HR/Benefits professionals need to collect a lot of employee data.
Names, social security numbers, ethnicities, benefit plan elections … and the list goes on. The point is, HR collects very personal, personal data.
What if that data were compromised? What if that data were misused?
Worse, what if YOU were the one misusing it?
Recently, Google was slapped with a €50 million fine (or about $56.7 million) for violating the EU’s recently enacted General Data Protection Regulation (GDPR). The GDPR is a broad set of new regulations that protect the personal data of any EU resident, and it applies to a wide set of organizations: any organization that employs EU residents, offers goods and services to EU residents, or monitors the behavior of EU residents.
Now think about it. Google’s worth is over 100 billion dollars. So, a fine of $50 million is essentially chump change. But for other organizations, a data privacy violation can arrive like the big bad wolf: it can huff and puff and blow your organization to the ground.
What actually constitutes a violation?
In Europe, the sensitive data subject to these regulations is what’s considered “special category” personal data, that is, the most sensitive types of personal data. Examples include medical information, political affiliation, religious or philosophical views, sexuality, and any information revealing racial or ethnic origin.
Someone is always watching
According to the recently filed evidence, Google violated user privacy with its ad auctioning system, which “unlawfully” profiles internet users’ (sometimes embarrassing) search history. Think substance abuse, sexual orientation, cancer, mental health, right- or left-wing politics. Thousands of third-party companies that take part in Google’s ad system get access to this data and also get to advertise to the users typing in those personal questions.
Creeped out yet?
While new evidence keeps piling up against the tech giant, HR professionals need to take note of this latest data drama installment as it could (and should) influence how they manage the data of their employees.
The GDPR reach is long — and can definitely affect businesses in the U.S.
The case above illustrates the actual reach of GDPR and the EU’s ability to levy fines and sanctions against U.S.-based entities, which should now be a concern for everyone. If you work with international partners, these regulations need to be at the top of your list of considerations, as the fines for violations are hefty.
If you’re thinking that because you’re based in the U.S. and only work with U.S.-based partners you aren’t susceptible to fines, take note: GDPR paints broad strokes regarding who is protected under these regulations. Despite being based in the U.S., some businesses could be considered data owners under GDPR and therefore held to the same criteria as those directly operating in the EU, as Google has found out first hand.
As an HR professional, you need to be prepared and very cognizant of the protections you (and your vendors) put in place to safeguard employee data, such as:
- Getting consent from users to use their data.
- Making sure all employees are aware of your privacy practices.
- Giving timely responses to requests from your users about their information.
Although benefits technology companies handle user data in a wholly different way than tech companies like Google or Facebook, we must be prepared in every way to make sure our customers’ employees’ data is protected and that our privacy standards and protections are at their highest and fully compliant. Fortify with steel, so the wolf doesn’t come knocking on your door.
Want to learn more about GDPR, along with a list of compliance questions to ask internally or externally? Read our blog below.