Three takeaways on Employee Privacy from IAPP GPS 2024by Josh Schwartz
Last week the Phaselab team attended the IAPP’s Global Privacy Summit, and one of the most interesting sessions we saw was a great panel on HR-related privacy. For companies with global workforces, managing employee privacy in compliance with local privacy laws is incredibly complex, and we wanted to highlight a few of the most important takeaways for our team. If your company has a global workforce or if you’re thinking of expanding globally, read on!
Employee access requests expand to California
Access requests from (ex-)employees are notoriously time-intensive and expensive. They also have a reputation for being geographically constrained — although they’re allowed by privacy laws in a wide number of jurisdictions, the UK and some EU countries have generated the vast majority of requests. But that may be beginning to change: in a telling moment in the talk, the panelists asked audience members to raise their hands if they’d received an employee DSAR from California, and nearly half of the hundreds of attendees raised their hands.
Employee data governance is becoming a must-do
Privacy teams are used to thinking about data generated by their products and data used in marketing and advertising, but have spent relatively little time with their HR leaders. The converse is true as well: HR teams are typically not used to thinking about things like data governance, automated decision making, or consent and opt-out. But employee privacy is becoming an increasingly important issue and leaders of both privacy and HR need to start collaborating. Privacy leaders need to ensure that HR systems are included in data maps and subject to data minimization policies. Meanwhile, HR leaders need to ensure that the processes they put in place follow privacy laws, for example that automated resume review doesn’t run afoul of automated decision-making regulations.
Where HR Data collects. Panel slide from Global Employee Data Management – Avoiding HR Hell with Heavenly HR Governance
Consent gets complicated
Many companies, especially those in the US, include language in employee contracts like “you consent that you should have no expectation of privacy” when using work equipment. For international companies, this likely isn’t appropriate: this might seem like standard legal boilerplate, but it’s also explicitly defining your legal basis of processing employee data — something that’s required under the GDPR — and specifying that consent is your legal basis. Critically, consent must be freely given, and it isn’t clear that this is possible in an employment context. Additionally, if you’re relying on consent for processing employee data, you also have to have mechanisms in place for allowing employees to opt-out — something most HR teams aren’t prepared to do. There are numerous other alternative legal bases, for example specifying that data is being processed for the performance of a contract between the employer and employee. Each of these comes with their own obligations, so it’s critical for privacy and HR teams to collaborate to determine what’s appropriate.
If you’re working to implement privacy programs for a global workforce, we’d love to learn about your challenges and see how our tool for managing employee privacy can help. Reach out to me at josh@phaselab.co to learn more!