Data privacy is no longer a "nice-to-have" feature but an imperative acknowledged by individuals, companies, and regulators. As consumer awareness has grown, organizations have had to invest more effectively in data privacy and security. Security and privacy are now treated alongside innovation, so that solutions protect consumer data by design. The "General Data Protection Regulation (GDPR)" came into effect in 2018 to set out the requirements that must be met when processing personal data. GDPR is a privacy law that regulates how companies must handle personal information. It applies to every company that processes the data of EU citizens, regardless of where the company is located. GDPR has become the model for many other data protection laws, such as the California Consumer Privacy Act (CCPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Australia's Privacy Act, and privacy laws in Chile, Japan, Kenya, South Korea, and elsewhere.
GDPR has seven principles that together define the purpose of the regulation. The principles are:
- Accountability for compliance with the regulations
- Data minimization to store what is necessary
- Storage limitation to ensure the periodic removal of stored data that is no longer needed
- Accuracy, keeping personal data correct and up to date
- Data processing in compliance with lawfulness, fairness, and transparency
- Purpose limitation to ensure explicit, specific, and legitimate reasons for data collection
- Integrity and confidentiality through appropriate security measures
To ensure that data safety and privacy are handled legally and ethically, large penalties are imposed on violators. Depending on the severity of the infringement, organizations can be fined up to 2% or 4% of their previous financial year's global annual revenue. While firms work hard to secure customer and client data, they tend to overlook the personal data of employees collected at the time of hiring or during employment. One of the key aspects to consider when processing such data is the consent of the data subject (the employee). The unequal power dynamic between employers and employees makes genuinely voluntary consent difficult to obtain. Furthermore, employers often fail to tell employees the purpose for which their data is collected. Costly consequences can be avoided by paying attention to these details. The recent GDPR violation committed by a European multinational retail company illustrates what to keep in mind when collecting employee personal data.
Background
The multinational clothing company has over 100,000 (1 lakh) full-time employees spread across more than 50 countries.
One of its subsidiary service centers was fined for a GDPR violation involving excessive employee monitoring. The fine was imposed by the local regulatory body (the Commissioner for Data Protection and Freedom of Information). The incident came to light when a technical configuration error exposed the collected data, making it accessible to all employees for a few hours. This caught the attention of the regulatory body, and over 50 GB of data records were submitted for evaluation.
Violation
The organization was found to be storing private details of its workforce on a network drive. This data, collected since 2014, contained notes from discussions held with employees after they returned from vacation, including their experiences, symptoms of illness, and diagnoses. Some recorded notes covered family issues and religious beliefs. The notes were used to build detailed employee profiles that informed decisions about their employment. The information was easily accessible to over fifty managers throughout the firm.
Analysis
Article 88 of the GDPR sets out specific rules for protecting employee personal data. Since employee data can enhance internal HR processes and overall productivity, a separate article was included for data processing in the context of employment. This article also requires employers to safeguard the fundamental rights and legitimate interests of employees by taking adequate security measures. Employers need to be mindful of collecting excessive employee data and of the consequences of doing so.
In the case study referenced here, the penalty was imposed for the violation of two GDPR principles:
- Article 5(1)(c): Data minimization
- Article 5(1)(f): Integrity and confidentiality
Data minimization
Under the data minimization principle, the personal data collected must be:
- Adequate: Sufficient to properly fulfill the stated purpose
- Relevant: Rationally linked to the purpose
- Limited: No more than what is needed
Employers must regularly assess the collected data and establish whether it is still relevant to the purpose of collection. This process ensures that excessive data is periodically removed once the purpose has been served.
Integrity and confidentiality
This principle deals with the CIA triad (confidentiality, integrity, and availability) and the measures taken to protect stored data. The issue at hand was identified when a technical error made the network drive holding the employees' personal information accessible to everyone. As a result, data confidentiality (protection from unauthorized access) and integrity (protection from unauthorized change, so that the data remains reliable) were compromised.
Company response
As a penalty for the incident, the Data Protection Authority imposed an administrative fine of EUR 35 million, the highest fine imposed under the GDPR specifically for an employee privacy violation.
The company accepted the corrective employee data protection measures and provided generous compensation to all affected employees. This was the first time an international organization acknowledged its responsibility for personal information security and privacy and made immediate changes at its service center.
Here are some of the measures the firm actively took:
- Management level personnel changes at the service center
- Privacy and labor law training for their leaders
- Revised instructions for managers
- Creation of a new role with specific responsibilities to audit, follow up, educate, and continuously improve data privacy processes
- Enhancement of the data cleansing processes
- Significant improvements to the IT solutions that support storage of personal data, training, and leadership
They also reassured their customers and employees that personal data protection is their top priority and that they strictly adhere to applicable data protection law and to their own high security and privacy standards.
Learning
When it comes to personal data, fairness and transparency are of utmost importance. Fairness means that data must not be used in ways that are unduly detrimental or misleading to the individuals concerned. Transparency means that data subjects have the right to know what data is being collected and how it will be used. In a workplace, employers commonly assume that the personal information of their salaried employees can be used in any way within the context of the workplace. This notion is wrong: employee personal data must be collected and accounted for with the same priority given to the personal data of other stakeholders (customers and vendors). To meet employee privacy requirements, HR personnel must be adequately trained to handle data. The significant fines levied by the regulatory authority in such cases show the seriousness of the issue and that such fines are not reserved for security incidents alone.