GDPR – urgent update for digital workplace and intranet leaders
With just over a month of preparation to go, the General Data Protection Regulation, or GDPR, is no doubt occupying considerable time for intranet and digital workplace specialists. If you’re a subscriber to Intranetizen (surely everyone is, right?), then you’ll see some communications from us in the very near future as we close out our preparations, but what should you be doing to prepare for the new legislation? We’ve discussed GDPR before, so today we’ll attempt to get practical and direct you as best we can.
Get your skates on – the clock is ticking. There’s not a lot of time left before GDPR becomes law* on May 25, but with potential fines for non-compliance running at 4% of worldwide turnover, doing nothing simply isn’t an option. So where should you start?
What data do you have?
What data are you collecting, storing or using, and do any of these data sets contain data about European residents? GDPR is very specific in its reach: you may work for a non-EU company, domiciled outside of Europe, but if you’re working with data from EU residents, then you’re obliged to meet the standards laid down by GDPR. If it’s employee data, GDPR still applies.
- Can you demonstrate that you are only capturing those data points that you strictly need and no more?
- Can you demonstrate that you’re using it strictly for the purpose originally specified?
- Can you demonstrate that you’re keeping the data for no longer than strictly needed?
If you answered no to any of these questions, you likely have a GDPR compliance issue to resolve.
Individuals have a right to be informed about the data that you hold on them, what you intend to do with that data, the data retention period and who you intend to share that data with. This includes data on current and former employees.
Do you have freely given consent for this data?
For every piece of data, you will need to have demonstrable, explicit permission for storage and use, and in the case of employee data, that consent needs to be freely given without detriment. There can be no coercion and no punishment for an employee not giving permission. You cannot do any more blanket captures – storing everything on the off chance that it might be of value later. You can only keep what is strictly necessary, for the original pre-defined reasons and only for an agreed timeframe.
If consent is withdrawn, can you erase?
A critical feature of GDPR is the right of the owner of the data to be forgotten. At any stage (and without prejudice, particularly for employees), an individual has the right to be forgotten by you. To enact this, you will need to readily identify all the data you have on that person and be able to delete it fully.
Anonymised or aggregated data, such as that you might have in an analytics tool, is not impacted by GDPR, assuming that you cannot identify the individual (pseudonymous data is not good enough for compliance).
Right to access and rectification
GDPR includes the right for an individual to access the data you have on them, and to do so for free except in exceptional circumstances. Further, an individual has the right to rectify errors or complete incomplete records if they so wish.
How are you processing that data?
There are six legitimate bases on which you can process data. If any one of these applies, you can process someone’s data (but some are unlikely in a digital workplace context).
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. This will include contracts of employment, for example.
- Legal obligation: the processing is necessary for you to comply with the law.
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
For example, you may use a tool such as Campaign Monitor, Newsweaver or Poppulo to manage your company’s email. In order for those tools to use individuals’ data, you’d need to ensure that you have passed one of these six checks. You’ll also need to be very clear about who has access to the data, including within those third-party organisations.
Individuals have the right to request restriction or even suppression of their personal data under certain circumstances, meaning you have the legal right to store it but not to use it.
Next Steps
Once you’ve gathered your answers from the sections above, go and speak to an in-house lawyer. GDPR has significant teeth, and you need authoritative legal advice that we are not qualified to give.
Summary – TL;DR
- May 25 is fast approaching and it’s likely that you’ll have to make some changes to the way you handle data to be compliant.
- Start a data audit now if you have not already done so.
- If you’re using an analytics tool, you will likely have to make changes and/or seek new consents.
- Benjamin Ellis has written some excellent words on this topic.
- Speak to an in-house lawyer for specific guidance.
Great overview, Jonathan, thanks. The people directory is often the cornerstone of an intranet, and the obvious implications here are for the employee database (e.g. Active Directory). We hear stories of staff members asking for their photo to be removed from the directory, but could a staff member in theory request not to be included at all on the Intranet Directory or have profiles in their company ESN?
The answer would lie in the consent types outlined in the legislation. It’s unlikely that you have pre-existing, explicit consent from employees to put their details on Active Directory.
So maybe there’s permission granted by virtue of their employment contract with them? That seems likely but I expect legal departments will seek to strengthen those clauses.
Could someone ask to be removed? Yes, in theory. For employees, the request for removal (or the act of removal itself) must be done without prejudice. However, I think it could be successfully argued that someone would be unable to do their job without being on an ESN (or certainly AD) and, as such, removal would not be possible without termination of some kind. Ultimately, I expect companies to call this “legitimate interests”.
TL;DR
I don’t expect there is explicit consent except via employment contracts.
I don’t think an employee could realistically be asked to be ‘forgotten’ by an ESN/Active Directory.
I think businesses would define such storage as legitimate interest.
Also… (I forgot to add) what do you think the implications are for keeping Active Directory (or equivalent) more up to date?