Data Protection In The Workplace: Everything You Need To Know

Since May 2018, all data belonging to citizens of EU member states has been subject to the General Data Protection Regulation (GDPR). Central to the GDPR is the notion that personal data, meaning any information relating to an identified or identifiable natural person, represents value. As such, any organization that holds such valuable information is obligated to protect it. Since its implementation, GDPR has had an enormous effect on organizations both inside and outside the EU.

That impact has mostly been felt with regard to the data organizations hold on external individuals: customers, business relations, prospects, and so on. However, the individuals inside the organization are equally important. While most organizations hold some amount of potentially sensitive data on external data subjects, employee information is held by every single one.

Employee data is, of course, subject to the same legal protections as personal data about external persons. In fact, this information is especially protected, due to the sensitive nature of the information companies hold on their employees. 

In this article, I will present answers to some of the most frequently asked questions about data protection in the workplace. 


What is employee data protection?
Is employee data covered by GDPR?
How does the Data Protection Act protect employees?
What are the effects of improper employee data protection?
What are the common techniques for global protection of employee data?
Wrapping up: HR as a security advocate 


What is employee data protection? 

Employee data protection is the act of ensuring that applicable privacy and data protection laws are followed regarding employee information. This means, of course, ensuring the data is stored securely, but also informing employees when the organization shares all or any of their data with a third party. 

Generally, employee data protection includes: 

  • Safeguarding the information: ensuring the information is protected and shielded from cyber-attacks;
  • Keeping employees informed about who is given access to their data, and why;
  • Ensuring employees are aware of and informed about their rights;
  • Ensuring minimal access: access to personal data should only be granted where necessary;
  • Having retention policies in place. This applies especially to employees who have moved on and to applicants whose application was unsuccessful;
  • General awareness of privacy and data protection laws. This is especially relevant to employee monitoring.

Is employee data covered by GDPR? 

As far as GDPR is concerned, the law makes no distinction between internal and external data subjects. This means that GDPR absolutely covers employees. For companies inside the EU, all data on all employees is subject to GDPR. Article 3 of GDPR makes clear that it applies when any part of the processing it governs occurs in the EU, or when the data subject resides there.

Essentially, Article 3 means GDPR applies when: 

  • The data controller is in the EU. For employee data, this means that if the employer is in the EU, GDPR applies.
  • A data processor is in the EU. Is anything done with the data inside the EU, including storage? GDPR applies.
  • The data subject is in the EU. Regardless of whether they are employees or freelancers, if they reside in the EU, GDPR applies.

How does the Data Protection Act protect employees?

By considering employees as data subjects, GDPR affords them the same degree of protection as any other data subject. This means that the employer must treat this data as extremely valuable and sensitive. Of course, employees are somewhat limited in which of their rights they can exercise in practice: the right to be forgotten does not apply, for obvious reasons.

Still, the employer needs to respect the rest of GDPR. This means the core principles of the regulation as laid out in Art. 5 apply: 

  • Lawfulness, fairness, and transparency. Employers should strive to be open and fair regarding the collection and use of personal information.
  • Purpose limitation. Essentially, do no more with the personal information than necessary for the purpose it was collected for.
  • Data minimization. Employers should keep no more personal information on their employees than they need to perform their duties towards them.
  • Accuracy. The information kept should be accurate, and employees have the right to rectify information at any time.
  • Storage limitation. When the information is no longer needed (for example, when employment is terminated), it should be removed within a reasonable timeframe.
  • Integrity and confidentiality. To quote directly from GDPR: “... protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.” 

If a breach of these principles occurs, the privacy authority can be notified, and sanctions may be applied. These sanctions are flexible and by no means set in stone. That said, the impact can be significant. Lesser violations can be fined up to €10 million or 2% of global revenue (whichever is higher). More severe violations go up to €20 million or 4% of global revenue (whichever is higher).

While these numbers are large and intimidating, the fines actually imposed vary widely. Glancing at the enforcement tracker for GDPR shows an extremely wide range of fines. At the extreme, a GDPR fine is eye-popping: the €746 million fine imposed on Amazon in 2021 comes to mind. Generally speaking, fines are more modest than that.


What are the effects of improper employee data protection? 

Aside from the legal consequences of GDPR violations detailed above, an employer that fails to protect the data of its employees incurs reputational damage. The employee(s) in question may lose faith in the organization and its ability to safeguard their information. It isn’t unreasonable to think that this loss of confidence will spread to other employees, too. Such reputational damage may also hurt morale.

If the violation is severe enough, the media may get involved and cause further reputational damage, which may complicate recruitment efforts in the future. Potential customers or business partners may also shy away due to trust issues. Essentially: “if they can’t protect the data of their own, then why would I trust them with my data?” 


What are the common techniques for global protection of employee data? 

In order to ensure that employee data is properly protected, HR departments must insist that employees’ information is treated with the same care as any other information the organization holds. From an IT point of view, making use of secure platforms is important.

Furthermore, the policies implemented in the company should unambiguously reflect the rights provided to employees by law. That goes for the employee handbook, in which a clear outline and overview of GDPR rights should be provided. It also applies to the data retention policy, in which there should be attention given to the information of applicants, employees, and former employees. 

If a data breach does occur, tools should be in place to react quickly and decisively. There is no way to be 100% secure against data breaches, of course. IT and HR policies can encourage good habits and fortify security; however, policies and tools should also be in place to deal with a data breach once it occurs.


Wrapping up: HR as a security advocate 

As detailed above, it’s obvious that data protection isn’t solely the domain of IT and Legal. HR can, and indeed should, take a seat at the table when it comes to the security of employee data. Working with partners in both Legal and IT, HR can draw up policies to make sure that day-to-day activities comply with applicable privacy and data protection law. What’s more, HR can prepare for a crisis by putting playbooks and tools in place to deal with its consequences.