Editor’s note: The General Data Protection Regulation (GDPR) is a regulation enacted in May 2018 that governs the use of personal data and the rights of individuals across the European Union (EU). Any organization working with the personal data of individuals in the EU must maintain compliance. Because the regulation applies to the data an organization holds on its own employees, global payroll and human resources departments have assumed a leading role. Compliance is critical given the prospect of fines that can be revenue-based.
In May 2019, the first anniversary of the implementation of the GDPR, the Global Payroll Management Institute (GPMI) published Part I of this set of Q&As that addressed compliance and operational questions. The first article on GDPR by this author was published in July 2018.
The following Q&A with Donald C. Dowling, a shareholder with Littler, is provided to assist leaders in global payroll who may be called upon to explain the significance and consequence to other departments within their organization.
What best practices should be put in place to review personal data flows and data security mapping with your systems/providers?
This is vital. The old EU data law (the EU data directive) was vague on this, but now GDPR regulates policing data flows in substantial detail. Much of GDPR Chapter IV, articles 24-43, speaks to this.
Think of a data flow as links in a chain, data flowing from link A to B to C to D and so on.
Whenever a new party gets access to GDPR-regulated data (say, a payroll provider gets employee pay data, or a blood testing lab gets a hospital’s patient data), the controller has to police GDPR compliance―not only policing good data security, but policing other issues as well. For example, how quickly does the processor delete (purge) data that have become obsolete?
As to policing data security, GDPR article 32 speaks to this, urging but not requiring (for example) “the pseudonymisation and encryption of personal data.”
How will Brexit—or the uncertainty on its future—impact GDPR? What steps should companies take now?
This could change, but for now: Assume the U.K. will retain a U.K. privacy law that is a GDPR clone. As necessary, the U.K. will ask the EU for an “adequacy decision” under GDPR article 45, getting the EU to treat the U.K. for most purposes as a member of the GDPR “club,” as to data coming into the U.K. from the EU.
Companies with U.K. and EU operations might have a lot of steps to take as to Brexit generally, but for now, there might not be much to do as to GDPR specifically. Just assume a GDPR-like regime will apply, one way or another, in U.K. post-Brexit.
The “doomsday scenario” is that, for political reasons and as punishment, the EU treats U.K. data law as inadequate (the EU withholds a GDPR article 45 adequacy decision), making U.K.-to-EU data flows more like U.S.-to-EU data flows.
If the EU did this, it would likely be for political reasons and as punishment, because I think deep down Europeans on the continent trust U.K. data law as complying with GDPR, even post-Brexit (unless U.K., post-Brexit, waters down its data law, which seems unlikely). The EU might withhold an “adequacy decision” claiming to fear U.K. government authorities are too aggressive in surveillance of databases.
What language needs to be included in an employee consent to move data outside the EU?
Often, none at all.
This depends on which “avenue” the data is being exported down as the data leaves the EU. When exporting personal data under “binding corporate rules,” under “model contractual clauses” or under an “adequacy decision,” no data subject consent is necessary at all (the data subject merely needs to be told about the export: notice, not consent).
If data is not being exported on one of those “avenues,” then yes, the data subject must consent “after having been informed of the possible risks of [the] transfe[r],” according to GDPR article 49(1)(a). So the language to include in the consent should explain the data export and address the “possible risks.” As a practical matter, the consent usually acknowledges that the destination country’s data law protections are not deemed “adequate” by the EU.
As to sensitive data regulated under GDPR article 9 (health data, sex life data, and some other categories but not including pay or most other HR data), a consent is necessary even if that data is not getting exported. So when exporting sensitive data, simply add into the consent (a consent you need to get anyway) a mention of the export and the “risks” in the destination country.
How often should organizations conduct a risk assessment to ensure procedures are followed?
If by “risk assessment” we mean general GDPR compliance checks, then compliance should be ongoing. Depending on the company’s operations, I suppose periodic compliance audits make sense, but the timing of those audits depends on the company’s specific operations.
If by “risk assessment” we mean a “data protection impact assessment” under GDPR article 35, those assessments get triggered not based on elapsed time, but on changes to data processing operations. For example, a company is supposed to do one when introducing “new technologies” or when beginning “processing” of sensitive (GDPR article 9) data “on a large scale.”
How should an organization handle employee requests to be forgotten?
As mentioned, at one point data privacy advocates insisted that a broad “right to be forgotten” be included in GDPR. Sure enough, the phrase “right to be forgotten” did get into GDPR, and this “right” got its own article (GDPR article 17). But arguably this “right” got so watered down that it doesn’t add much to pre-GDPR rules (it doesn’t add much to the old regime under the pre-May 2018 EU data directive).
