The question of what GDPR means for employees is two-fold – on one hand, employees need to know how they can collect, process and store the data of clients and customers, but on the other hand, employees need to understand their own rights in relation to the data that their employers collect as part of the employment relationship.
While most of the focus of GDPR-related news has been on the changes to how customers can access and manage their personal data, it is important to bear in mind that the new legislation targets not just consumers, but everyone who has a data relationship with an organisation. As a result, while companies need to be aware of the rules affecting how they can collect and manage customers’ personal data, the same considerations apply to their employees’ data.
Client and customer data
In the case of client and customer data, employees need to be aware of the fact that the new data protection requirements under GDPR are not only stricter and more customer-orientated than the previous legislation, but also that there are serious consequences in the event of contraventions.
In order to ensure that staff deal with client and customer data correctly, companies need to provide clear training to all employees who handle or come into contact with personal data. This includes setting up and enforcing rules relating to the safeguarding of data, especially in the case of portable devices such as laptops and mobile phones, which are often taken out of the office premises and can be left unattended, raising the risk of data breaches.
In addition, companies need to ensure that staff know the correct procedure to follow if a data breach does occur. The new requirements impose a strict notification deadline in the case of serious data breaches (72 hours), and failure to comply with this requirement could have serious financial consequences – the regulations impose a maximum fine of 4% of global turnover, or 20 million Euros.
In addition, following the recent Facebook and Cambridge Analytica data harvesting scandal, consumers are more conscious of how companies use (or misuse) personal data, so any negative data-related publicity could have serious long-term impacts on business prospects and reputation.
Employee data
In addition to knowing how to deal with client and customer data, employees should be made aware of their new rights in relation to the data that their employer holds.
Companies hold and process employee data on a regular basis – this includes bank and salary information for payroll or pensions purposes, personal contact details, and, in some cases, medical or other sensitive information. In addition, the obligations of companies in relation to data handling extend not just to current employees, but also to prospective and former employees.
In order to ensure compliance with the new requirements, companies should inform their staff about any changes to their internal procedures regarding personal data management, tell them where they can obtain more information about their rights or make a complaint, and explain what the changes mean for staff in practice (e.g. what data the company is processing and why). They may also need to look into appointing a data protection officer to ensure the new requirements are met.