Employee Data and the GDPR

September 20, 2019

The EU’s General Data Protection Regulation establishes conditions under which employees’ personal data can be processed. The regulation applies to organizations that are established in the EU, regardless of whether the personal data that they process relates to EU data subjects. It also applies to the processing of personal data by non-EU entities, where such processing is in the context of offering goods or services to data subjects in the EU or in the context of monitoring the behavior of data subjects in the EU. Personal data is defined as any information relating to an identified or identifiable natural person. In practice, this means that data collections and reviews will nearly always involve the processing of personal data. Because of the GDPR, it is much more difficult to rely on an employee’s consent as grounds for processing. Another ground for processing will need to be identified, which can normally be the employer’s legitimate interest in reviewing the data. In some circumstances (e.g. employee surveillance) a documented impact assessment may be required. Data should be processed only when and to the extent necessary, and those grounds should be re-evaluated throughout the investigation. Additional requirements apply when personal data is being transferred from one jurisdiction to another. In general, steps should be taken to limit as far as possible the review of sensitive personal data.
