How does a company like Veeva Systems, with 2500 employees globally and looking to expand to 10,000, handle the differing privacy regulations around the world? This is how, said Ashley Slavik, Senior Counsel and Data Protection Officer for the company, organizations need to develop core cultural ideas about how they want to run their company and treat their employees. Then she says, apply those across your organization. Then, when new regulations come into force — such as Europe’s GDPR — the rest is just a matter of application. “Our number one value is customer success, our number two value is our employees’ success,” Slavik said.

So when Veeva began thinking about how it would meet GDPR compliance for its internal operations, it already had certain actions in place. For example, it provides a privacy notice to employees upon their hire and it clearly identifies all the rights that employees have under the law, including GDPR in Europe. “It doesn’t need to be very long,” Slavik said. “It’s just the points of how you take in the data, what data you take in, where you’re planning to send it, and what they can do if they have any questions.”

Here, it is essential to note that GDPR applies to employees too. This will likely come as very unwelcome news to those companies already scrambling to prepare for the rule’s impact on its customer operations. But, as Slavik said, GDPR indubitably grants several rights to European residents and that does include employees.

Related Article: How Will the GDPR Impact Third-Party Lead Generation?

Employees’ Right To Be Forgotten

Chief among these rights — employees have a right to be forgotten too, albeit it is not an automatic right and certain conditions apply, said Clare Bullock, Data Protection Officer with Zuant. “In the context of employment, the legal basis for processing personal data is likely to be performance of a contract,” she said. “In these circumstances, an employer would only be required to erase an employee's data if it was no longer required for the purpose for which it was collected — i.e. the contract terminated.” One exemption may be in the case where an employer has a statutory obligation to retain the personal data, such as retaining records for tax purposes, she said.

Executing A Plan Amidst Uncertainty

As with all things GDPR, a company can trip up on the details of the execution. For example, Karen Schuler, the National Information Governance practice leader at BDO, said there is a debate around whether employers should require employees’ consent — as opposed to just informing them — on such decisions as to how long a resume and work record should be kept on file. With consumers, GDPR clearly states consent is required, but it is still unclear if employees have that same right about basic employment information.

Learning Opportunities

Webinar
Review necessary steps to protect your business
Jun
8
Attracting—and Keeping—Your High-Net-Worth Investors
Join PwC to dissect their recent survey findings on a specific customer subset — high-net-worth investors.
Webinar
Discover the challenges that contact centers, AX, and CX face and how CAI-assisted applications can help solve them
Jun
13
The Future of Contact Centers with AI at the Helm
Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX
Webinar
How brands can deliver video experiences in many different ways using Cloudinary
Jun
13
Learn How to Deliver Dynamic Video Experiences at Scale
Learn how to convert existing assets into video experiences in near real-time.
Webinar
What data should be collected to achieve meaningful engagement
Jun
20
3 Steps to Unlock Your Customer Data and Drive Revenue
Discover how Twilio Segment’s #1 Customer Data Platform helps implement data-driven strategies.
Webinar
it’s ultimately the digital experiences you create that will drive the clicks and conversions that you want
Jun
21
Retail Reinvented: A Masterclass in Creating Digital Experiences That Click
Hear how online retailers architect their digital experience infrastructure for peak traffic and demand
Webinar
Solutions to source, hire and manage talent with specialized skills to fit your operational and performance goals while eliminating redundancy
Jun
27
Growth in the Face of Uncertainty: Nurturing Customer Experience in a Turbulent Market
Learn how to translate the concept of optimized customer success into an executable plan for success
Webinar
Review necessary steps to protect your business
Jun
8
Attracting—and Keeping—Your High-Net-Worth Investors
Join PwC to dissect their recent survey findings on a specific customer subset — high-net-worth investors.
Webinar
Discover the challenges that contact centers, AX, and CX face and how CAI-assisted applications can help solve them
Jun
13
The Future of Contact Centers with AI at the Helm
Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX
Webinar
Review necessary steps to protect your business
Jun
8
Attracting—and Keeping—Your High-Net-Worth Investors
Join PwC to dissect their recent survey findings on a specific customer subset — high-net-worth investors.
Webinar
Discover the challenges that contact centers, AX, and CX face and how CAI-assisted applications can help solve them
Jun
13
The Future of Contact Centers with AI at the Helm
Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX
Webinar
How brands can deliver video experiences in many different ways using Cloudinary
Jun
13
Learn How to Deliver Dynamic Video Experiences at Scale
Learn how to convert existing assets into video experiences in near real-time.
Webinar
Review necessary steps to protect your business
Jun
8
Attracting—and Keeping—Your High-Net-Worth Investors
Join PwC to dissect their recent survey findings on a specific customer subset — high-net-worth investors.

But, as Michael Bahar, a partner and attorney at Eversheds Sutherland and the US leader of the global cybersecurity and privacy practice, pointed out — is an employee really in a position to give consent to his employer anyway? “Can you really consent if your job is on the line or if you have to read through ten pages before you provide it?”

Related Article: 5 Tips to Avoid Common GDPR Mistakes and Pitfalls

Unexpected Sources of GDPR-Related Internal Data

And just like with external operations, there are unexpected sources of GDPR-related data internally that a company must be aware of as it informs its employees about its data gathering, Schuler said. It will also need to know where this data is, should it have to erase the data upon the employee’s request. Recordings for training purposes and voicemail are two examples, she said. “What is ultimately going to happen to that data and how will it be used?” In particular, she said, “Voicemail is being very overlooked. I don’t think anyone is thinking about the years of voicemails they have going back.” One solution, she said, was to transcribe these voicemails so they can be analyzed.

Contracts with third parties—both from the company’s perspective and from the vendor’s perspective — is another source, she said. “No one really knows what a vendor is doing with data.”

Cross Border Data Transfers Are Also An Issue

Sharing personal data about employees — or clients for that matter — could be considered a cross border data transfer under the regulation, Bahar said. “There’s no exception for intra-enterprise communication,” he said. This restriction, needless to say, will make it difficult to collaborate with European colleagues. Conceivably, this applies to a host of related scenarios from employees’ contact details on an intranet to, in some circumstances, even a signature line in an email from a European employee to an American counterpart. “That can be a cross border data transfer,” he said — “names and telephone numbers are personal data.”

Handling these requirements is doable but difficult, Bahar said. “You have to go through your communications with a fine tooth comb to make sure you’re compliant.”