What are the GDPR Restrictions on Employee Data?

You may think that you know everything there is to know about the General Data Protection Regulation (GDPR), but the rules dealing with employee data are different to those which deal with the data of individuals who engage with a business or organisation as a customer or potential customer.

Why HR activity is high risk

If you think about it carefully, you can understand why HR activities within a business or organisation are considered high risk, in terms of the GDPR. Businesses and organisations tend to hold sensitive personal data relating to employees, such as information relating to health or criminal convictions. This means that the processing activities of the HR function are always likely to be high risk.

It is important that businesses and organisations address this risk, as they could be subject to action taken by employees if not, and be found to be in breach of GDPR.

Why Employee Consent is Not Enough

One of the interesting points to note, about processing employee personal data in line with GDPR rules, is that it is not in fact sufficient in itself to have received the employee’s consent. This is because employees are considered to be ‘vulnerable’ due to their dependent relationship with the employer. In order to process an employee’s personal data, the employer must prove that there is a legitimate reason for doing so.

Such a reason may be:

  • To enable an employment contract to be fulfilled.
  • To comply with legal requirements.
  • In connection with a legitimate interest of the employer.

Employers need to complete a Data Protection Impact Assessment (DPIA) in order to prove that the legitimate reason outweighs any potential negative impact on the employee.

As you can see, there needs to be great emphasis placed on complying with GDPR rules, in respect of dealing with the personal data of employees. Not doing so could lead to businesses and organisations facing fines and other sanctions.