How do you protect your employees' personal data?

The General Data Protection Regulation (GDPR) went into effect on 25 May 2018. This European Regulation lays down the ground rules for the collection, use and security of personal data. It concerns personal data of your employees, but by extension, data of customers too.  

Personal data is a broad term. It's not just about classic data (such as name and surname), but also reports, evaluation forms, photos at the staff party or training, etc.

Not following the rules of the game? Then you risk a significant fine. For example, a fine of 15,000 euros was imposed by the Data Protection Authority (GBA) on an SME that refused to close the mailboxes of former employees.

The GDPR matter is a complex one. The conceptual framework is not simple, and there are various obligations, such as a documentation obligation and an information obligation. Employers often don't know where to start. This roadmap can give you a nudge in the right direction:

1. Map out personal data using a processing register (data registry).

This registry replaces the former declaration to the GBA, and is part of your documentation requirement. In the event of an audit, you can expect the request for this register for sure. The processing register must be continuously updated. 

2. Identify the legal basis on which the processing is done.

There are 4 legal grounds:

• execution of the agreement;
• legal obligation;
• legitimate interest;
• consent of the person concerned. 

In the case of the data subject's consent, it is stated that such consent must be free, explicit and informed.

3. Keep in mind the retention periods for this personal data.

The data should not be kept longer than strictly necessary. So you need to work with rules specific to applicable local regulations to map out these retention periods. As part of transparency, you also provide these retention periods by topic in the processing register.

4. Be aware of your information obligation. 

For example, you must inform your employees what data is being processed, the retention periods, the right to information if it is necessary to correct the data, etc.

As part of this information obligation, you must also record what ground rules are used internally with regard to the handling of customer data, access to customer data, any sanctions in the event of a breach of these agreements.

You can regulate your information obligation in this context by working with a specific privacy policy, for example.