This week, we're covering the U.S. Department of Labor's (DOL's) decision to halt enforcement of the Biden-era independent contractor rule, the upcoming EEO-1 reporting season (starting on May 20), and New York State's new labor law amendment, reducing damages for first-time frequency-of-pay violations.

DOL Halts Enforcement of Independent Contractor Rule
The DOL will no longer enforce the Biden-era independent contractor rule, which sought to tighten the criteria under which a hired worker can be considered an independent contractor for purposes of the Fair Labor Standards Act. The agency will now revert to the less stringent "economic realities" test.

EEO-1 Reporting Begins Soon
The proposed 2024 EEO-1 Component 1 data collection season is scheduled to begin on May 20, with a deadline to file by June 24. As expected, Component 2 pay data collection will not be required this year or in the coming years.

New York Amends Labor Law to Limit Damages in Frequency-of-Pay Lawsuits
New York Governor Kathy Hochul signed into law a budget bill that includes an amendment to the New York Labor Law that dramatically limits the relief employees can seek for first-time violations of frequency-of-pay provisions.

Visit our site for this week's Other Highlights and links: https://www.ebglaw.com/eltw390
Subscribe to #WorkforceWednesday: https://www.ebglaw.com/subscribe/
Visit http://www.EmploymentLawThisWeek.com

This podcast is presented by Epstein Becker & Green, P.C. All rights are reserved. This audio recording includes information about legal issues and legal developments. Such materials are for informational purposes only and may not reflect the most current legal developments. These informational materials are not intended, and should not be taken, as legal advice on any particular set of facts or circumstances, and these materials are not a substitute for the advice of competent counsel. The content reflects the personal views and opinions of the participants. No attorney-client relationship has been created by this audio recording. This audio recording may be considered attorney advertising in some jurisdictions under the applicable law and ethical rules. The determination of the need for legal services and the choice of a lawyer are extremely important decisions and should not be based solely upon advertisements or self-proclaimed expertise. No representation is made that the quality of the legal services to be performed is greater than the quality of legal services performed by other lawyers.
This week, we're covering the relaxation of state-level non-compete rules, the recent block of Executive Order 14173's diversity, equity, and inclusion (DEI)-related certification requirement, and a federal appeals court's decision to pause a challenge to the Biden-era independent contractor rule.

Non-Competes Eased in Kansas and Virginia
Kansas has enacted a law permitting non-competes while setting requirements for non-solicit provisions. Additionally, effective July 1, 2025, Virginia will prohibit non-compete agreements for non-exempt employees.

Federal Contractor DEI Rule Blocked
In a lawsuit brought by Chicago Women in Trades, a federal judge paused a rule from Executive Order 14173 requiring federal contractors to certify that they don't operate DEI programs that violate anti-discrimination laws, citing unclear definitions of “illegal” DEI programs.

Independent Contractor Rule in Limbo
The U.S. Court of Appeals for the Fifth Circuit paused a challenge to the 2024 independent contractor rule, allowing the U.S. Department of Labor time to consider revising or replacing it. For now, the Biden-era rule remains in effect.

Visit our site for this week's Other Highlights and links: https://www.ebglaw.com/eltw387
This week, while recognizing that it's far from “business as usual” in California and keeping our friends and clients in mind, we look at a new ruling in California regarding Private Attorneys General Act (PAGA) arbitrations. We also examine a federal appeals court decision limiting the authority of the National Labor Relations Board (NLRB) and the flurry of new employment laws taking effect in 2025.

PAGA Ruling in California
In what's seen as a win for California employers, the California Court of Appeal recently ruled that every PAGA action necessarily includes an individual PAGA action.

Third Circuit Limits NLRB's Authority
Over the last year, the NLRB expanded its enforcement priorities and tested the limits of its authority. But the U.S. Court of Appeals for the Third Circuit finished 2024 with a rebuke of those efforts, curbing the NLRB's authority to order legal relief.

New Employment Laws in 2025
A new year brings new laws and regulations, many of which took effect on January 1. Employers can stay up to date on local and state laws and regulations by downloading our Wage & Hour Guide for Employers app, which is updated each February.

Visit our site for this week's Other Highlights and links: https://www.ebglaw.com/eltw374
In this episode, Darnley uncovers the chaos caused by the MOVEit hack, a massive data breach affecting millions worldwide. Learn why hackers exploited vulnerabilities to steal sensitive data from major organizations and what it means for personal and global security. Tune in for insights on staying safe in an increasingly vulnerable digital world. Subscribe now to Darnley's Cyber Cafe and stay informed on the latest developments in the ever-evolving digital landscape.
In today's episode, Aj dives into a compelling concept: the real value of tracking the journey of an idea—from its spark of inspiration to its tangible impact in the market and within your business. He shares insights on why understanding this timeline is crucial, and how it can reveal hidden opportunities and drive meaningful change. Tune in for some thoughtful perspectives that might just shift the way you think about innovation and execution.
Did u hear? #37 Amazon and McDonalds Employee Data Breach and more

Challenges of Faith Radio has also made (10/23/24) the following leaderboards on Goodpods:
#3 in the Top 100 Author Monthly chart
#11 in the Top 100 God Monthly chart
#19 in the Top 100 Author All time chart
#22 in the Top 100 Health Monthly chart
The Cybercrime Magazine Podcast brings you daily cybercrime news on WCYB Digital Radio, the first and only 7x24x365 internet radio station devoted to cybersecurity. Stay updated on the latest cyberattacks, hacks, data breaches, and more with our host. Don't miss an episode, airing every half-hour on WCYB Digital Radio and daily on our podcast. Listen to today's news at https://soundcloud.com/cybercrimemagazine/sets/cybercrime-daily-news. Brought to you by our Partner, Evolution Equity Partners, an international venture capital investor partnering with exceptional entrepreneurs to develop market leading cyber-security and enterprise software companies. Learn more at https://evolutionequity.com
Prepare to be spellbound this Halloween as we cast a magical twist on the realm of trade secrets and restrictive covenants! Whether you're a Gryffindor at heart or more of a Slytherin, there's something for every magical mind seeking to safeguard their organization's trade secrets. In this episode of Spilling Secrets, Epstein Becker Green attorneys A. Millie Warner, Jill K. Bigler, and Aime Dempsey team up with Kristen O'Connor—Senior Assistant General Counsel, Employment at Marsh & McLennan Companies—to wave their legal wands over topics such as Professor Snape's secret potion book, Hermione's clever jinxes, and much more.

