Accurate and timely data is essential for successful Diversity, Equity and Inclusion Initiatives and other critically important programs, but when data collection activities collide with the GDPR, risks may escalate. Here’s what you need to know:
In the U.S., companies may request that job applicants provide information regarding gender, sexual orientation, ethnicity, veteran status, physical disabilities and other sensitive topics (“Sensitive HR Data”) on a strictly voluntary basis. In some instances, there may be a legal obligation to do so (e.g. employers with 100 or more employees are required to annually submit a report with data on race and gender to the Equal Employment Opportunity Commission to identify potential discriminatory employment practices). Increasingly, however, Sensitive HR Data is critical for Diversity, Equity, and Inclusion (“DEI”) initiatives and other programs to make informed decisions regarding resource allocation, establish priorities, and implement solutions. When data collection activities expand to other jurisdictions, companies must be prepared to make necessary adjustments to comply with applicable data protection laws.
U.S. companies are often prepared to take into account employment and non-discrimination laws when collecting and processing Sensitive HR Data in foreign jurisdictions, but the impact of data protection laws may not be top of mind. For purposes of illustration, consider the potential impact of the European General Data Protection Regulation (the “GDPR”), which is the most important privacy law of the European Economic Area (the “EEA,” i.e. all countries of the EU plus Iceland, Liechtenstein, and Norway), and the United Kingdom (the “UK”). Under the GDPR, “sensitive information” receives special protections during collection, processing and data transfer activities. Moreover, member state law may be more restrictive than GDPR, and limit the kinds of sensitive data collected in the context of employment, and/or specify security measures to protect such data. GDPR compliance is essential, but companies must also ensure that applicable member state laws are properly addressed.
US companies seeking to collect Sensitive HR Data in the EEA/UK and transfer it to the US in compliance with the GDPR should consider the following factors:
Collection Activities. As a threshold matter, companies should strictly apply the principle of data minimization and only collect the data that is necessary for accomplishing their stated purpose(s), and nothing more. All candidates for employment must receive comprehensive notifications that include, among other items, the types of information collected, the purpose(s) of collection, the anticipated length of time the data will be retained or the factors that will determine the retention period, and an easily understood explanation of the applicants’ rights with respect to their personal information. The notifications should be provided at the time of collection, so that the applicants’ decision to provide the information (or not) is fully informed. Applicants should further be informed that their decision, whichever way it goes, will have no impact on employment decisions.
Establish a Legal Basis for Processing. The GDPR requires a recognized “legal basis” for the collection and processing of personal data, and companies should be prepared to provide adequate supporting documentation. If, for example, the applicable legal basis for collection and processing of sensitive information is the company’s “legitimate interest,” the company must have conducted an evaluation and documented the results. More specifically, the company must undertake to balance the potential employer’s legitimate interest in collecting and processing sensitive information for purposes of supporting critical programs such as DEI initiatives, against the employees’ data privacy rights. Where the legal basis for collection and processing sensitive information is consent, companies must ensure that the consent is freely given, informed, and explicit, document the consent, and advise the applicant that consent may be revoked at any time (with instructions on how to revoke consent). Companies should be aware that some member states consider it impossible for employees to freely give consent to their employers because the relationship is inherently coercive; prior to relying on consent, care should be taken to investigate local laws that might extend this reasoning to job applicants.
Processing Restrictions. All companies should restrict access to Sensitive HR Data to only those individuals within the organization who have a demonstrated need to access it for the performance of their job functions, and should implement a written policy that governs the collection, processing, and transfer of Sensitive HR Data, together with additional security measures. All employees granted access should receive regular training that emphasizes the sensitive nature of the information and provides clear instructions on implementing the policy. The Sensitive HR Data should be aggregated and/or anonymized as soon as reasonably possible after collection, and retained for the minimum period of time necessary to accomplish the stated purpose(s).
Data Protection Impact Assessment. The GDPR requires that organizations conduct a Data Protection Impact Assessment (“DPIA”) when data processing activities are likely to result in a high risk to the rights of the individuals. Guidance on this issue states that a DPIA should be performed when at least two of a number of risk factors exist, among them the processing of sensitive data, processing data of vulnerable data subjects (which includes employees), and transferring data outside the EEA/UK. Since these risk factors will exist if a company collects and transfers Sensitive HR Data for purposes of supporting DEI initiatives, it will need to conduct a DPIA before doing so.
Designation of a Data Protection Officer. The GDPR requires the appointment of a Data Protection Officer (DPO) where, among other things, an organization’s core activities involve the processing of sensitive data on a large scale. While the decision often turns on the specific facts of a situation, the collection and processing of Sensitive HR Data regarding job applicants may involve large amounts of sensitive data; as a result, a U.S. company may be required to designate a DPO.
Data Transfers to the US. Where there is a need to transfer Sensitive HR Data from the EEA/UK to the US, appropriate safeguards must be in place to ensure protection of the data, such as the Standard Contractual Clauses (SCCs). Companies should be prepared to explain the reasons for the transfer, including why further processing activities cannot be performed as well in the EEA/UK. Anonymized data is no longer regulated by the GDPR, so whenever feasible Sensitive HR Data should be anonymized and aggregated promptly after collection and in any event prior to any data transfer.
Regulatory Oversight and Penalties. US companies should note that any violation of the GDPR that involves sensitive personal data is more likely to be viewed as “severe” by the data protection authorities. Severe violations are subject to potentially higher fines and penalties.
Conclusion. The critical importance of Sensitive HR Data for the success of DEI initiatives and related programs creates strong incentives for U.S. companies to expand data collection activities to the EEA/UK and beyond. In the EEA/UK there is an equally compelling need to comply with the GDPR, which means that any efforts in that direction must be undertaken carefully with appropriate preparation. Any organization considering collection and processing of Sensitive HR Data in the EEA/UK would be well-advised to proactively mitigate risk by adopting the recommendations set forth above.