GDPR is Not Just About Customers, But Employees Too

Today’s the day we’ve all been waiting for….GDPR Day!

After months of preparation from teams across your organization, the EU mandate is in effect. Many companies are sending out updated privacy policies and finishing up last minute process documents to achieve compliance. So, now what? How can you manage these new policies going forward and how does this all relate your SAP applications? One area that may be overlooked is how GDPR affects employee information, not just customer.

In case you’ve been out of the loop, the General Data Protection Regulation (GDPR) is an EU regulation coming into effect in May 25 (today!), 2018 concerning the protection of EU citizens’ personal and sensitive information. GDPR will have an impact, in some way or another, on any company large enough to have chosen SAP, which touches all aspects of the business. Almost every SAP system includes GDPR’s core element: personal data.

GDPR is more descriptive than prescriptive – that is, it talks in general terms about the rights the regulation provides to EU data subjects, but does not provide a lot of details about technically how those rights should be enforced. A key component is that the data subjects give permission for their data to be used. In most articles discussing this topic the data subjects are assumed to be customers of the enterprise. However there are another group of data subjects; employees of an enterprise, that must be considered. An enterprise has a security requirement (and often a compliance/audit requirement) to monitor the actions of their employees in order to detect accidental or deliberate fraudulent or abusive actions by their employees.

How does the explicit right under GDPR that says that a user can request that information about themself be deleted affect the need of an enterprise to monitor user behavior? This doesn’t mean all users must be automatically deleted at the request of an employee (or else I would transfer $1,000,000 dollars via SAP and then ask for all logs relating to me be deleted in order to cover my tracks).

GDPR is about the right of an individual to personal privacy, there is a big difference between monitoring what an employee does on Facebook, LinkedIn, etc. than what an employee does on an SAP system. A fun read is this article of opinions published by the Article 29 Working Party (WP29). WP29 is an official EU institution who promotes the uniform application of privacy laws in the EU, composed of representatives of each national privacy authority and the EU institutions.

When talking about using monitoring solutions like OSP it states:

“Firstly, employers utilising these products and applications must consider the proportionality of the measures they are implementing, and whether any additional actions can be taken to mitigate or reduce the scale and impact of the data processing. As an example of good practice, this consideration could be undertaken via a Data Protection Impact Assessment (DPIA) prior to the introduction of any monitoring technology. Secondly, employers must implement and communicate acceptable use policies alongside privacy policies, outlining the permissible use of the organisation’s network and equipment, and strictly detailing the processing taking place.”

The same opinions state that an employer cannot ask an employee for consent, because it might not be freely given (i.e. “give me consent to monitor you or you’re fired”) – so it details the three legitimate reasons that an employer can have for monitoring or keeping personal data about an employee:

Performance of a contract (Article 7(b))
Employment relationships are often based on a contract of employment between the employer and the employee. When meeting obligations under this contract, such as paying the employee, the employer is required to process some personal data.

Legal obligations (Article 7(c))
It is quite common that employment law imposes legal obligations on the employer, which necessitate the processing of personal data (e.g. for the purpose of tax calculation and salary administration). Clearly, in such cases, such a law constitutes the legal basis for the data processing.

Legitimate interest (Article 7(f))
If an employer wishes to rely upon the legal ground of Art. 7(f) of the DPD, the purpose of the processing must be legitimate and the chosen method or specific technology with which the processing is to be undertaken must be necessary for the legitimate interest of the employer. The processing must also be proportionate to the business needs, i.e. the purpose, it is meant to address. Data processing at work should be carried out in the least intrusive manner possible and be targeted to the specific area of risk. Additionally, if relying on Art. 7(f), the employee retains the right to object to the processing on compelling legitimate grounds under Art. 14.

To perform User Activity monitoring you need to have informed the user that they will be monitored, and you don’t need consent, but can achieve implied consent by the fact that the employee signed an employee handbook and has agreed to work at the enterprise. 

You need to perform a DPIA to ensure that by collecting the information needed for the legitimate business need you are not collecting personal information that is not needed.

All of the above does not mean that monitoring solutions are automatically exempt from GDPR. How products like the Onapsis Security Platform and other logging/monitoring tools in the enterprise are considered from a GDPR point of view depends on more factors than just how the individual product functions.

Good luck to all those undertaking changes to their business to comply with GDPR. We are here to help you achieve your goals, contact us for any questions regarding your SAP compliance needs