This article is Part 4 of our series on the GDPR for U.S.-based companies. Part 1 assisted U.S.-based companies in determining whether the GDPR applies to them; Part 2 provided an overview of the GDPR’s key concepts and requirements; and Part 3 provided information about key steps to compliance.  In this article, we will discuss how the GDPR will impact U.S.-based human resources (“HR”) professionals.

When it comes to compliance with privacy laws, companies often overlook the more internal data that they collect – data about their employees. Probably more than any other department in a company, HR offices and databases have a treasure trove of documents that contain personal information related to current and former employees and job applicants. Such documents include:

• Job applications and resumes;
• Background check information;
• Social security numbers and other government identification;
• Payroll and bank account information;
• Immigration forms;
• Personnel records;
• Employee benefit records;
• Medical records;
• Retirement and termination records.

For this reason, those who work in the HR field should be familiar with the GDPR, and with other state and federal privacy laws that protect the confidentiality of personal information. 

As we learned in Part 1 of this series, the GDPR has a very broad reach and will apply to any U.S. business that has employees located in the European Union (“EU”).  It does not matter whether the employees are EU citizens.  If a U.S.-based company has an employee who is a U.S. citizen and is working in the EU, then the GDPR will apply to the collection and processing of personal information related to that employee.  In addition, on April 19, 2018, the European Commission Working Party 29 (“WP 29”) issued a position paper that discussed the size of employers that are required to comply with the specific collection and processing requirements that are set out in Section 30 of the GDPR.  That section requires that controllers and processors maintain a record of the collection and processing activities under their responsibility, which must contain:

• The name and contact details of the controller or processor;
• The purposes of the processing;
• A description of the categories of data subjects and the categories of personal data;
• The categories of recipients to whom the personal data will be disclosed;
• Transfers of personal data to a third country or organization and the identification of the third country or organization;
• The timelines for deletion of the categories of data.

Article 30(5) excluded the obligation to maintain a record of these processing activities to an enterprise or an organization employing fewer than 250 persons unless:

• the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects,
• the processing is not occasional, or
• the processing includes special categories of data [that “reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, or data concerning health or information on a person’s sex life or sexual orientation], or personal data relating to criminal convictions and offenses * * *.”

The position paper clarified that organizations with fewer than 250 employees that process data regarding employees would not be excluded from the requirements of Article 30 because these processing activities are not “occasional.” 

So, what does all of this mean for an HR professional?

1. Employees Must Provide Consent

HR professionals must ensure that employees provide consent for the regular collection and processing of their personnel records at the time that employees apply for work.  One way to accomplish this is to include a specific notice with the job application that:

• The employee understands that the company will collect and process certain personal information that is required for application or employment with the company, and
• The employee consents to the collection and processing of personal data for this purpose.

You must provide the specific purpose for which you are collecting the data.  That purpose may be recruitment or employment.  Further, you must provide: 

• Information on the employee’s rights to ensure that the information is accurate,
• The amount of time that you intend to keep the data, and
• Information about the employee’s right to request deletion upon termination.

Employers will also have to provide information on how an employee can withdraw consent, or request deletion of personal information from the employer’s databases.  The requirement to delete information may also be impacted by other state or federal laws that require record retention.

2. Minimize the Data Collected

The GDPR includes a concept known as “data minimization,” which requires that the personal data that a company collects be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”  (Article 5(1)(c)).  Therefore, you should review all of the information that you collect and process to determine whether it is necessary.  You should refrain from requesting any information that you do not need.

3. Provide Employment and Personnel Records Immediately

HR professionals in most states are already bound by laws that provide certain timelines in which to provide information in a personnel file.  For example, in Oregon an employer must provide a reasonable opportunity for an employee to review personnel records within 45 days after a request.  In Washington, an employer must make personnel records available within a reasonable period of time at least once per year upon an employee’s request.  In addition to these statutes, employers with employees in the EU must provide employment records “without delay,” but usually within 30 days.

4. Provide Additional Safety Measures to Data

HR professionals must consider how they can keep personal information private.  Encrypting data and strengthening the password protection to files that contain personal information are two methods of providing extra protection.

5. Delete Data When Its Retention Is No Longer Required or Necessary

Companies should delete all data after the expiration of specific state and federal record retention laws.  Notify applicants or employees if you must maintain data and for how long.  Cite to the specific requirement.

6. Provide Privacy Training

Whether we are talking about the GDPR or other state and federal privacy laws, more than ever, HR should ensure that all employees receive privacy training to help prevent data breaches that may occur with phishing or other malware or email scams. Companies should also implement training about the use hardware such as employer-provided laptops and cell phones. With the growing trend of “plugging in” remotely among companies, trainings regarding Virtual Private Networks and other software used by a company’s employees is also key to securing confidential information.

7. Understand the Data Breach Policy

In addition, HR professionals must understand the company’s data breach policy and be able to take quick and decisive action in the event of a data breach.  HR may well be involved in drafting the appropriate data breach notices that must be provided in the event of a data breach.  The GDPR requires that businesses notify anyone affected by a data breach within 72 hours of becoming aware of the breach. This means that appropriate protocols and channels of communication must be in place and well-implemented both for breaches that occur within and outside of a company’s system. Some companies may want to consider hiring a Data Privacy Officer to be in charge of data privacy and/or security for the company.

The GDPR is now in effect.  HR professionals who have not already evaluated whether they have employees who may require compliance with the GDPR should conduct this analysis immediately and consult legal assistance if they have questions.