Europe Leads the Way in Employee Privacy Law So It’s Time to Embrace GDPR

By Lisa Berry-Tayman and Misty Wynn

The European Union’s General Data Protection Regulation (GDPR) will be enforced starting May 25, 2018.  Data privacy does not just apply to consumers.  Employees are also protected under the new regulations as data subjects and companies are reconsidering how they collect and use their employees’ information.  Companies in the U.S. are subject to these regulations if any of their employees are situated in the EU.  HR departments are reworking their policies and procedures to better protect their employees’ information.

The GDPR requires privacy for employees’ personal and sensitive information, and this demands some overhauling for HR departments.  Is this restructuring of your systems and policies worth it here in the U.S?  Absolutely.

The GDPR is starting a revolution for other areas of the world, and it’s only a matter of time before the United States targets data subject’s privacy rights and the realm of HR data.  Not to mention, you might be subject to the GDPR even though your company is based in the U.S. if your employees work in an office or live in the EU.  Bottom line, the GDPR is not something to pass on.

Sturdy companies such as Facebook, Google, and many other online organizations are facing lawsuits due to non-compliance with current privacy regulations and directives.  These online moguls are now revamping their privacy policies to conform to the newest regulations, and many companies in other business forums will soon follow.

There are many ways that greater data privacy controls are advancing in the workplace, but here are some specific examples.

The Use of Smartphones

Many employers are utilizing the “Bring Your Own Device” (BYOD) structure in the workplace.  Approximately 87 percent of employees in the workplace are using their own devices for both business and pleasure.

The real question is: what is the employee’s expectation of privacy when they are using their own device for work purposes?

The GDPR has made it a requirement that the employer inform the employee in plain, concise language about the information they intend on collecting and how they intend on using it.  Also, the GDPR requires that the employer be open about their monitoring practices and give the employee plenty of information about how they will be monitored and for what purpose.

U.S. HR departments need to understand where to draw the line with employee privacy and what is best practice when creating a BYOD policy.  Knowing what the GDPR allows and requires is not only necessary for HR departments who have employees in the EU, but it’s important for those HR departments who want to be cutting edge.

The Practice of Wellness Programs

The hottest trend with employers is the use of wellness programs to monitor employee health.  Employers are often able to provide employees discounted healthcare premiums to participate in wellness programs and apps.  Over two-thirds of employers in the U.S. now offer wellness programs that offer wearable trackers, online programs, phone apps, and more that track medical history, smoking habits, weight, prescriptions, and other personal information.

These programs may not offer sufficient privacy for employees using them and could lead to employment discrimination.  These devices and apps are often managed by third-party providers who are for-profit and may not be subject to strict privacy regulations for health data collected from individuals.

There have been companies who have been known to abuse their power in collecting this sensitive health information.  A few U.S. and EU companies are facing legal battles in the EU due to raising insurance premiums for those employees who are considered obese by EU standards.  Just recently, the European Courts ruled that obesity is a disability, which in turn gave rise to employers and insurance companies raising premiums for health insurance for those who have been deemed obese. Some companies have even used sensitive health information to determine who might be at a higher risk to get sick or pregnant, leading to higher premiums for those individuals, which has raised concerned about privacy and employment discrimination.

When it comes to privacy, wellness programs are high risk for areas of non-compliance. Despite the cost savings and health benefits they offer, if companies do not collect only the data necessary and limit the use, they can open themselves up to lawsuits and sanctions under regulations such as the GDPR.

Monitoring Employees

It is becoming easier to monitor employees as surveillance technology is becoming more affordable.  Companies have an incentive in monitoring employees as it is more efficient to discourage employees from surfing the internet or completing personal errands during work hours.  Whether an employer needs to disclose their monitoring activities depends on where they are situated, where they do business, and in what area of business they operate; there are different regulations for different states, localities, countries, areas of business and the like.

However, the GDPR requires that an employer not only disclose that they are monitoring their employees but also in what manner and for what purposes.  The GDPR requires that an employee is given a considerable amount of information about their employer’s monitoring practices and to what extent those practices are used.

If a company is allowed to legally monitor their employees, they may not be out of the legal woods.  Companies will need to ensure that they are collecting only the information that is necessary, the information that they are collecting is being used only for the purposes for which it was collected, the information is secured properly, and there is a plan in place in case there is a breach.

It would be nice to think most employees don’t spend all day on Facebook or shopping online.  However, the typical employee might need to complete a personal errand on occasion during work hours.  HR departments would benefit from updating their privacy policies and procedures to ensure that the fine line between monitoring employee activity and infringing on employee privacy is not crossed.

The GDPR has paved the way for a new take on privacy laws, and there will be more to come.  It is only a matter of time before other countries follows suit. U.S. HR departments should come to know the EU General Data Protection Regulation as it not only might affect them directly, but it will soon become the blueprint for regulations of the future.  At the very least, it is a good business model to ensure your employees’ privacy rights are protected.

To learn more about the GDPR and how it affects HR teams, watch this on-demand webinar with cyber security expert Lisa Berry-Tayman.

Lisa Berry-Tayman is the Sr. Manager, Privacy & Info Governance at CyberScout Solutions