Much has been written about the importance of managing client data in the era of GDPR. However, many firms may be overlooking a vital issue when it comes to their own internal investigations.
The rules surrounding data privacy have become much more complicated in the last few years. GDPR, plus a number of other international regulations, create fresh regulatory issues, some of which firms may not be aware of.
At the same time, data is growing in volume and complexity, and keeping a handle on it all is becoming increasingly complex. The use of cloud storage brings issues of cross-border data transactions, third-party problems and multiple jurisdictions, which can be difficult to manage.
Data processing is an extremely wide-ranging term under GDPR and, as we’ve written elsewhere, the penalties for getting it wrong can be quite extensive. Employee data must be treated just as carefully as client data, which means people must have given fully informed consent for all the ways in which their data will be used. Even when consent has been obtained, it can’t always be relied upon for investigations.
At the same time, firms must keep employees informed about what data they store, how it may be shared and with whom. As in all walks of life, employees are increasingly aware of their data rights and may well enforce them during an investigation.
How should you respond?
It’s a difficult tightrope to walk, and there’s a fair chance many companies are unwittingly leaving themselves open to non-compliance.
So, what lessons can be learned?
First, investigations teams must have a clear idea of the boundaries: what data they can analyse and how it can be used. They should put in place clear policies which ensure investigators understand how they can use data, and that only data which is relevant for the purposes of that investigation is used.
When working across multiple jurisdictions it may be necessary to obtain legal advice. GDPR has set the template for other regulators, but each takes its own individual spin on the concept. For example, China’s data privacy regulations, although closely modelled on GDPR, adopt a much looser approach to the idea of consent. Understanding which data belongs in which jurisdiction and making sure all applicable regulations are being complied with is complicated and challenging.
Consent must be managed.
A firm must have a reasonable basis for holding any data and must inform all employees about how their data will be used and what their rights are. If an investigation is carried out, they will need to be handed notices informing them about the way in which their data will be used.
This is extremely important. Individuals have become much more informed about GDPR and how it applies to them, and may use that power as part of any investigation. Authorities are also showing themselves to be increasingly willing to go further in applying the details of GDPR for employees.
Companies should take time to look again at their policies, to ensure they are achieving the same level of compliance for employees as they already have for clients. You can find out more about what’s required in an excellent insight article by Dispute Resolution Lawyer David Harris on our Global Regulatory Database.