How does a company like Veeva Systems, with 2,500 employees globally and looking to expand to 10,000, handle the differing privacy regulations around the world? The answer, according to Ashley Slavik, Senior Counsel and Data Protection Officer for the company, is that organizations need to develop core cultural ideas about how they want to run their company and treat their employees, and then apply those ideas across the organization. When new regulations such as Europe’s GDPR come into force, the rest is just a matter of application. “Our number one value is customer success, our number two value is our employees’ success,” Slavik said.
So when Veeva began thinking about how it would meet GDPR compliance for its internal operations, it already had certain actions in place. For example, it provides a privacy notice to employees upon their hire and it clearly identifies all the rights that employees have under the law, including GDPR in Europe. “It doesn’t need to be very long,” Slavik said. “It’s just the points of how you take in the data, what data you take in, where you’re planning to send it, and what they can do if they have any questions.”
Here, it is essential to note that GDPR applies to employees too. This will likely come as very unwelcome news to those companies already scrambling to prepare for the rule’s impact on their customer operations. But, as Slavik said, GDPR indubitably grants several rights to European residents, and that does include employees.
Employees’ Right To Be Forgotten
Chief among these rights: employees have a right to be forgotten too, although it is not an automatic right and certain conditions apply, said Clare Bullock, Data Protection Officer with Zuant. “In the context of employment, the legal basis for processing personal data is likely to be performance of a contract,” she said. “In these circumstances, an employer would only be required to erase an employee's data if it was no longer required for the purpose for which it was collected — i.e. the contract terminated.” One exemption may be the case where an employer has a statutory obligation to retain the personal data, such as retaining records for tax purposes, she said.
Executing A Plan Amidst Uncertainty
As with all things GDPR, a company can trip up on the details of the execution. For example, Karen Schuler, the National Information Governance practice leader at BDO, said there is a debate around whether employers should require employees’ consent — as opposed to just informing them — on such decisions as to how long a resume and work record should be kept on file. With consumers, GDPR clearly states consent is required, but it is still unclear if employees have that same right about basic employment information.
But, as Michael Bahar, a partner and attorney at Eversheds Sutherland and the US leader of its global cybersecurity and privacy practice, pointed out, is an employee really in a position to give consent to an employer anyway? “Can you really consent if your job is on the line or if you have to read through ten pages before you provide it?”
Unexpected Sources of GDPR-Related Internal Data
And just like with external operations, there are unexpected sources of GDPR-related data internally that a company must be aware of as it informs its employees about its data gathering, Schuler said. It will also need to know where this data is, should it have to erase the data upon the employee’s request. Recordings for training purposes and voicemail are two examples, she said. “What is ultimately going to happen to that data and how will it be used?” In particular, she said, “Voicemail is being very overlooked. I don’t think anyone is thinking about the years of voicemails they have going back.” One solution, she said, was to transcribe these voicemails so they can be analyzed.
Contracts with third parties, both from the company’s perspective and from the vendor’s perspective, are another source, she said. “No one really knows what a vendor is doing with data.”
Cross Border Data Transfers Are Also An Issue
Sharing personal data about employees — or clients for that matter — could be considered a cross border data transfer under the regulation, Bahar said. “There’s no exception for intra-enterprise communication,” he said. This restriction, needless to say, will make it difficult to collaborate with European colleagues. Conceivably, this applies to a host of related scenarios from employees’ contact details on an intranet to, in some circumstances, even a signature line in an email from a European employee to an American counterpart. “That can be a cross border data transfer,” he said — “names and telephone numbers are personal data.”
Handling these requirements is doable but difficult, Bahar said. “You have to go through your communications with a fine-tooth comb to make sure you’re compliant.”