Protecting customer data isn’t enough. What about employee data?
With the publication of the EU’s General Data Protection Regulation (GDPR), organizations began assessing the regulation’s impact. When it comes to evaluating personal data, enterprises tend to focus on customer data. But what about employee data?
GDPR also applies to employee data!
A vast amount of sensitive personal data about each employee is collected and processed by Human Resources (e.g. name, address, health information, social insurance numbers, performance data, benefit and compensation data). But more and more companies and enterprises are transferring this data to third parties across national borders as part of offshoring and outsourcing initiatives (shared service centers). In processing employee data, organizations risk non-compliance with data protection regulation and face the potential risk of losing personal and sensitive data due to data breaches.
In 2014, a former employee of a UK supermarket chain released the details of around 100,000 employees online. After a complex trial process, the ex-employee was sentenced to eight years in jail. Yet, the damage to that company’s employees was already done and irreversible. The personal details that were leaked included salaries, bank account details, national insurance numbers and dates of birth. Over 2,000 of the retailer’s current and former employees are now preparing a group claim against the retailer. Stating the failure of the company to implement appropriate measures to protect employee data, they are suing for risk of identity theft, bank account fraud and the potential negative impact on credit ratings. The case may be the biggest claim ever brought before London’s High Courts relating to a mass data breach. So far, the breach has reportedly cost the retailer more than £2m and a huge loss of reputation.
The example clearly shows that it’s not enough to focus solely on customer data, but that organizations also need to adequately protect employee data. The consequences of an employee-data breach for the employer may include high fines and loss of reputation, especially under the upcoming GDPR.
Beyond Swiss borders: Protecting employee data under the GDPR
The GDPR’s impact and applicability to (Swiss) organizations was addressed in previous blog articles. Now, I’d like to focus on the topic of protecting employee data. It deserves special attention as most (if not all) enterprises process personal details of their staff. Considering the GDPR’s widened geographical reach, Swiss organizations may fall in scope as well. I’ll discuss this using the following two examples:
Example 1: Swiss-based company with subsidiary in EU
A Swiss-based parent company has a subsidiary in Belgium. The employees of the subsidiary work and live in Belgium (and are employed at the subsidiary). They are responsible for the distribution of goods in the EU. The employee data is processed by a payroll provider in Switzerland.
The GDPR applies to organizations (controller or processor) that process personal data in the context of activities of an establishment in the EU [Art. 3 Par.1 GDPR]. The location, where the actual processing takes place, is irrelevant.
In the example above, there is an establishment in Belgium. Employees are performing activities connected to it by distributing goods in the EU. Therefore, personal data (i.e. employee data) is processed in the context of the activities of an establishment of a controller or a processor situated in the EU. Consequently, the processing of the employee data falls under the scope of the GDPR. The fact that processing by the payroll provider takes place in Switzerland does not change that.