EU Data Protection Legislation: Is your employee data safe?

The past year has seen a flurry of high-profile data security breaches in the news, with the exposure of customer details and credit card information frequently hitting the headlines.

While this has, quite rightly, made companies more careful in guarding against customer data theft, it’s critical they take a similarly vigilant approach when dealing with their own employees’ data. With the EU due to reform its data protection legislation later this year, companies that fail to comply are set to face serious financial and legal ramifications.

The US government was recently embroiled in the debate when its database was breached and data belonging to at least 21.5 million people was stolen, millions of government employees among them. Despite incidents like this helping to raise awareness around data protection issues, many companies still have no set procedures in place for handling employee data.

This provides considerable cause for concern when you consider that this data could easily be used in identity theft. If hackers gained access to benefits data, for example, they would have visibility of staff home addresses, information on their dependants, their medical history, social security numbers, salary and bank details. Imagine if that happened to you. How violated would you feel knowing that a stranger held such personal information and could use it to defraud you?

Indeed, the fines suggested are indicative of the weight the EU places on this. If current proposals go ahead, non-compliant companies could be forced to cough up as much as €100m or 5 per cent of global revenue, whichever is higher. With the Council of the EU recently reaching what it describes as “a general approach” on the new Data Protection Regulation, with a view to reaching overall agreement before the end of the year, companies are fast running out of time to reform their data protection processes.

According to the Council of the EU, the proposed regulation will “enhance the level of personal data protection for individuals” and “increase business opportunities in the Digital Single Market”. The aim is to harmonise the current laws across the EU member states and to provide a higher common standard of data protection. As the proposal is for regulation rather than a directive, it will be directly applicable to all EU member states without the need for national implementation of legislation.

While some will welcome the clarity provided by the regulation, certain aspects of the proposal are likely to worry British companies. In the UK, there is currently no legal requirement for companies to self-report data breaches, meaning that your personal data could already have been stolen without you knowing.

A large part of the problem comes from a general lack of education. Outside of IT departments, most members of staff are simply unaware of the risks involved in data transfer or of the need to encrypt data. Instead, many are still using Excel documents and emails to transfer confidential financial employee data to insurers and pension providers. Even large multinationals with well-established data protection processes often fail to replicate best practice in locations with smaller headcounts. This simply should not be happening. Companies must implement data protection processes universally, as they have a duty to their employees, which includes protecting their sensitive data, no matter where they’re based.

For many companies, ensuring that they are compliant will mean a complete overhaul of their data protection procedures before the regulation is implemented. Even companies with fewer than 250 members of staff may need to consider hiring dedicated information security officers to take on the responsibility of protecting employee data. If not already planning for this, organisations risk becoming unstuck when the proposed legislation comes into force.

However, simply reviewing internal processes will not be enough. Under the proposed regulations, any company or individual that processes or holds data that could be used to identify an individual will also be held responsible for its protection. While this means third parties such as cloud providers will need to be extra vigilant, it’s the data owners that will ultimately be responsible for properly vetting all organisations that handle their data. If sufficient checks are not carried out, companies could be accused of negligence and held accountable for any losses an employee suffers as a result of a breach. Organisations will need to think about how they can protect themselves in every way possible. Ensuring that data is stored in a private cloud is one way to do this. Any third-party cloud provider should know where your data is located at all times and ensure that no data leaves that location unless instructed to.

Another way is to use an online employee benefits portal to automate data processes. In order to determine benefit eligibility, employers must hold a range of incredibly sensitive data, including medical history and number of dependants. Using a benefits platform removes the risk of manual error and adds a data security wrapper around sensitive data during transfer. It also allows data to pass securely between an organisation and a third party, and keeps the technology environment globally consistent.

Organisations that use cloud providers based outside the EU will be subject to the same rules. In fact, the most recent negotiations concluded that organisations transferring personal data on EU citizens outside of the European Economic Area will be subject to even tighter regulation.

The next meeting of the “trilogue” (the European Commission, the European Parliament and the Council of the European Union) is scheduled for later this year.

While the changes introduced by these new requirements might initially appear to be a burden, compliance means that employees will be far more in control of their data and that the chances of data loss will be greatly reduced. The most important piece of advice I’d give employers is: act now, and be prepared.

Chris Bruce, Managing Director of Thomsons Online Benefits