Years in the making but officially enforceable in May 2018, GDPR, or General Data Privacy Regulation, transformed the way companies collect, display and share data electronically and beyond. While the original proposal targeted consumer data, and particularly how businesses treated their customer data, a natural extension moved towards the privacy regulations affecting employee data, or their personal identifiable information (PII) as well.
In Madison’s white paper, “Understanding the Broad Reaches of GDPR as it Applies to Employees and the Workplace,” the expansion of GDPR was designed to give “complete control to individuals over their data regardless of where it is stored, or how it is processed.” As the components for compliance are widespread, organizations across the globe have reorganized their data management systems, redefined how they collect and utilize data on their websites and in their databases, and established strict security protocols to protect against breaches. Not doing so can result in hefty fines and interruptions to business operations.
While the commission originated in the European Union (EU), the reach extends to any organization that could be doing business in an EU country or with any individual connected to the EU. It is truly global-wide. Since the introduction of the GDPR, there have been other regulations introduced via country and/or state and local ordinance, like 2020’s California Consumer Privacy Act (CCPA) and the newly introduced Virginia Consumer Data Protection Act (VCDPA) which will become effective in January 2023.
While both state privacy acts are predicated on the guidelines set forth in the GDPR, they take privacy regulations further and in some instances offer additional compliance measures specific to their ordinances. California, a year after the enactment of CCPA, further defined individual data rights when it passed the California Privacy Rights Act (CPRA) which details additional regulations and guidelines for data privacy, including business qualifications for compliance, creating new data categories according to high sensitivity and more.
While the concepts of the new mandates have been heavily written about and highly publicized in terms of their intent and purpose, it’s important to also indicate the practical output of these changes.
1. What have organizations and individuals noticed since GDPR and other privacy acts have been enforced?
Some changes may go unnoticed, especially when it comes to how organizations needed to upgrade their data management systems and particularly the security and encryption methods they use to protect, store and transfer data. At your company, you may have met new Data Security and Compliance officers who are heavily trained in data privacy regulations and are responsible for keeping up with and adapting to GDPR-esque mandates. Access level to employee data may also have gotten a bit tighter; there will a limited few individuals that can work with personal information of the organizations’ employees.
There are some actions that are certainly more visible to both the employer and the employee, like:
It’s important to note that employees are to be fully covered with data privacy rights as individuals, the same as consumers. They have rights to access their data files, request data corrections and provide consent to what data is shared and for what purpose, among many other protection measures for personal identifiable information.
2. So, if all employee data is considered personal identifiable information, how can we freely partake in a worthwhile employee rewards and recognition program?
Undoubtedly, many components of an R&R program are innately based on PII. Your work anniversary, a milestone, birthday, your photo for Employee of the Month, even recognizing you by name in a publicly accessible social media platform – are all forms of personal identifiable information.
As GDPR became more widespread in 2020, Madison addressed areas that may indeed fall under the realm of PII and how it can be used for recognition and rewards purposes. In just one example, Alex Alaminos, President and CEO of Madison, noted: “A social recognition system in the market today has to have the option to send an employee recognition privately or publicly. It has to be so configurable that you can easily turn on or off the social activity aspect—the ability for me to give you an e-card that can go into an activity feed, for example—depending on a company’s location.”
In a GDPR-compliant world, organizations must take great care to ensure consent for what, how, and if any, personal data can be shared and displayed. Consent forms will require line items specifically addressed to these practices, even when companies are congratulating someone and recognizing them for their achievements.
Operating amidst GDPR and other PII protection laws
While the foundation of most regulations are based on GDPR principles, it is clear that data integrity and privacy is a fluid concept and will continue to be updated. We can expect to see more state-wide policies enacted in the future; states such as Colorado and Nevada in addition to the afore-mentioned states have already established privacy-based laws and others are soon to follow.
A potential impact to both businesses and consumers is of course the rate of change to rules and regulations, and simply having the knowledge and foresight to accommodate new changes. This would apply to individuals knowing and understanding their rights as well as businesses having the capacity to implement any infrastructure to comply with new mandates. That is why it is crucial when working with an organization that provides a service related to any individual’s personal identifiable information that they have in-depth knowledge and the tools in place to manage compliance against any data-privacy related laws.