How the General Data Protection Regulations Impacts Employees

GDPR Report: Part 2 In this second of our two part blog, we discuss how employees will be affected by the new General Data Protection Regulations (GDPR) coming into force in May 2018 and what companies need to do to comply. Read Part 1 here, "Impacts of new GDPR for your People Systems and HR Data".

What your employees need to know about GDPR

As an organizational leader, you may no doubt be well-versed about the implications of the new GDPR that is expected to change the way employee data is handled forever. However, do you have a plan to communicate the changes to your employees? You certainly don’t want to leave employees to try and piece together information about the GDPR on their own. It is a complex requirement that warrants a clear explanation because it impacts the use of employee data.

Communicating with employees

Here is some general content you are welcome to use in your discussions with employees and any associated communications about the GDPR: The General Data Protection Regulation (GDPR) is a new data security initiative that comes into effect from May 2018. It impacts any organization that’s either headquartered or has offices in the UK. Under the GDPR, any company that collects, stores, or transmits employee-owned data must do so with enhanced security measures which include the use of EU-only servers and additional precautions in place to protect this data. All third-party vendors must also comply with GDPR. This means, your data belongs to you and you have the responsibility to opt-in to its use and understand that it is only to be used for strict business purposes. 

Protecting consumer data - why it matters so much

According to a new report issued by Risk Based Security, cybercrime is up at an alarming rate. Globally, data theft has reached record-breaking levels, with more than 4.2 billion records stolen in just 2016 along (that’s 3.2 billion more records than in 2013). More than half of information breaches were reported by businesses, including heavy emphasis on medical institutions and government agencies. The protection of consumer data should be the number one priority of your business, because this is where the damage is done. Just one leak of personal data can result in hundreds of thousands of dollars in stolen identity claims and a lifetime of worry for victims. In 2015, British insurance company Lloyd’s estimated that cyber-attacks can cost businesses upwards of $400 billion annually, but by 2019, this number looks to be more like $2.1 trillion globally, based on Juniper Research data -- quadruple the costs in just the last few years.

Dispelling employee fears about the GDPR with education

Employees are likely to be alarmed by these facts, and rightfully so. Imagine the impact of falling prey to a cybercriminal and having one’s personal data stolen at work? There is a huge amount of trust that goes into supplying personal information with an employer. This is especially the case when employees are then asked to provide even more personal thoughts, such as through employee 360-degree feedback surveys or when registering for work benefits. It’s critical to gain and hold onto this trust by having an educational campaign in place to explain the GDPR with employees and the procedures your company has put into place to keep employee information safe 24/7.

Guidelines for compliance with GDPR

There are some general guidelines that you can use now to comply with the GDPR requirements. Now is the time to start preparing for this event. Jerry Pett, CEO and co-founder of Thymometrics has provided some helpful guidelines in Part 1 of our special blog, "Impacts of new GDPR for your People Systems and HR Data". Here are some additional considerations for your organization:
  • Start determining why employee data is stored in certain systems and run an audit to determine the level of security for each system. It could be time for a more streamlined approach with an HRIS solution that reduces risk.
  • Establish the proper safety protocols for gathering data during onboarding of new hires, the use of third-party cookies with web browsers, and specifics of how data should be used, stored, and processed.
  • Create an opt-in document for all employees to allow the business-only use of their personal data as shared during hire, benefits enrolment periods, and when used for employee surveys.
  • Develop a comprehensive educational program around the topic of GDPR that answers all the most common questions that employees may have. Integrate this with your other data security programs.
  • Use a standard digital opt-in statement that requires a signature each time new data is being shared. Make sure it clearly states the purpose for gathering this information, how it will be stored and shared, and why it’s being requested.
  • Appoint a point of contact information security officer to field any employee questions or concerns about data safety and sharing.

Using vendors that are GDPR compliant

It is also critical that a full audit of your current vendors is performed now to determine their level of knowledge about GDPR mandates and if they are taking steps to protect your employee data. This includes the housing of data in the EU, including servers. Companies that use international servers found in other countries are not GDPA compliant. The good news is that Thymometrics is already fully compliant with GDPR requirements. We have long taken extreme caution in how employee data is handled and our servers are local in western Europe. This means you do not have to worry about how your employee engagement data is protected - the security of your data is of paramount importance to Thymometrics.
If you'd like to find out more about how the new General Data Protection Regulations might affect your employees, speak to Thymometrics: email, call +1 646 760 9323 (US) or +44 (0) 1223 750 251 (Europe) or visit Image courtesy of jk1991 at