For most of the years that Facebook has existed, Mark Zuckerberg has come under intense scrutiny because of the misuse of data collected through Facebook. This has included the claim that Facebook influenced the election of Donald Trump and allegations of selling personal information on to third parties. It was reported that, during the presidential campaign leading up to Trump’s victory, a service provider to the Trump campaign covertly used the Facebook personal data of millions of people to influence the campaign. Following this, Mark Zuckerberg admitted that his company was partially responsible and promised to take action.
Now there is an allegation that data is being collected on non-users, and Mark Zuckerberg has conceded that his social media platform also collects data on people who are not even signed up to Facebook, asserting that this is a precautionary measure. Mark Zuckerberg publicly claims that he takes the issue of personal privacy and the individual’s data very seriously, but does he? And does his operational staff, which is in charge of protecting our details, turn a blind eye to data leaks?
So what can we, as organisations, learn about how to handle data? What are the issues we need to address?
General Data Protection Regulation (GDPR) – who is responsible and liable?
Since May 2018, the new GDPR regulations have been in force, and all companies based in the EU, or having employees who are based in the EU, must abide by them, particularly where companies control and keep track of their employees’ behaviour. Such control of employees by their employers is not defined within the regulations, but it probably refers to the monitoring and review of employees’ actions with the intention of using that information to make employment-related decisions, such as performance-related or disciplinary actions.
In reality, given the existing and emerging technology that most employers will need EU-based employees to use in their day-to-day work, such employers will probably be tracking their employees’ actions and must therefore abide by these regulations. This means that even companies located outside the EU will need to abide by the GDPR with respect to their EU-based employees, even if they have no corporate presence there. Such companies must designate someone to represent them within one of the Member States where they have employees.
What actions must employers take?
The overall principles of the GDPR will be familiar to employers, because they are based on previous legislation. However, some important factors have changed. The most crucial of these is that employees’ consent is required for the use of their data in the employment context.
Should employers depend on employees’ consent to utilise their information?
To date, most employers have relied on their employees’ authorisation to use their personal information, and a blanket agreement to the processing of data is often included in the contract of employment. Under the new GDPR, however, the situation has changed: for such authorisation to be valid, the employee must have given it freely, and it must be specific to the use that will be made of the information. Additionally, the employee can revoke the authorisation at any time. The GDPR stipulates that, because employers can be seen to have controlling power over their employees, employees can rarely give free authorisation. This means that it will be problematic for employers to rely on employees’ consent to use their personal information.
Where should employers focus instead of relying on employees’ authorisation?
An employer can justify the processing of employees’ personal data on a legal basis other than authorisation or consent. A company is legally justified in processing such personal data for the following reasons:
- If this is essential to perform the contract of employment, e.g. processing the employees’ bank account details that the employer needs in order to pay salaries.
- If this is a legal requirement, e.g. sickness leave information must be processed to ensure payment of sick leave.
- If the processing is necessary to protect the employer’s interests, and those interests outweigh the employees’ right to privacy.
What actions should you as an employer take to abide by the new GDPR?
You should audit your standard employee documents, such as contracts of employment and any standalone data processing authorisations from employees. For both new and existing employees, we suggest that employers replace the consent language in such documentation with new text that refers to the legal grounds mentioned above. For your existing personnel, we recommend that you issue notifications explaining that you are processing their information on the basis of these legal grounds.
What are the risks for companies who do not comply with the GDPR?
Companies who do not abide by the GDPR are liable to be fined up to €20 million, or 4% of the company’s (or the entire group’s) annual turnover. This is considerably greater than the fines that applied before the new regulation came into force.