Things to know for GDPR-proof handling of employee data

Written by Yung Shin Van Der Sype, KU LEUVEN

The General Data Protection Regulation (GDPR) has been adopted on 16 April 2016. After four years of preparation and negotiation between the EU institutions, the GDPR is ready to make “a high, uniform level of data protection throughout the EU a reality” (Jan Phillip Albrecht, German Green MEP).

Two years from now, in the first half of 2018, the new framework will come into force, with direct effect in all EU Member States. Hence, companies and organisations have two years to prepare for the major changes to come.


And things will change…

The objectives of the GDPR are to increase the rights of individuals, to strengthen obligations for companies and to increase sanctions for non-compliance. Besides confirming the established principles of data protection, the new framework introduces several new requirements for the processing of personal data in Europe.

The GDPR also covers the processing of personal data of employees. Even though certain specifications on national level will follow, in general, companies should start preparing for the new, stricter, data subject-friendly rules.

These changes are crucial for the research in the Dogana project. From a legal perspective, these changes further complicate the practice of Socially Driven Vulnerability Assessments in organisations and businesses.


About the national specifications…

Article 88 of the final text of the GDPR states that “Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship”. Hence, virtually all situations regarding the processing of personal data in the employment context are potentially subject to legal specifications at national level. It will be up to the Member States to notify the Commission those provisions of its law which it adopts in this regard, by two years from the data of entry into force of the GDPR.

Although those detailed national specifications are not known yet, the shape and direction of the GDPR novelties are known and clear. Cautious companies should therefore start making plans to implement the new data protection regime in their companies.


About what is going to change…

Companies will find more difficulties to rely on consent as a legal ground for the processing of employee data. Due to the hierarchical relationship between the employer and employee and the presumed pressure therefrom, employee consent for processing of personal data has been increasingly criticised. The GDPR clarifies that consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. Besides, when consent is given through a declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. Given that employees will have the right to ask the erasure of data for which the employee has withdrawn his/her consent, it is safer for companies to rely on different grounds for the processing of employee data.

In general, companies will have to consider the significant improvement of the data subject rights under the new framework. For example, companies will have to provide more detailed information to their employees about the processing of personal data.

The new Regulation focuses on accountability. Companies need to be able to demonstrate compliance. In line with this, the old notification obligation – to notify the data protection authority of data processings – will be abolished. Instead, (some) companies will have to appoint a data protection officer, will have to carry out privacy impact assessments, keep logs of data processing operations, etc.

The new framework introduces the new data breach notification requirement. The supervisory authority will be notified of personal data breaches within 72 hours. This notification shall described, for example, the nature of the breach, including where possible, the categories and approximate number of data subjects and personal data records concerned. The notification shall also describe the likely consequences of the breach and the measures taken or proposed to be taken by the controller. Companies should start preparing a notification program for breaches that occur under their control.

Another point of interest for companies follows from the objective to increase sanctions of non-compliance. In order to ensure a consistent level of protection throughout the Union, the GDPR introduces fines for some infringements of even up to 4% of the company’s annual turnover.

The last change highlighted in this short blogpost relates to the transfer of personal data outside the EU. The GDPR introduces Binding Corporate Rules as a lawful means of transferring personal data to group undertakings outside the EU. Those Binding Corporate Rules shall be approved by the competent supervisory authority if the conditions laid down in Article 47 of the GDPR are met.


In short…

It’s time for action. Although 2018 looks far away today, time flies when one has so much to prepare for.


by Yung Shin Van Der Sype (KU LEUVEN)

This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618




The DOGANA phishing videogame

Want to try it?
Read more here and contact us


Phishing: awareness through play

Want to try it?
Read more here and contact us


Contraband pixels and texts
Read all about our liteary-graphic competition on phishing and social engineering

All the pictures and novels