Protecting customer data isn’t enough Protecting customer data isn’t enough

With the publication of the EU’s General Data Protection Regulation (GDPR), organizations began assessing the regulation’s impact. When it comes to evaluating personal data, enterprises tend to focus on customer data. But what about employee data?

A vast amount of sensitive personal data about each employee is collected and processed by Human Resources (e.g. name, address, health information, social insurance numbers, performance data, benefit and compensation data). But more and more companies and enterprises are transferring this data to third parties across national borders as part of offshoring and outsourcing initiatives (shared service centers). In processing employee data, organizations risk non-compliance with data protection regulation and face the potential risk of losing personal and sensitive data due to data breaches.

In 2014, a former employee of a UK supermarket chain released the details of around 100,000 employees online. After a complex trial process, the ex-employee was sentenced to eight years in jail. Yet, the damage to that company’s employees was already done and irreversible. The personal details that were leaked included salaries, bank account details, national insurance numbers and dates of birth. Over 2,000 of the retailer’s current and former employees are now preparing a group claim against the retailer. Stating the failure of the company to implement appropriate measures to protect employee data, they are suing for risk of identity theft, bank account fraud and the potential negative impact on credit ratings^[1]. The case may be the biggest claim ever brought before London’s High Courts relating to a mass data breach. So far, the breach has reportedly cost the retailer more than £2m and a huge loss of reputation.

The example clearly shows that it’s not enough to focus solely on customer data, but that organizations also need to adequately protect employee data. The consequences of an employee-data breach for the employer may include high fines and loss of reputation, especially under the upcoming GDPR.

The GDPR’s impact and applicability to (Swiss) organizations was addressed in previous blog articles. Now, I’d like to focus on the topic of protecting employee data. It deserves special attention as most (if not all) enterprises process personal details of their staff. Considering the GDPR’s widened geographical reach, Swiss organizations may fall in scope as well. I’ll discuss this using the following two examples:

The GDPR applies to organizations (controller or processor) that process personal data in the context of activities of an establishment in the EU [Art. 3 Par.1 GDPR]. The location, where the actual processing takes place, is irrelevant.

In the example above, there is an establishment in Belgium. Employees are performing activities connected to it by distributing goods in the EU. Therefore, personal data (i.e. employee data) is processed in the context of the activities of an establishment of a controller or a processor situated in the EU. Consequently, the processing of the employee data falls under the scope of the GDPR. The fact that processing by the payroll provider takes place in Switzerland does not change that.

The GDPR is also applicable for controllers or processors without any establishments in the EU who process personal data of data subjects who are in the EU, if the controller or processor [Art. 3 Par. 2 GDPR]:

• offers goods or services to the data subject; or
• monitors the data subjects’ behaviour as far as their behaviour takes place within the EU.

In this second example, the recruiting agency is based in Switzerland and performs all activities from its office in Switzerland. Hence, the controller is not based in the EU. Nevertheless, the recruiting agency offers (part of) its services to people who work and live in the EU. In this case, a potential candidate in Germany. Even if there is no payment involved from the German candidate, the GDPR’s application remains the same. Therefore, the processing of potential employee data by this Swiss recruiting agency falls under the scope of the GDPR.

The two examples above show how the extra-territorial approach of the EU GDPR can affect companies in non-EU countries. Consequently, the changes of the EU GDPR should be on the radar of Swiss organizations.

While considering the changes of the GDPR, note that it does leave room for EU member states to deviate from the rules regulating the processing of personal data in the context of employment. Therefore, differences in regulation within the EU should be expected, even under the GDPR.

Under the existing data protection rules in the EU, there are already local differences. In Germany for example, the work council must be consulted if an employer wants to implement an employee monitoring system. In Spain, however, this is not required to the same degreee as control measures on employees are allowed to a larger extent. Given the different levels of employee privacy that currently exist among EU member states, it’s expected that local differences remain under the GDPR and that therefore local analyses are required.

Employee personal data deserves special attention in enterprises’ approach to privacy management. The data that Human Resources departments hold is often sensitive in nature so the adequate management of employee details should be taken seriously. Organizations should start today by assessing the relevance and impact of data protection regulations on their business and determine whether they are truly in control of the data. Employee data must be acknowledged in that assessment. The negative consequences of inadequately managing or failing to protect employee data could be huge!