Data Privacy and Human Resources

An interview with Vasileia Lellou, LL.M., Attorney at Law, CIPP/E, Data Protection Officer

1. What do you think is the biggest HR data protection challenge in the age of Covid and why?

Data protection and HR have always been in a close relationship, because almost all companies have employees. So, they have to process employee data.

In my experience, the biggest HR challenge is the lawful processing of personal data. This also applies in the age of Covid. HR is responsible for collecting and storing the necessary personal data of the employees. The big challenge here is to collect only data that are necessary, on a lawful basis. That means that HR always needs a solid reason for collecting these data, e.g., a legal requirement or employment reasons. This is always tricky, because companies think that they need more data from their employees than is actually necessary. We can all imagine that this challenge became bigger in the age of Covid. Especially in the beginning of the pandemic, when things were not that clear, companies were not sure how employees could enter the building, what data should be collected, how illness information should be stored, or how people may be allowed to process data while working from home. A lot of businesses were ready for that, but most were not. So, they started sharing a lot of data, also in order to make it possible to work from home. Then another challenge arose: how could HR safely get access to or transfer data while being at home? How can on- and off-boarding take place remotely?

In general, I would say that organizations with good data protection structures were able to adjust and implement new processes quickly. Organizations with poor or no data protection structures within HR really had to struggle in order to adapt and be able to move towards data protection compliance. So, the biggest challenge in these cases was and is the remote management of employee data, also for applicants and new entries.

2. Many employers – everywhere – have implemented practices to protect the workplace from the spread of Covid. a. What practices are most common in the EU? b. What are the usual challenges related to data privacy?

a. This is true. The most common practices in the EU are, among others:

  • The implementation of remote working
  • If necessary, the presence of reduced numbers of people in the offices
  • In this case, physical access can be granted only to vaccinated, tested or recovered employees under specific time requirements
  • Physical separation through glass or other measures
  • Mandatory wearing of masks
  • Thermal screening

b. Usual challenges:

  • Databases – physical storage of personal data – retention and deletion schedule
  • Access rights management
  • IT infrastructure (cost)
  • Legal basis for collecting the data

3. Are you seeing any employer practices that run afoul of the EU regulations? What kind of practices are they and why are they problematic?

Most companies try to adjust their practices and achieve compliance with the EU General Data Protection Regulation (GDPR) and other applicable local laws. Of course, this is not always the case, especially if the compliance plan would pose a significant obstacle to the economic growth of a company. And this is where long discussions with the data protection consultants begin.

I acknowledge that being data protection compliant is not always the best way for the business to grow, at least at first glance. Sometimes this means more cost, more time, more resources that could be used in another sector (sales, management) and bring profit to the business. On the other hand, not being compliant always implies a risk: a risk for the reputation of the company, or fines. In the last few years, we have all seen that really big fines are being imposed on organizations failing to comply with data protection rules (missing information notices, data breaches, misuse of client data). So, now companies understand that data protection matters and are taking serious steps to set up a compliant mechanism. Based on my experience, I can assure you that there is always a way to accomplish both goals: stay compliant and allow the business to grow, involving no or at least low risk.

So, to answer your question, yes, I have seen practices that are not data protection friendly. Usually, these practices involve information regarding the personal data processing that is not communicated properly or on time to the affected data subjects. Another issue is the non-legitimate transfer of data, for example because the respective contract is missing or the transfer has no legal reasoning. I think there are various reasons for that. Sometimes the decision makers are simply unaware of data protection requirements, for example when gathering more health data than actually needed. Other times, because business growth is more important, companies keep, for example, client data longer than allowed and for other purposes than those for which they were gathered.

However, as I mentioned above, fortunately awareness is growing and better practices are being implemented continuously.

4. What actions are you seeing employers take to comply with the data protection regulations?

First of all, employers engage an internal or external data protection specialist or a team of specialists. The next step is to identify the weaknesses of the company in this area. For this purpose, my team and I conduct an audit/risk assessment in order to understand the business and identify where action is needed. Depending on the structures of the company and the experience of the data protection specialist, this step can take a few days or several months. After that, together with the company, we work out an action plan in order to implement the defined measures and processes for compliance.

The most common measures include the implementation of technical and organizational measures. For example:

  • Privacy by design and default for tools
  • Encryption
  • Access management
  • Review of contract management and data protection clauses
  • Check of third-party providers
  • Identification of data flows and internal/external transfers
  • Training to raise awareness.