Visit our site for this week's Other Highlights and links: https://www.ebglaw.com/eltw366
Igor Karpovich, CRO of Aniline, joins us to discuss their groundbreaking generative AI platform. Aniline specializes in identifying, analyzing, and categorizing employee perception data, transforming it into actionable insights for businesses. Igor shares how Aniline's technology acts as a large-scale employee focus group, helping companies understand key issues and pain points. He delves into Aniline's diverse use cases, from B2B sales to risk assessment in M&A transactions. Igor also offers valuable insights on effective website design for lead generation and shares his perspective on leadership in revenue management.
Our fifty-first podcast is brought to you by Matt Crawford and Melissa Thomas. This week they look at the European Court of Justice upholding a 2016 decision that Ireland is required to recover 13 billion Euros from Apple and the Upper Tier Tribunal sides with HMRC in their case against Stuart Barnes regarding his employment status. Matt discusses changes to the data employers are required to provide to HMRC regarding hours worked by employees and Melissa discusses how HMRC is an unlikely fan of the Oasis reunion.
This week, we're looking at recent state-level changes and legal trends that have varying degrees of impact on employers.

Massachusetts Pay Equity Law
Massachusetts is the most recent state to enact a pay equity law. The law establishes new pay range disclosure requirements for employers that employ 25 or more employees in Massachusetts.

Illinois Amends BIPA
Illinois' new law limits penalties under the Biometric Information Privacy Act (BIPA) and clarifies consent procedures. Employers can now be held liable only for a single violation per person rather than for each alleged use of biometric data.

Michigan Supreme Court Reinstates Wage and Leave Laws
In Michigan, employers will have to reckon with a new decision from the state's Supreme Court that reinstated two laws that were created through a public initiative. One law provides for annual increases to the minimum wage and a gradual elimination of a wage differential for tipped workers, while the other expands paid sick leave obligations.

Federal Courts Strike Down Controversial Florida Laws
In Florida, a federal district court judge permanently blocked the state's Stop WOKE Act, which restricted workplace diversity, equity, and inclusion training. And a different federal judge in Florida overturned the state's ban on transgender health care.

Visit our site for this week's Other Highlights and links: https://www.ebglaw.com/eltw356
In today's episode, we discuss hackers exploiting a critical vulnerability in D-Link DIR-859 routers (CVE-2024-0769), compromising user credentials (source: https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-d-link-dir-859-router-flaw-to-steal-passwords/). We also cover Microsoft's recent notification about the widespread impact of Midnight Blizzard's password-spray attacks on enterprise emails (source: https://www.cybersecuritydive.com/news/microsoft-customers-compromised-threat-group/720173/). Lastly, we highlight a data breach at Geisinger, affecting over 1 million patients due to unauthorized access by a former Nuance employee (source: https://www.geisinger.org/about-geisinger/news-and-media/news-releases/2024/06/24/18/17/geisinger-provides-notice-of-nuances-data-security-incident).

Video Episode: https://youtu.be/17B6IbSaarg
Sign up for digestible cyber news delivered to your inbox: news.thedailydecrypt.com
Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/

Tags: Hackers, D-Link DIR-859, flaw, passwords, routers, network security, Microsoft, Midnight Blizzard, Sunburst attacks, enterprise email, cyber threats, Geisinger, data breach, sensitive data, IT security

Search Phrases: How to secure D-Link DIR-859 router; Hackers exploiting D-Link router flaws; Midnight Blizzard Microsoft email breach; Sunburst attacks enterprise impact; Geisinger data breach patient safety; Identifying misuse after a data breach; Microsoft enterprise email vulnerability; Protecting sensitive data from hackers; Steps to secure outdated routers; Recognizing red flags in data records
London Drugs Employee Data posted on the Dark Web
GUEST: Andy Baryer, Tech and Digital Lifestyle Expert at http://HandyAndyMedia.com

Why Burnaby's response to the housing crisis stands out
GUEST: Geri Mayer-Judson, Show Contributor

Political Update in BC
GUEST: MLA John Rustad, Conservative Party of B.C.

The RCMP are out of Surrey
GUEST: Public Safety and Solicitor General, Honourable Mike Farnworth

The Future of Policing in Surrey
GUEST: Surrey Mayor Brenda Locke

WestJet wants you to travel without luggage
GUEST: Claire Newell, Owner of Travel Best Bets
(00:00) Intro
(01:25) Parker's Early Life and Education
(02:08) Parker's Experience at Harvard and Early Career
(05:21) Parker's Journey to Entrepreneurship
(08:27) The Founding of Sigfig and Challenges Faced
(10:15) The Birth of Zenefits and its Rapid Growth
(13:13) The Downfall of Zenefits and Lessons Learned
(19:12) Parker's Perspective on Media Narratives and VC Involvement
(35:48) The Power of Investors and Branding
(37:22) The Influence of Media on Investment Success
(38:42) The Role of Venture Capitalists and Founders
(39:39) The Impact of Social Media on Business
(40:48) The Rise of Andreessen Horowitz
(41:18) Introducing Rippling: A New Approach to Business Software
(41:32) The Power of Employee Data in Business Software
(49:47) The Advantages of Compound Companies
(56:13) The Role of Founders in Business Units
(01:09:20) The State of San Francisco and the Tech Industry

Produced: Rashad Assir & Leah Clapper
Mixed and edited: Justin Hrabovsky
Executive Producer: Josh Machiz
Jennifer Mitchell is a Partner and the Head of Privacy Governance and Technology Transactions at Baker Hostetler, a law firm specializing in digital risk advisory and cybersecurity, blockchain and digital assets, financial services, and more. Jennifer's law career spans over 15 years with legal, compliance, and operations expertise. At Baker Hostetler, Jennifer provides business solutions to uphold evolving US state privacy laws in compliance with the General Data Protection Regulation, HIPAA, and California Consumer Privacy Act. In this episode… The amended California Consumer Privacy Act defines employees as consumers. So what does that mean for employee privacy rights? The CCPA affects employee rights by requiring employers to implement security measures to protect employees' personal information. These measures include implementing data security policies and procedures, conducting regular security audits, and training employees on data security best practices. Privacy lawyer Jennifer Mitchell explains that CCPA gives workers the right to request their employers disclose the personal information employers have collected about them. This gives employees the freedom to either opt out of selling their data or have their information deleted from their employer's records. Additionally, CCPA prohibits companies from discriminating against employees who request their rights. Join Jodi and Justin Daniels in today's episode of the She Said Privacy/He Said Security Podcast, where they welcome Jennifer Mitchell, Partner at Baker Hostetler, to discuss employee privacy under the California Consumer Privacy Act. Jennifer discusses the difference between “right to know” and “right to delete,” opportunities for employee privacy rights to build relationships between companies and employees, and how company employee monitoring may potentially violate employee privacy rights.
Cyber attack hits Philadelphia Inquirer
Transportation Department cyber breach exposes federal employee data
3 million data breach notices being sent to SchoolDude users

Thanks to today's episode sponsor, Hunters. Relying on a SIEM in 2023 is like living in a college dorm room, post-graduation - you're operating in an environment you've outgrown. The Hunters SOC Platform is purpose built to help your Security Operations mature to the level you need to be at. ChargePoint, the world's largest network of electric vehicle charging stations, uses Hunters SOC Platform to leverage its out-of-the-box detection content to more efficiently respond to new threats and vulnerabilities. It's time to Move Beyond SIEM. Visit Hunters.security to learn more and let them know you heard about Hunters on the CISO Series.

For the stories behind the headlines, visit CISOseries.com.
In this episode, you'll learn about employee data, monitoring and privacy, including:
- When a subject access request is considered excessive
- The biggest pitfall employers fall into when capturing data
- Whether an employer needs consent to use work monitoring software

Daniel discusses the topic with Jeremy Scott-Joynt from Outer Temple Chambers.

This podcast is supported by rradar and by Breedon Consulting and by the HR Inner Circle (the UK's leading community for smart, ambitious HR Professionals).

Platinum Policy Package 2023 - up-to-date HR Policies from a practising Employment Law Barrister that you can rely on to be concise, easy to follow and legally compliant: http://www.policies2023.com
We all have a tendency at times to “shoot from the hip”, “trust our gut” or use dogma to make important decisions. However, when it comes to business decisions, this can come back to bite us if we're not careful. That is why we strive to always back up our decisions with data. When understood and used correctly, employee data can be one of the most useful assets in gleaning insights about our organizations. Spend an hour with Christian Nielson and Matt Wride learning how to help your organization make data-driven decisions about its most valuable resource, its people.
After a surprise in her college admissions process, Kate started college thinking she wanted to be a psychology major. After realizing her interests were better aligned with Political Science, Kate found herself on a path in local government, which often presented her with opportunities to learn new skills and take her down new career path possibilities. We talk about the nerves involved with leaving home to go far away to college, working and interning for politicians, graduate work in Urban Planning, how local governments are organized and how they can use data to better our communities, and why Kate decided to leave her long-term city position to venture out on her own with her business partner. You can follow the work Kate is doing at https://www.porchlightinsights.com/.
Paul Guerra, CEO of the Victorian Chamber of Commerce and Industry, said the increases were positive.
Summary:
Dr. Adam McKinnon is the People Data and Analytics Lead at Reece Group in Australia. Over the course of his career, he's focused on driving individual, team, and organizational performance through the development and implementation of tailored analytics frameworks and methodologies. Martha Curioni is the Associate Director of HR at IQVIA in Italy. She leverages her technical skills and expertise to help businesses solve their problems using data analysis. In this episode, Adam and Martha talk about the data analysis model presented in the article they co-wrote entitled Automated Assessment of Employee Data Quality using Machine Learning.

Chapters:
[0:00 - 6:07] Introduction
Welcome, Adam and Martha!
Today's Topic: Automated Assessment of Employee Data Quality using Machine Learning
[6:08 - 15:04] What motivated you to start your project?
"Necessity and curiosity"
Driving the conversation about data quality
[15:05 - 27:42] What did you learn from the process?
Using the best tool for the job
Knowing how to best present your findings to those who haven't lived through the project
[27:43 - 34:31] How do we realistically start using this new data quality model?
Real world examples of this model being used
Starting with simple checks before using the model
[34:32 - 38:08] Final Thoughts & Closing
Curiosity is key
Thanks for listening!

Quotes:
"Machine learning is this great opportunity to synthesize this massive complexity and distill it to a form that becomes usable, but [machine learning] also elevates the level of work that our HR colleagues can perform."
"The model really is meant to catch . . . the combination of variables that make [your data] inaccurate. And so that's where the model comes in—[it's] able to raise that level of sophistication."

Resources:
Article: Automated Assessment of Employee Data Quality using Machine Learning

Contact:
Adam's LinkedIn
Martha's LinkedIn
David's LinkedIn

Production by Affogato Media
Podcast Manager: Karissa Harris
American Airlines says hackers obtained some customer and employee data; The iPhone 14 Pro isn't as easy to repair as the other new models
Directionally Correct, A People Analytics Podcast with Cole & Scott
Role of Virtue in People Analytics Article: https://medium.com/@cole.napper/the-role-of-virtue-in-people-analytics-de959fa27f72
BRN Weekly | Giving Kids the “Get up and Go” lifestyle , Balancing employee data sharing with privacy, The State of the Fiduciary in 2022 and Staying in Control of Your Career at 50+ (or at any age) | Tamara Conan, Elizabeth Goldberg and Kevin Walsh, John Faustino and Cynthia Dash and Kerry Hannon | www.broadcastretirementnetwork.com
BRN AM | Legal considerations for fiduciaries when sharing employee data for benefit plans | Elizabeth Goldberg, Morgan Lewis & Kevin Walsh, Groom Law Group | www.broadcastretirementnetwork.com
Connie & Alex talk about tech news stories you might have missed, and then Connie interviews serial entrepreneur Parker Conrad, co-founder and CEO of Rippling, an employee data startup that recently closed a round led by Sequoia at a $6.5 billion valuation.

Music:
1. "Inspired" by Kevin MacLeod (https://incompetech.filmmusic.io/song/3918-inspired)
2. "Blippy Trance" by Kevin MacLeod (https://incompetech.filmmusic.io/song/5759-blippy-trance)
3. "Dream Catcher" by Kevin MacLeod (https://incompetech.filmmusic.io/song/4650-dream-catcher)
4. "Pamgaea" by Kevin MacLeod (https://incompetech.filmmusic.io/song/4193-pamgaea)
5. "EDM Detection Mode" by Kevin MacLeod (https://incompetech.filmmusic.io/song/3687-edm-detection-mode)
License: https://filmmusic.io/standard-license
In this HRchat, we talk about using people data for good. Listen as we discuss the responsibilities of companies and employees when it comes to sharing and storing information. Bill's guest is Al Adamsen, founder and CEO of People Analytics & Future of Work, a San Francisco-based events planner and global network advocating the ethical use of people data.

He's a globally recognized thought leader, advisor, and educator in the areas of People Analytics, Talent Strategy, Workforce Planning, Diversity, Equity, & Inclusion, Employee Engagement & Well-being, Ethics, Organizational Change, Digital Transformation, and the Future of Work. He's the Founder & CEO of the People Analytics & Future of Work (PAFOW) Community & Conference Series, a global network committed to promoting People Data for Good: the responsible and ethical use of people data, analytics, and artificial intelligence (AI) for the benefit of individuals, teams, groups, organizations, and society at large.

Questions Include
* What do you mean when you talk about the "ethical use of people data, analytics, and artificial intelligence; for the benefit of individuals, teams, groups, organizations, and society at large"?
* There's plenty of tech out there attempting to 'spy' on employees such as accessing their social media accounts and reporting back behaviors incongruous with an employer's brand. Do companies have a right to 'intrude' on an employee's social media accounts if it means they can potentially identify employees with extremist views and other outlooks not in keeping with a company's mission and values?
* What about remote monitoring of employee behavior? Where do you stand on the tech that allows companies to monitor employee work behaviors - used on the premise that it's to ensure people are not 'slacking off'? Surely the last 18 months have proven that productivity is more important than hours served?
* What happens to employee data when they leave a company? Can employers hold on to, for example, web browsing behavior on company-owned devices or should that information be deleted upon the termination of the employee's contract?

We do our best to ensure editorial objectivity. The views and ideas shared by our guests and sponsors are entirely independent of The HR Gazette, HRchat Podcast, and Iceni Media Inc.
In today's episode I break down how leaders should be analyzing and unpacking employee data; a way to do so where you can unhinge the MOST useful data!
This is your HR News Flash, your briefing on talent management and the world of work from HRCI. Data is one of the most valuable company assets. Failure to effectively protect sensitive employee information puts an organization at risk in the event of a data breach. Here's how to establish effective employee data protection practices:

First, create a data safety committee. Develop a committee that is dedicated to governing all of your organization's assets. Meet at least once a year to review data practices. They should be able to anticipate changes and their impact on employee data safety.

Second, develop data protection policies. If employees know exactly how their data will be used and stored, they will be more likely to consent to data collection. Always ask for consent when gathering and storing employee data.

Lastly, data safety education. Working toward baseline data proficiency is vital for preventing the misuse of data. Establish concrete policies for requesting and distributing data. Employees at all levels should have enough data proficiency to raise questions and concerns.

This concludes your HR News Flash. HRCI prepares HR leaders for the digital age. Thanks for listening. Check back soon for the workplace news you need. Learn more at HRCI.org.
In this episode Rakesh Chopra, Snr Transformation Manager, Allianz Global and Jeff Phipps, General Manager, ADP UK & Ireland, discuss the role of employee data in predicting trends and supporting critical decisions during Covid times and beyond. Guests share their practical insights on transformation programmes and pre-requisites for success in this area.

Featured guests: Rakesh Chopra, Snr Transformation Manager, Allianz Global. Jeff Phipps, General Manager, ADP UK & Ireland.

Topics covered include: workforce planning, power of employee data, harvesting analytics from remote working technology, data visualisation, data ethics, organisation design strategies.

Copyright © 2021 Automatic Data Processing Limited (ADP). All rights reserved. This content may not be distributed, reproduced, modified, sold or used without the written permission of ADP. The information is provided "as is" without any expressed or implied warranty, and is advisory in nature. This content is provided with the understanding that neither the presenters nor the writers are rendering legal advice or other professional services. This material is current as of the date of this episode (8th February 2021).
Robert Meyers is the Channel Solutions Architect for One Identity, a software company that helps organizations establish an identity-centric security strategy. Tom Fox welcomes him to this week’s show to talk about compliance, data privacy, and employee data issues. The Role of One Identity “Most companies forget about employees, and this gets impacted by GDPR,” Robert says. His role at One Identity allows him to explain to companies where they can fit identity protections for employees. He also helps companies with their logging systems to prevent them from sending sensitive information into their log store. Robert adds that he also works as a consultant for partners and helps with privileged access management. Data Has a Life Cycle “Data itself should have a life cycle,” Robert emphasizes. The concept of never deleting anything and keeping copies of everything is a bad idea. Data discipline and data management governance expect that you remove data at an appropriate time. Robert reiterates that data privacy and data protection have to be integrated into operations, because if they aren’t, they won’t be dealt with at all. In response to Tom’s question on who owns Compliance, Robert says that it has to be the Chief Operating Officer. What’s Next Tom asks Robert what businesses should expect to happen around data privacy between now and 2023. Robert says that there will be more risk assessment. Most breaches conducted within organizations are internal. He advocates for greater enforcement of laws and regulations as well as more legislation. Resources: OneIdentity.com; Robert Meyers | Twitter, LinkedIn
Nick Baumeister discusses in this 30 minute German session the advantages, hurdles and perspectives of digitization in HR management with Herbert Lörch. Hosted by Nick Baumeister (Business Development Manager Digital Solutions, Iron Mountain), and Herbert Lörch (RVP DACH, M-Files).
This episode talks about the additional costs a data breach can bring to your organization. The Mayo Clinic suffered a breach at the hands of an internal employee. Now the victims of that breach are suing for damages. Tune in for the details. Be aware, be safe. Security In Five Podcast: website, Reddit r/SecurityInFive, Twitter @securityinfive.
Matheson’s Employment Law podcast series in which Bryan Dunne, Head of Employment at Matheson, discusses the latest developments in Irish employment law. The podcasts are a key resource in keeping up to date for HR practitioners, employment lawyers and international employers with employees in Ireland.
Tertius Wessels, advocate and legal director of Strata-G Labour Solutions
Employee Cycle: Human Resources (HR) podcast about HR trends, HR tech & HR analytics
Why should you use your HR data for more than just HR? Vanessa Wu, General Counsel at Rippling, discusses why and what it could be used for. What you’ll learn from this episode: How and why is Employee Data more than just HR? How are Privacy and Security different? Should HR data be used to […]
Laura Del Beccaro is the cofounder of Sora. People teams trust Sora to connect HR tools, sync employee data, and automate HR processes.
In episode 180, we hear from Ryan Tahmassebi, a business psychologist and the Director of People Science at Hive, an employee feedback platform and strategic partner. Listen as Ryan shares his insights into using employee data to help drive lasting cultural changes in the workplace. In his role at Hive, Ryan steers thought around people analytics and leads Hive’s team of people scientists, who work alongside businesses to create high-performing cultures characterized by happy, healthy, and thriving employees. Ryan started his career as a Business Psychologist in 2012 after joining Sir Cary Cooper and his team of wellbeing and engagement experts at Robertson Cooper. His experience includes working with leaders and HR pros to develop wellbeing and engagement strategies that are impactful for both the business and employees, as well as designing and delivering a range of projects for organizations such as Nestle, Crossrail, and John Lewis. Ryan has also played a lead role in the growth of ‘Good Day at Work’, a wellbeing network now consisting of over 50,000 members in the UK.
LiveTiles' solutions improve the employee experience with intelligent workplace technology including intranets, AI & employee chat-bots, employee mobile apps, employee data capture and insight tools & many other capabilities designed to simplify the complex within the workplace. In this podcast, the founders talk about how they complement each other, how they raised money by listing early, and how they have sustained growth at over 100% p.a. www.livetiles.nyc
Coming up in this week's extended edition of the GDPR Weekly Show: Guidelines on collecting Covid19 employee data as employees return to work after lockdown, Hungarian Government overrules GDPR while state of emergency in place, House of Commons committee finds NHS Covid19 Tracking App not suitable for widespread use, Interview with Hayes Connor, solicitors who specialise in data breach claims, SAP data handling not compliant with statutory requirements, GoDaddy data breach finally admitted after 9 month delay, Tesla cars data breach when customer data not removed from replaced components
Originally, this was going to be a cyber episode, but based on a recent conversation with plaintiff’s attorney Jerry Schlichter and some subsequent litigation, I thought it might be good to expand our horizons to include employee data. My guest today, Jenny Eller, Principal and co-head of the Fiduciary Practice at Groom Law Group, brings her experience and perspective to the conversation. We first dive into the data side of the conversation with some general thoughts on the business practices around data, whether it is a plan asset, and why it could be a hot topic for the foreseeable future. Then we make a soft pivot to cyber risks, and share thoughts on where employers might be worrying too much and where maybe they are not worrying enough. Jenny also makes some interesting points on how ERISA doesn’t even contemplate some of the losses we are experiencing in plans today and what plan sponsors can do to protect their plan, participants and themselves. Good stuff! Before we get started, I am so excited to share that with some help, I finally got the website in much better working order. Check it out when you have a chance. For more information about this episode go to www.401kfridays.com/cyber2020; to see prior episodes click on “Podcast Episodes” on the top, and if for any reason you are not subscribed you can take care of that while you are there as well. Guest Bio In her practice, Jennifer Eller advises financial institutions on the design and delivery of products and services to the retirement plan marketplace, and advises large corporate and public plan sponsors on all aspects of ERISA fiduciary compliance. Jenny writes and speaks frequently on fiduciary issues, appearing at conferences held by the Fiduciary Risk Management Association, the Practising Law Institute, and the ALI CLE among others. Jenny is co-head of Groom’s Fiduciary Practice Group.
In her role as practice group co-head, Jenny is responsible for ensuring that the strategic direction and new initiatives of the Fiduciary Group position Groom to serve the needs of its financial, corporate, and public plan clients. 401(k) Fridays Podcast Overview Struggling with a fiduciary issue, looking for strategies to improve employee retirement outcomes or curious about the impact of current events on your retirement plan? We've had conversations with retirement industry leaders to address these and other relevant topics! You can easily explore over 175 prior on-demand audio interviews here. Don't forget to subscribe as we release a new episode each Friday!
Coming up in this week's episode of the GDPR Weekly Show: 1&1 Fine for Data Security Failure at Call Centre, Facebook Breach of Employee Data, What Becomes of the EU-US Privacy Shield after Brexit, Third Party Notification of Data Breaches - How Would You Respond? France Considers Criminal Offences for some GDPR Failures, German ICO Suggests Changes to GDPR, GDPR and Corporate Christmas Cards
As we wrote about on the Ad Law Access blog (link below), the California legislature voted to send five amendments to the CCPA to the California governor’s desk. The amendments include a one-year exemption for access and deletion rights to employee data and B2B communications; a provision exempting online-only businesses from operating a toll-free number to accept consumer requests; and a new mandate for data brokers to register with the Attorney General’s office. Governor Gavin Newsom has until October 13, 2019 to act on the legislation. The California legislative session ended on Friday, and no additional CCPA amendments are expected before the law comes into effect on January 1, 2020. On this podcast, Alex Schneider discusses the amendments to the CCPA that had been pending in the California legislature and what's next. See our blog Ad Law Access (https://www.adlawaccess.com/2019/09/articles/ccpa-update-legislature-amends-the-ccpa-to-exclude-employee-data-b2b-communications-for-one-year/) for additional information on these and other privacy and advertising law topics. For additional information on the CCPA and other privacy matters, visit Kelley Drye's Advertising and Privacy Law Resource center.
Gen Desktop Payroll software is an all-in-one tool for human resource managers: it not only handles attendance marking and payroll tasks but also preserves and maintains a complete database of employees, along with their attendance, in a highly secure way. Employee data secured in Gen Desktop Payroll can be accessed any time, anywhere through the synced online payroll, which each employee signs into with a specific login password allotted to them. Gen Online Payroll software, delivered as SaaS (software as a service), carries the same features, functionality and credibility as the desktop software.
Coming up in this week's episode of the GDPR Weekly Show: HMRC Voice Recognition Data Breach Update, UK Home Office and ICO Clash Over Facial Recognition, SNP Euro Election Data Breach, DVLA May Find 2nd Class Post is More Expensive, Turkish ICO Fines Facebook for Data Breach, Uber Employee Data Requests Could End In Court Action
Sara Jodka is an attorney for Columbus-based Dickinson Wright. Her practice covers both data privacy and employee law. She's in a perfect position to help US companies in understanding how the EU General Data Protection Regulation (GDPR) handles HR data. In the second part of our interview, Sara will talk about the relationship between HR data and Data Protection Impact Assessments (DPIAs). Most companies will likely have to take the extra step and perform these DPIAs, but there are specific triggers that Sara will delve into. Transcript Welcome, Sara. Sara Jodka: Thank you for having me. IOS: I wanted to get into an article that you had posted on your law firm's blog. It points out an interesting subcategory of GDPR personal data which doesn't get a lot of attention, and that is employee HR records. You know, of course it's going to include ethnic, payroll, 401(k), and other information. So can you tell us, at a high level, how the GDPR treats employee data held by companies? Employee Data Covered By the GDPR SJ: Whenever we look at GDPR, there are 99 articles, and they're very broad. There's not a lot of detail on the GDPR regulations themselves. In fact, we only have one that actually carves employment data out, and that's Article 88 — there's one in and of itself. Whenever we're looking at it, none of the articles say that all of these people have these rights. All these individuals have rights! None of them say, "Well, these don't apply in an employment situation." So we don't have any exclusions! We're led to "Yes, they do apply." And so we've been waiting on, and we have been working with guidances that we're receiving, you know, from the ICO, with respect to … consent obligation, notice obligation, portability requirements, and any employee context. Because it is going to be a different type of relationship than the consumer relationship! IOS: It's kind of interesting that people, I think, or businesses, probably are not aware of this ...
except those who are in the HR business. So I think there's an interesting group of US companies that would find themselves under these GDPR rules that probably would not have initially thought they were in this category because they don't collect consumer data. I'm thinking of law firms, investment banking, engineering, professional companies. US Professional Service Companies Beware! SJ: I think that's a very good point! In fact, that's where a lot of my work is actually coming from. A lot of the GDPR compliance is coming from EU firms that specialize with EU privacy. But a lot of U.S. companies didn't realize that this is going to cover their employment aspects that they had with EU employees that are in the EU! They thought, "Well, because we don't actually have a physical location in the EU, it doesn't actually cover us." That's not actually at all true. The GDPR covers people that are working in the EU, people who reside in the EU, so to the extent that a U.S. company has employees that are working in the EU it is going to cover that type of employee data. And there's no exception in the GDPR around it. So it's going to include those employees. IOS: So I hadn't even thought about that. So their records would be covered under the GDPR? SJ: Yeah, the one thing about the definition of a data subject under the GDPR is it doesn't identify that it has to be an EU resident or it has to be an EU citizen. It's just someone in the EU. When you're there, you have these certain rights that are guaranteed. And that will cover employees that are working for U.S. companies but they're working in the EU. IOS: Right. And I'm thinking perhaps of U.S. citizens who come there for some assignment, and maybe working out of the office, they would be covered under these rules. SJ: And that's definitely a possibility, and that's one thing that we've been looking for.
We've been looking for guidance from the ICO to determine … the scope of what this is going to look like not only in an employment situation, but we're dealing with an immigration situation, somebody on a work visa, and also in the context of schools as we are having, you know, different students coming over to the United States or going abroad. And what protection then the GDPR applies to those kind of in-transition relationships, those employees or students. With a lot of my clients, we are trying to err on the side of caution and so do things ahead of time, rather than beg forgiveness if the authorities come knocking at our door. GDPR's Legitimate Interest Exception is Tricky IOS: I agree that's probably a better policy, and that's something we recommend in dealing with any of these compliance standards. In that article, you mentioned that the processing of HR records has additional protections under the GDPR … An employee has to give explicit or consent freely and not as part of an employer-employee contract. [Figure caption: GDPR's Article 6 says there are only six lawful ways to process data. If you don't obtain freely given consent, then it gets tricky.] Can you explain this? And then, what does an employer have to do to process employee data, especially HR data? SJ: Well, when we're looking at the reasons that we're allowed to process data, we can do it by consent, and we can also do it if we have a lawful basis. A number of the lawful bases are going to apply in the employer context. One of those is if there is going to be an agreement. You know, in order to comply with the terms of a contract, like a collective bargaining agreement or like an employment agreement. So hire/fire payroll data would be covered under that, also if there is … a vital interest of an employee.
There's speculation that that exception might actually be, or that legitimate basis might be used to obtain vital information regarding, like, emergency contact information of employees. And there's also one of the other lawful bases is if the employer has a greater, you know, interest in the data that doesn't outweigh the right of the data subject, the employee. The issue though is most ... when we talk about is consumer data, and we're looking a lot at consent and what actually consent looks like in terms of the express consent, you know, having them, you know, check the box or whatever. In an employee situation, the [UK’s] ICO has come out with guidance with respect to this. And they have expressly said in an employee-employer relationship, there is an inherent imbalance of bargaining power, meaning an employee can never really consent to giving up their information because they have no bargaining power. They either turn it over, or they're not employed. The employer is left to rely only on the other lawful basis to process data, excluding consent, so the contractor allowance and some of the others. But the issue I have with that is, I don't think that that's going to cover all the data that we actually collect on an employee, especially employees who are operating outside the scope of a collective bargaining agreement. In a context of, say, an at-will employee where there is that ... where that contract exception doesn't actually apply. I think there will be a lot of collection of data that doesn't actually fall under that. It may fall into the legitimate interest, if the employer has the forethought to actually do what's required, which is to actually document the process of weighing the employer's interest against the interest of the employee, and making sure that that is a documented process. [Read the UK's ICO guidelines on the process of working out legitimate interest.]
[Figure caption: When employers claim a legitimate interest exception to getting employee consent, they have more work to do. Source: UK ICO] But also what comes with that is the notice requirement, and the notice requirement is something that can be waived. So employers, if they are doing that, are going to have to — and this is basically going to cover every single employer — they're going to have to give their employees notice of the data that they are collecting on them, at a minimum. IOS: At a minimum. I think to summarize what you're saying is it's just so tricky or difficult to get what they call freely given consent, that most employers will rely on legitimate interest. Triggers for Data Protection Impact Assessments (DPIAs) IOS: In the second part of this interview, we joined Sara Jodka as she explains what triggers a data protection impact assessment, or DPIA, when processing employee data. SJ: I think that's required when we're doing requirements for sensitive data, and we're talking about sensitive HR data. A DPIA has to be performed when two of the following exist, and there's like nine things that have to be there in order for a DPIA to have to be done. But you bring up a great point because the information that an employer is going to have is going to necessarily trigger the DPIA. [See these Working Party 29 guidelines for the nine criteria that Sara refers to.] The DPIA isn't triggered by us doing the legitimate basis ... and having to document that process. It's actually triggered because we process sensitive data. You know, their trade union organization, affiliation, their religious data, their ethnicity. We have sensitive information, which is one of the nine things that can trigger, and all you need is two to require a DPIA. Another one that employers always get is they process data of a vulnerable data subject. A vulnerable data subject includes employees. IOS: Okay. Right.
SJ: I can't imagine a situation where an employer wouldn’t have to do a DPIA. The DPIA is different than the legitimate interest outweighing [employee rights] documentation that has to be done. They're two different things. IOS: So, they will have to do the DPIAs? And what would that involve? SJ: Well, it's one thing that's required for high-risk data processing and that, as we just discussed, includes the data that the employer has. Essentially what a DPIA is, it's a process that is designed to describe what processing the employer has, assess the necessity and proportionality to help manage the risk to the rights and the freedoms of the national persons resulting from the processing of personal data by assessing and determining the measures to address the data and the protections around it. It's a living document, so one thing to keep in mind about DPIAs is they're never done. They are going to be your corporation's living document of the high-risk data you have and what's happening with it to help you create tools for accountability and to comply with the GDPR requirements including, you know, notice to data subjects, their rights, and then enforcing those rights. It's basically a tracking document ... of the data, where the data's going, where the data lives, and what happens with the data and then what happens when somebody asks for their data, wants to erase their data, etc. GDPR Surprises for US Companies IOS: Obviously, these are very tricky things and you definitely need an attorney to help you with it. So, can you comment on any other surprises U.S. companies might be facing with GDPR? SJ: I think one of the most interesting points, whenever I was doing my research, to really drill down, from my knowledge level, is you're allowed to process data so long as it's compliant with a law. You know, there's a legal necessity to do it.
And a lot of employers, U.S. employers specifically, look at this and thought, "Great, that legal requirement takes the load off of me because I need, you know, payroll records to comply with the Fair Labor Standards Act and, you know, state wage laws. I need my immigration information to comply with the immigration control format." You know, they were like, "We have all these U.S. laws of why we have to retain information and why we have to collect it." Those laws don't count, and I think that's a big shock when I say, well, those laws don't count. We can't rely on U.S. laws to process EU data! We can only rely on EU laws and that's one thing that's brought up and kind of coincides with Article 88, which I think is an interesting thing. If you look at Article 88 when they're talking about employee data, what Article 88 does is it actually allows member states to provide for more specific rules to ensure that the protections and the freedoms of their data are protected. These member states may be adding on more laws and more rights than the GDPR already complies! Another thing is, not only do we have to comply with an EU law, but we also are going to comply with member states' other specific laws that may be more narrow than the GDPR. Employers can't just look at the GDPR, they're going to also have to look at if they know where a specific person is. Whether it's Germany or Poland. They're going to have to look and see what aspects of the GDPR are there and then what additional, more specific laws that member state may have also put into effect. IOS: Right! SJ: So, I think that there are two big legal issues hanging out there that U.S. multinational companies... IOS: One thing that comes to my mind is that there are fines involved when not complying to this. And that includes, of course, doing these DPIAs. SJ: The fines are significant.
I think that's the easiest way to put it is that the fines are, they're astronomical, I mean, they're not fines that we're used to seeing so there's two levels of fines depending on the violation. And they can be up to a company's 4% of their annual global turnover. Or 20 million Euros. If you'd look at it in U.S. dollar terms, you're looking at, like, $23 million at this point. For some companies that could be, that's a game changer, that's a company shut down. Some companies can withstand that, but some can't. And I think any time you're facing a $23 million penalty, the cost of compliance is probably going to weigh out the potential penalty. Especially because these aren't necessarily one-time penalties and there's nothing that's going to stop the Data Protection Authority from coming back on you and reviewing again and assessing another penalty if you aren't in compliance and you've already been fined once. I think the issue is going to be how far the reach is going to be for U.S. companies. I think for U.S. companies that have, you know, brick and mortar operations in a specific member state, I think enforcement is going to be a lot easier for the DPA. There's going to be a greater disadvantage to, actually, enforcement for, you know, U.S. companies that only operate on U.S. soil. Now, if they have employees that are located in the EU, I think that enforcement is going to be a little bit easier, but if they don't and they're merely just, you know, attracting business via their website or whatever to the EU, I think enforcement is gonna be a little bit more difficult, so it's going to be interesting to see how enforcement actually plays out. IOS: Yeah, I think you're referring to the territorial scope aspects of the GDPR. Which, yeah, I agree that's kind of interesting. SJ: I guess my parting advice is this isn't something that's easy, it's something that you do need to speak to an attorney.
If you think that it may cover you at all, it's at least worth a conversation. And I've had a lot of those conversations that have lasted, you know, a half an hour, and we've been very easily able to determine that GDPR is not going to cover the U.S. entity. And we don't have to worry about it. And some we've been able to identify that the GDPR is going to touch very slightly and we're taking eight steps, you know, with the website and, you know, with, you know, on site hard copy documents to make sure that proper consent and notice is given in those documents. So, sometimes it's not going to be the earth-shattering compliance overhaul of a corporation that you think the GDPR may entail, but it's worth a call with a GDPR attorney to at least find out so that you can at least sleep better at night because this is a significant regulation, it's a significant piece of law, and it is going to touch a lot of U.S. operations. IOS: Right. Well, I want to thank you for talking about this somewhat overlooked area of the GDPR. SJ: Thank you for having me.
Sara Jodka is an attorney for Columbus-based Dickinson Wright. Her practice covers boths data privacy as well as employee law. She's in a perfect position to help US companies in understanding how the EU General Data Protection Regulation (GDPR) handles HR data. In this first part of the interview, we learn from Sara that some US companies will be in for a surprise when they learn that all the GPDR security rules will apply to internal employee records. The GPDR's consent requirements, though, are especially tricky for employees. Transcript Welcome, Sara. Sara Jodka: Thank you for having me. IOS: I wanted to get into an article that you had posted on your law firm's blog. It points out an interesting subcategory of GDPR personal data which doesn't get a lot of attention, and that is employee HR records. You know, of course it's going to include ethnic, payroll, 401(k), and other information. So can you tell us, at a high level, how the GDPR treats employee data held by companies? Employee Data Covered By the GDPR SJ: Whenever we look at GDPR, there are 99 articles, and they're very broad. There's not a lot of detail on the GDPR regulations themselves. In fact, we only have one that actually carves employment data out, and that's Article 88 — there's one in and of itself. Whenever we're looking at it, none of the articles say that all of these people have these rights. All these individuals have rights! None of them say, "Well, these don't apply in an employment situation." So we don't have any exclusions! We're led to "Yes, they do apply." And so we've been waiting on, and we have been working with guidances that we're receiving, you know, from the ICO, with respect to …. consent obligation, notice obligation, portability requirements, and any employee context. Because it is going to be a different type of relationship than the consumer relationship! IOS: It's kind of interesting that people, I think, or businesses, probably are not aware of this ... 
except those who are in the HR business. So I think there's an interesting group of US companies that would find themselves under these GDPR rules that probably would not have initially thought they were in this category because they don't collect consumer data. I'm thinking of law firms, investment banking, engineering, professional companies. US Professional Service Companies Beware! SJ: I think that's a very good point! In fact, that's where a lot of my work is actually coming from. A lot of the GDPR compliance is coming from EU firms that specialize with EU privacy. But a lot of U.S. companies didn't realize that this is going to cover their employment aspects that they had with EU employees that are in the EU! They thought, "Well, because we don't actually have a physical location EU, it doesn't actually cover us." That's not actually at all true. The GDPR covers people that are working in the EU, people who reside in the EU, so to the extent that U.S. company has employees that are working in the EU it is going to cover that type of employee data. And there's no exception in the GDPR around it. So it's going to include those employees. IOS: So I hadn't even thought about that. So their records would be covered under the GDPR? SJ: Yeah, the one thing about the definition of a data subject under the GDPR is it doesn't identify that it has to be an EU resident or it has to be an EU citizen. It's just someone in the EU. When you're there, you have these certain rights that are guaranteed. And that will cover employees that are working for U.S. companies but they're working in the EU. IOS: Right. And I'm thinking perhaps of a U.S. citizens who come there for some assignment, and maybe working out of the office, they would be covered under these rules. SJ: And that's definitely a possibility, and that's one thing that we've been looking for. 
We've been looking for looking for guidance from the ICO to determine … the scope of what this is going to look not only in an employment situation, but we're dealing with an immigration situation, somebody on a work visa, and also in the context of schools as we are having, you know, different students coming over to the United States or going abroad. And what protection then the GDPR applies to those kind of in-transition relationships, those employees or students. With a lot of my clients, we are trying to err on the side of caution and so do things ahead of time, rather than beg forgiveness if the authorities come knocking at our door. GDPR's Legitimate Interest Exception is Tricky IOS: I agree that's probably a better policy, and that's something we recommend in dealing with any of these compliance standards. In that article, you mentioned that the processing of HR records has additional protections under the GDPR … An employee has to give explicit or consent freely and not as part of an employer-employee contract. [caption id="attachment_10803" align="alignnone" width="800"] GDPR's Article 6 says there are only six lawful ways to process data. If you don't obtain freely given consent, then it gets tricky.[/caption] Can you explain this? And then, what does an employer have to do to process employee data especially HR data? SJ: Well, when we're looking at the reasons that we're allowed to process data, we can do it by consent, and we can also do it if we have a lawful basis. A number of the lawful bases are going to apply in the employer context. One of those is if there is going to be an agreement. You know, in order to comply with the terms of a contract, like a collective bargaining agreement or like an employment agreement. So hire/fire payroll data would be covered under that, also if there is … a vital interest of an employee. 
There's speculation that that exception might actually be, or that legitimate basis might be used to obtain vital information regarding, like, emergency contact information of employees. And there's also one of the other lawful bases, which is if the employer has a greater, you know, interest in the data that doesn't outweigh the right of the data subject, the employee. The issue though is most ... when we talk about is consumer data, and we're looking a lot at consent and what actually consent looks like in terms of the express consent, you know, having them, you know, check the box or whatever. In an employee situation, the [UK's] ICO has come out with guidance with respect to this. And they have expressly said in an employee-employer relationship, there is an inherent imbalance of bargaining power, meaning an employee can never really consent to giving up their information because they have no bargaining power. They either turn it over, or they're not employed. The employer is left to rely only on the other lawful bases to process data, excluding consent, so the contractor allowance and some of the others. But the issue I have with that is, I don't think that that's going to cover all the data that we actually collect on an employee, especially employees who are operating outside the scope of a collective bargaining agreement. In a context of, say, an at-will employee where there is that ... where that contract exception doesn't actually apply, I think there will be a lot of collection of data that doesn't actually fall under that. It may fall into the legitimate interest, if the employer has the forethought to actually do what's required, which is to actually document the process of weighing the employer's interest against the interest of the employee, and making sure that that is a documented process.

[Read the UK's ICO guidelines on the process of working out legitimate interest.]
[Image caption: When employers claim a legitimate interest exception to getting employee consent, they have more work to do. Source: UK ICO]

But also what comes with that is the notice requirement, and the notice requirement is something that can be waived. So employers, if they are doing that, are going to have to — and this is basically going to cover every single employer — they're going to have to give their employees notice of the data that they are collecting on them, at a minimum.

IOS: At a minimum. I think to summarize what you're saying is it's just so tricky or difficult to get what they call freely given consent, that most employers will rely on legitimate interest.

Triggers for Data Protection Impact Assessments (DPIAs)

IOS: In the second part of this interview, we joined Sara Jodka as she explains what triggers a data protection impact assessment, or DPIA, when processing employee data.

SJ: I think that's required when we're doing requirements for sensitive data, and we're talking about sensitive HR data. A DPIA has to be performed when two of the following exist, and there's like nine things that have to be there in order for a DPIA to have to be done. But you bring up a great point because the information that an employer is going to have is going to necessarily trigger the DPIA. The DPIA isn't triggered by us doing the legitimate basis ... and having to document that process. It's actually triggered because we process sensitive data. You know, their trade union organization, affiliation, their religious data, their ethnicity. We have sensitive information, which is one of the nine things that can trigger, and all you need is two to require a DPIA. Another one that employers always get is they process data of a vulnerable data subject. A vulnerable data subject includes employees.

[See these Working Party 29 guidelines for the nine criteria that Sara refers to.]

IOS: Okay. Right.
SJ: I can't imagine a situation where an employer wouldn't have to do a DPIA. The DPIA is different than the legitimate interest outweighing [employee rights] documentation that has to be done. They're two different things.

IOS: So, they will have to do the DPIAs? And what would that involve?

SJ: Well, it's one thing that's required for high-risk data processing and that, as we just discussed, includes the data that the employer has. Essentially what a DPIA is, it's a process that is designed to describe what processing the employer has, assess the necessity and proportionality to help manage the risk to the rights and the freedoms of the natural persons resulting from the processing of personal data by assessing and determining the measures to address the data and the protections around it. It's a living document, so one thing to keep in mind about DPIAs is they're never done. They are going to be your corporation's living document of the high-risk data you have and what's happening with it to help you create tools for accountability and to comply with the GDPR requirements including, you know, notice to data subjects, their rights, and then enforcing those rights. It's basically a tracking document ... of the data, where the data's going, where the data lives, and what happens with the data and then what happens when somebody asks for their data, wants to erase their data, etc.

GDPR Surprises for US Companies

IOS: Obviously, these are very tricky things and you definitely need an attorney to help you with it. So, can you comment on any other surprises U.S. companies might be facing with GDPR?

SJ: I think one of the most interesting points, whenever I was doing my research, to really drill down, from my knowledge level, is you're allowed to process data so long as it's compliant with a law. You know, there's a legal necessity to do it.
And a lot of employers, U.S. employers specifically, looked at this and thought, "Great, that legal requirement takes the load off of me because I need, you know, payroll records to comply with the Fair Labor Standards Act and, you know, state wage laws. I need my immigration information to comply with the immigration control format." You know, they were like, "We have all these U.S. laws of why we have to retain information and why we have to collect it." Those laws don't count, and I think that's a big shock when I say, well, those laws don't count. We can't rely on U.S. laws to process EU data! We can only rely on EU laws, and that's one thing that's brought up and kind of coincides with Article 88, which I think is an interesting thing. If you look at Article 88, when they're talking about employee data, what Article 88 does is it actually allows member states to provide for more specific rules to ensure that the protections and the freedoms of their data are protected. These member states may be adding on more laws and more rights than the GDPR already complies! Another thing is, not only do we have to comply with an EU law, but we also are going to comply with member states' other specific laws that may be more narrow than the GDPR. Employers can't just look at the GDPR; they're going to also have to look at, if they know where a specific person is, whether it's Germany or Poland, they're going to have to look and see what aspects of the GDPR are there and then what additional, more specific laws that member state may have also put into effect.

IOS: Right!

SJ: So, I think that there are two big legal issues hanging out there that U.S. multinational companies...

IOS: One thing that comes to my mind is that there are fines involved when not complying with this. And that includes, of course, doing these DPIAs.

SJ: The fines are significant.
I think that's the easiest way to put it, is that the fines are, they're astronomical. I mean, they're not fines that we're used to seeing. So there are two levels of fines depending on the violation. And they can be up to 4% of a company's annual global turnover, or 20 million euros. If you look at it in U.S. dollar terms, you're looking at, like, $23 million at this point. For some companies that could be, that's a game changer, that's a company shut down. Some companies can withstand that, but some can't. And I think any time you're facing a $23 million penalty, the cost of compliance is probably going to weigh out the potential penalty. Especially because these aren't necessarily one-time penalties and there's nothing that's going to stop the Data Protection Authority from coming back on you and reviewing again and assessing another penalty if you aren't in compliance and you've already been fined once. I think the issue is going to be how far the reach is going to be for U.S. companies. I think for U.S. companies that have, you know, brick-and-mortar operations in a specific member state, I think enforcement is going to be a lot easier for the DPA. There's going to be a greater disadvantage to, actually, enforcement for, you know, U.S. companies that only operate on U.S. soil. Now, if they have employees that are located in the EU, I think that enforcement is going to be a little bit easier, but if they don't and they're merely just, you know, attracting business via their website or whatever to the EU, I think enforcement is gonna be a little bit more difficult, so it's going to be interesting to see how enforcement actually plays out.

IOS: Yeah, I think you're referring to the territorial scope aspects of the GDPR. Which, yeah, I agree that's kind of interesting.

SJ: I guess my parting advice is this isn't something that's easy; it's something that you do need to speak to an attorney about.
If you think that it may cover you at all, it's at least worth a conversation. And I've had a lot of those conversations that have lasted, you know, a half an hour, and we've been very easily able to determine that GDPR is not going to cover the U.S. entity. And we don't have to worry about it. And some we've been able to identify that the GDPR is going to touch very slightly and we're taking eight steps, you know, with the website and, you know, with, you know, on-site hard copy documents to make sure that proper consent and notice is given in those documents. So, sometimes it's not going to be the earth-shattering compliance overhaul of a corporation that you think the GDPR may entail, but it's worth a call with a GDPR attorney to at least find out so that you can at least sleep better at night, because this is a significant regulation, it's a significant piece of law, and it is going to touch a lot of U.S. operations.

IOS: Right. Well, I want to thank you for talking about this somewhat under-looked area of the GDPR.

SJ: Thank you for having me.