers on how to go about collecting information. Employee data creates a more difficult situation for employers, because obtaining voluntary consent for every piece of employee data is complicated by the unequal negotiating power between employers and employees. The reasoning for this is
GDPR does, however, provide an alternative for consent called “legitimate basis,” which applies to three areas of employee data collection:
- To perform an employment contract
- To comply with legal obligations
- To further a legitimate interest of the employer
The first of these applies to employment contracts or collective bargaining agreements, which outline the terms for employee salary, benefits, leave, discipline, and any other terms expressed in the agreement between an employer and an employee.
Another allowance for employee data collection is called the “legal obligation,” which essentially means the data processing is required by law. However, this allowance is narrow, as the business will need to base it on EU law, not US law.
The final allowance is known as “legitimate interest.” According to the UK’s Information Commissioner’s Office, this basis applies where the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
In practice, this means the basis can apply whenever a company uses personal data in a manner that an employee can reasonably expect. The term “interest” can refer to a wide range of things, including the organization’s or third party’s commercial interests or wider societal benefits. Typically, this condition applies when:
- The processing isn’t legally required, but there is an obvious benefit to it
- The processing of data doesn’t infringe on the employees’ privacy
- The employee can expect their data to be used in the way the employer suggests
To make use of this allowance, employers will need to perform a privacy impact assessment that weighs their legitimate interest against the employees’ privacy rights. This can be a time-consuming process, as employers must document everything to demonstrate that the individual’s legal rights do not override their interests. Even if the business has good reason to process employee data, the employer must give notice to the employee, outlining what information is being collected and what it plans to do with it.
3. Managing Sensitive HR Data
Under GDPR, there is a distinction between “personal data” and “sensitive data.” The latter category is considered sensitive because it covers personal information relating to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union memberships
- Genetic data
- Biometric data
- Health data
- Data related to a person’s sex life or sexual orientation
The processing of this sensitive information is strictly prohibited, unless the employer qualifies under specific exemptions, including:
- The express consent of the employee
- As necessary for the purposes of implementing employment obligations, such as compliance with collective bargaining agreements
- To protect the vital interest of the data subject
It’s important for employers to be aware of how to process this information if they feel the need to do so. Non-compliant processing of employee data can lead to legal penalties and fines, as well as civil lawsuits.
4. Country-Specific Requirements
GDPR was meant to provide a broad set of regulations to protect employees and consumers. However, each country within the EU can choose to enact additional requirements for processing HR data through national laws and collective agreements. In many cases, the laws and regulations of individual countries are much stricter than the baseline GDPR data protection. Here are a few examples to consider:
France: The French have implemented laws to prohibit employee data or personal information from being transferred outside the country. This makes it difficult for employers when an employee has moved from France to another European country.
Germany: The German government passed a law with additional, stricter HR data processing requirements. This can become an additional, time-consuming burden to HR teams attempting to process and organize employee information.
In addition to country-specific laws, union collective bargaining agreements (CBAs) and works council agreements may impose further requirements. This means employers will need to understand both the country’s laws and the CBAs covering their employees in order to remain compliant when processing employee data. Make sure your business knows these rules, including when employee information can be processed and how long HR data is allowed to be retained.
To ensure a compliant workforce in the EU, it’s critical for businesses to partner with GDPR and expansion experts. With so many varying regulations and requirements, managing international employees can quickly become cumbersome and difficult.
Global Upside, a Safeguard Global company, specializes in keeping businesses compliant, while enabling them to find hidden opportunities in the global marketplace. Regardless of your growth goals, every business will need to find a partner that is flexible, with enough expertise to provide a customized approach. As one of the leading companies providing incorporation services in 170+ countries, Global Upside can help your company expand to any market.