Where data privacy is concerned, the main thrust of the discussion has been around the protection of customer data and the consequences of a breach. This is the topic that receives the most attention from the media and government, and it has the largest impact on a company's bottom line. However, there is another side of data privacy that EU corporations need to consider: employee data privacy rights.
Overseas, employees have nearly the same rights as consumers over how their PII is used and by whom. As with other data privacy regulations, such as GDPR, failing to comply can result in fines as high as 50,000 euros for the misuse or mishandling of employee data.
When receiving a request for employee data, the following factors must be taken into consideration:
- Who is making the request?
- What is the data being used for?
- How long is the timeframe, or duration, of the request?
- Has the statute of limitations expired?
Employee data is used across the organization (HR systems, IT applications and business operations, to name just a few), making it critical that organizations identify all the places where the data may reside. Furthermore, an organization must have the right infrastructure, data management strategy and network monitoring in place to be able to answer these questions, plus others. Organizations with multiple divisions or geographic locations should be on the same platform, or at least have coordinated data management.
This is all very similar to the motions an organization needs to go through to secure customer data: know where your critical data is, monitor it, capture and record it, and automate as much as possible for effectiveness and efficiency.
Earlier in this post, a fine for failing to comply was described. However, employees also have the ability to sue companies for the following: the right to compensation for pain, the right to compensation, the right to bring an action and to terminate the contract, and the right to work under labor law and supervision. In extreme cases, a prohibition on operating their own IT, the loss of certifications and association charges are also possible.
This only adds to the complexity of the data privacy knowledge an organization must possess. To fully understand the regulations and compliance requirements, organizations should rely on data privacy attorneys and/or TÜV-certified data privacy officers.
To learn more about this subject, we invite you to read an interview between CSPi's Rainer Olschewski, an attorney and TÜV-certified data protection officer, and "We Know Security".