In essence, EU data law has long forced data controllers (e.g., employers) to delete obsolete personal data. But EU data law has generally let employers and other controllers hang onto (retain) most personal data where there is a defensible business reason to keep the data on file.
The new GDPR article 17 “right to be forgotten” ostensibly lets a data subject (e.g., an employee) come forward and insist personal data about himself be deleted. But the controller (e.g., employer) need not delete data still necessary to keep. That is, as long as the controller (employer) has a good justification to retain the data, the controller usually doesn’t have to delete, even if the person (employee) insists, “I want to be forgotten!”
For example, imagine an employee with a bad attendance record comes in and says to the head of HR, “I’m exercising my right to be forgotten, and I insist you delete all your records of my absences from work this year!” The HR head can say, “No, we need to track your attendance to monitor your compliance with our attendance policy. We will not delete our records of your recent absences―we will not ‘forget’ relevant attendance information about you. Indeed, you better start showing up, because we’re close to having good cause to fire you for excessive absences.”
Therefore, the “right to be forgotten” does not let people force businesses to delete important data. And besides, under EU data law, companies have long had to delete obsolete personal data, anyway (it has long been flatly illegal in Europe to retain obsolete personal data where there is no business reason to keep it around).
So, when facing a deletion request by someone claiming to exercise the “right to be forgotten,” assess the business need for the data asked to be deleted. Say “no” where data is still objectively business-necessary and can’t be anonymized. But be ready to defend the business rationale for retaining the data.
What are typical data protection deficiencies?
Any company that suffers a big data breach that leaks GDPR-regulated data faces an urgent situation, so data security is top of mind when we think of possible legal exposure under GDPR.
Unfortunately, before a breach, data security is a fairly dry technical issue for the IT team, while after a breach, the issue becomes damage control, including public relations. GDPR requires fast responses and notices. This is mostly all new―the earlier EU data directive did not expressly address data breaches at all.
Breaches aside, a common (probably universal) deficiency is failing to purge all obsolete personal data. As mentioned, GDPR flatly prohibits retaining even a scrap of personal data where there is no current business need to keep it on file. For example, think of most old attendance records, old timesheets, old work-scheduling logs, old expense-reimbursement requests, and old emails.
Probably every data controller and processor subject to GDPR is in breach of GDPR, because probably everyone has at least some bit of obsolete personal data somewhere that it couldn’t justify as still imperative to keep on file. But litigation on this point is extremely rare. Statistically speaking, the risk of loss for a “failure-to-purge” claim is probably very low.
Where can I get the record retention requirements for EU countries?
We have just changed the subject entirely. Record retention requirements are unrelated to GDPR. In fact, record retention requirements are the polar opposite of GDPR. Record retention requirements force parties to keep records around longer, while GDPR is designed to get parties to process personal data for shorter periods (as mentioned, GDPR requires purging and deleting lots of personal data).
Still, we can discuss the separate topic of record retention requirements in Europe. To discuss this, let’s put aside companies’ strategies around preserving evidence within statutes of limitations (that’s a strategy question, not a matter of “requirements”). And let’s put aside rules on retaining tax/social security/payroll documentation (tax and payroll providers should comply with those requirements).
Once we put those aside, there might not be much left to discuss. Many European countries tend not to impose much in the way of American-style HR document retention mandates. For example, the last time I checked as to Spain, the only HR document-retention requirements Spain imposed (beyond the tax/payroll context) were three extremely arcane EU-level rules irrelevant to most employers in Spain. Specifically, in Spain:
- If you have any workers “performing mobile road transport activities,” retain their work-time records for two years.
- If you have any workers exposed to “group 3 and/or group 4 biological agents,” keep their names and certain other records on workplace hazardous substances for 10 years.
- If you expose workers to carcinogens and asbestos, keep records about that for 40 years.
- If none of these apply, then Spain may not flatly require retaining any specific HR documents at all (again, payroll records retention aside).
All that said, to answer the question here: There are some commercial services that sell international records retention law surveys. To find them, search “international records retention law survey.”
Donald C. Dowling Jr., a shareholder with Littler law firm, has extensive experience advising U.S.-based companies on outbound international labor and employment laws. He provides counsel on a wide variety of global employment law matters, including codes of conduct and HR policies that guide operations in multiple jurisdictions, international compensation and benefits issues, whistleblower hotlines, cross-border internal investigations, and HR compliance audits. Dowling regularly advises clients on employment matters that arise with international restructurings, reductions in force, mergers, acquisitions, and outsourcing. Additionally, he helps clients properly engage independent contractors overseas, manage expatriate programs, and develop employment agreements and employee handbooks.