How the GDPR Applies to Employees' Personal Data

People ask a lot of questions about the General Data Protection Regulation (GDPR), which will be enforced from May 25, 2018. Employees ask how the GDPR applies to their personal data. The GDPR gives employee personal data the same protection as consumer or customer personal data. Therefore, institutions that are changing their systems to comply with the GDPR should also adjust the systems that process personnel or employee information. Employees' rights to request copies of their information are likewise the same as those of customers and consumers. Organizations that do not manage employee data properly can be penalized just as they would be for breaking the rules on handling the data of consumers or clients.

The Human Resources (HR) department has to have a strong working knowledge of the GDPR, given that it manages most of the information about employees. The changes could mean adding extra steps to seemingly straightforward administrative work, for example asking for consent to process an employee's personal data, particularly information that is not related to work.

Previously, an employee's personal data could simply be made part of the employment contract. This is no longer the case with the GDPR in effect. Article 7 of the GDPR does not allow the processing of a person's personal information to be bundled into the signing of an employment contract. Authorization to process employee personal data should be requested separately, and the request should be clearly distinguishable from other matters. While HR has a legitimate reason to process selected data associated with employment, the employee must fully understand which data that is and how HR can and cannot process it. The employee must also give consent freely. If the GDPR regards the consent as having been given as a condition of performing a contract, the consent can be considered not freely given and therefore invalid.

HR ought to clearly identify the personal data to be processed and the reason for processing it. An audit will help tag employee data that HR is retaining but that is not directly relevant to employment. The employee must agree to HR keeping that data before the GDPR is enforced; otherwise, HR should delete it. The audit can also help identify outdated or incorrect data. The GDPR requires companies to keep data up to date, and reasonable steps must be taken to ensure that erroneous personal data is corrected or erased.

HR must implement the required technical and IT safeguards to prevent unauthorized access to employee information. Data must not be accidentally or unlawfully destroyed, modified, lost, stored, shared, transmitted or otherwise processed. If HR breaks any of these rules, it could constitute a GDPR violation, which in turn results in penalties and sanctions.

About Christine Garcia
Christine Garcia is a staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA