GDPR has been talked about for months, and we know businesses and employers really need to think about it. But what about employees?
In less than three months, all businesses and organisations across Europe that handle customer data will have to comply with the General Data Protection Regulation (GDPR).
For organisations, it will mean establishing clear procedures around consent and having a legal basis for gathering data, so employers need to sit up and pay attention.
But, for the average employee, what exactly does GDPR mean? How will the regulations affect you if you’re not the one running the business?
We spoke to Nicola Flannery, a senior manager in risk advisory in Deloitte, to find out more. Flannery said the way in which GDPR will affect employees is twofold. “Firstly, in their employment capacity with their organisation where they process personal data as part of their everyday roles and responsibilities. Secondly, where their organisation collects and processes personal data specific to the employee themselves,” she said.
Employee data
“Employees, as data subjects, should ensure that they are informed as to how their personal data is processed within their organisation. They should be aware of any internal GDPR programme of work and, as part of this, should start seeing internal communications notifying them of any changes that impact their personal data directly.”
Flannery said employees should make sure there is full transparency within their organisation around their personal data, and they should be clear about the following:
- Who the data controller of their data is
- Any changes to their contract, company handbook or the processing of their data
- The purposes of the processing of their personal data
- Any third parties who receive their data, eg payroll providers
- Any intention to transfer their data outside the EU
- Their rights under GDPR, eg right to object or lodge a complaint
- The existence of any automated decision-making, eg profiling
For employers looking at how GDPR will affect them, there is a danger of getting so wrapped up in the processing of external data that they forget about data pertaining to their own employees.
“Employers need to ensure that their GDPR compliance programme includes the fact that employees are data subjects too, with the exact same rights,” said Flannery. “It is surprising how often employee personal data is overlooked within these programmes of work.”
She said organisations need to understand the lawful basis of processing personal data, and ensure transparency and accountability by creating a data protection policy and easily accessible data protection notices.
“It is important to also note that the recently issued Irish Data Protection Bill stipulates that requesting an individual to make an access request for the purposes of recruitment, continued employment or a contract for the provision of services will be an offence,” she said.
“The bill calls out a number of instances where criminal sanctions will be applied, including in the case of offences committed by directors, managers, secretaries or other officers of an organisation which are proved to have been committed with the consent, connivance or negligence on the part of these employees. In addition, it is an offence for employees to obtain or disclose any personal data without the authority of their employer.”
Employees handling data
For employees who process personal data as part of their role, Flannery said they should be fully abreast of their organisation’s GDPR compliance programme and how this will affect how they collect, access, process and store personal data. They should also ensure the following:
- Their roles and responsibilities are clearly defined
- They are aware of who the responsible data protection person is
- They only ever process personal data in line with their defined responsibilities
- They have a clear overview and understanding of the organisation’s data protection notice, as well as easy access to all relevant internal policies
- They are provided with training specific to the processing of personal data
With all of this in mind, what practical steps can employees take to prepare for GDPR? Flannery said it’s essential to know your rights. “While a chunk of the personal data collected by employers is a contractual necessity, driven by employment law or quite simply to provide yearly performance reviews or get paid, employees should be clear on all these uses,” she said.
“In particular, employees should be diligent in reading acceptable usage policies so that they understand what level of monitoring – if any – is being carried out on a daily basis, and whether or not this is necessary and proportionate.”
Flannery also said employees should expect to see open and transparent communication around the use of CCTV in organisations as well as any particular types of automated decision-making, including profiling.
“Employees should not be afraid to ask their employers what the lawful basis is for processing their personal data if they feel they are being requested for categories of data that seem excessive, and, as already mentioned above, employees should never be subject to an enforced subject access request,” she said.
“At the end of the day, what is most important is that all employees know their rights as a data subject and be at the core of helping to drive that privacy culture across their organisation.”