Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

Another GDPR Gotcha: HR and Employee Data

Have I mentioned recently that if you’re following the usual data security standards (NIST, CIS Critical Security Controls, PCI DSS, ISO 27001) or common sense infosec principles (PbD), you shouldn’t...
Michael Buckbee
3 min read
Published April 20, 2018
Last updated October 21, 2021

Have I mentioned recently that if you’re following the usual data security standards (NIST, CIS Critical Security Controls, PCI DSS, ISO 27001) or common sense infosec principles (PbD), you shouldn’t have to expend much effort to comply with the General Data Protection Regulation (GDPR)? I still stand by this claim.

Sure there are some GDPR requirements, such as the 72-hour breach notification, which will require special technology sauce.

Get the Free Essential Guide to US Data Protection Compliance and Regulations

There’s also plenty of fine print that will keep CPOs, CISOs, and outside legal counsels busy for the next few years.

US Professional Service Companies Beware!

One of those fine points is how the GDPR deals with employee records. I’m talking about human resource’s employee files, which can cover, besides all the usual identifiers (name, address and photos), personal details such as health, financial, employee reviews, family contact information, and more.

EU-based companies and US companies that have been doing business in the EU have long had to deal with Europe’s stricter national laws about employee data.

The GDPR holds a surprise for US companies that are not consumer-oriented and thought that the new law’s tighter security and privacy protections didn’t cover them. In fact, they do.

I’m referring particularly to US financial, legal, accounting, engineering, and other companies providing B2B services that are not in the business of collecting consumer data.

Let me just say it: the GDPR considers employee records to be personal data — that’s GDPR-ese for what we in the US call PII.  And companies that have personal data of employees – and who doesn’t – will have to comply with the GDPR even if they don’t have consumer data.

So if a US accounting firm in the EU has a data breach involving the theft of employee records, then it would have to notify the local supervisory authority within the 72-hour window.

There’s another surprise for US companies. Even if they don’t have a physical presence in the EU but still have employees there — say French or Italian workers are telecommuting — then their employee records would also be covered by the GDPR.

Employees Have Data Privacy Rights

And that also means, with some restrictions, that employees gain privacy rights over their data: they can request, just as a consumers do, access to their personnel files, and have the right to correct errors.

There’s even an employee “right to be forgotten”, but only when the data is no longer necessary for the “purposes for which it was collected”. Obviously, employers have a wide claim to employee data so it’s easy to see that most employee file are protected from being deleted on demand.

But no doubt they’ll be instances where the “right to be forgotten” rule makes sense. Perhaps a vice president of marketing makes a request to HR to take a one-month leave of absence to study bird life in Costa Rica, has second thoughts, and then asks HR to delete the initial application based on his GDPR rights.

More importantly, employees also have the right to consent to the processing of their data. This particular right is not nearly as straightforward as it is for consumers.

Since employee privacy rights under the GDPR are far from simple, law firms and attorneys are filling the Intertoobz with articles on this subject, especially on the consent to processing loopholes.

As it happens, I came across one written by Sara Jodka, an attorney for Columbus-based Dickinson Wright, that is mercifully clear and understandable by non-attorney life forms.

The DPIA Surprise

The key point that Jodka makes is that since employers have leverage over employees, it’s hard to for the consent to processing to be “freely given”, which is what the GDPR requires.

Typically, an employee has given consent to processing of her data as part of an employment contact. But since the employee likely had no choice but to sign the contract in order to get the job, the GDPR does not consider this freely given.

So how do employers deal with this?

There is an exception that the GPDR makes: if the employer has “legitimate interests”, then consent is not needed. To prove legitimate interest, the company will have to document why its right to the data outweighs the employee’s privacy rights. Essentially, in the one-sided employer-employee relationship, the employer has the burden of proving it needs the data since consent is not generally required.

Though there are some different legal opinions on  the types of employee data covered by legitimate interests, sensitive data involved with monitoring of employee computer usage, their location, or perhaps event their travel plans will definitely require employers to take an extra step.

They will have to perform a Data Protection Impact Assessment or DPIA.

On the IOS blog, we’ve been writing about DPIAs for quite a while. It’s required for the processing of sensitive data, such as racial, ethnic, or health-related. Employee records that contain this information as well as monitoring data will fall under the DPIA rule, which is spelled out in article 35.

In short: companies using the legitimate interest exception for processing employee records will likely also be conducting data assessments that include analyzing the processing, evaluating the security risks involved, and proposing measures to protect the data.

If you’re finding this a little confusing, you are not alone. However, help is on the way!

I interviewed Sara Jodka earlier this week, and she brilliantly explained the subtleties involved in protecting employee records under the GDPR, and has some great advice for US companies .

Stay tuned. I’m hoping to get the first part of the podcast up next week.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

securityrwd-–-github-secret-scanning-could-create-false-sense-of-security
SecurityRWD – GitHub Secret-Scanning Could Create False Sense of Security
Microsoft recently announced they would be adding another layer of security to their popular code repository, GitHub, by scanning for "secrets" (API tokens, access keys, etc. inadvertently saved in the platform). However, as Kilian Englert and Ryan O'Boyle from the Varonis Cloud Architecture team discuss, this positive first step shouldn't lull developers into a false sense of security. Listen in to hear why it's so important not to let your guard down when securing critical cloud apps and data.
threat-update-72---what-is-saas-security-posture-management-(sspm)?
Threat Update 72 - What is SaaS Security Posture Management (SSPM)?
Kilian and Ryan O'Boyle from the Varonis Cloud Architecture team cover what Secure Access Service Edge (SASE) is all about, and dive into other security considerations organizations should keep in mind when looking to "decentralize" their network architecture.
threat-update-73---what-is-a-cloud-access-security-broker-(casb)?
Threat Update 73 - What is a Cloud Access Security Broker (CASB)?
Kilian and Ryan O'Boyle from the Varonis Cloud Architecture team cover what Secure Access Service Edge (SASE) is all about, and dive into other security considerations organizations should keep in mind when looking to "decentralize" their network architecture.
threat-update-69---what-is-secure-access-service-edge-(sase)?
Threat Update 69 - What is Secure Access Service Edge (SASE)?
Kilian and Ryan O'Boyle from the Varonis Cloud Architecture team cover what Secure Access Service Edge (SASE) is all about, and dive into other security considerations organizations should keep in mind when looking to "decentralize" their network architecture.