
Tiers for [GDPR] fears

26 November 2020. Published by Jon Bartley, Partner and Harvey Briggs, Trainee Solicitor

Beware collecting employee data amid lockdowns and changing working patterns

With today's announcement of the new lockdown Tiers, it seems that retail workforces will continue to remain in an unprecedented state of flux. Understandably, HR teams within retail businesses may be reaching out to their staff now more than ever - whether their people are working from home, back to the office or in store, on the road, in production/warehouse environments or required to self-isolate or quarantine.

Aside from the pressing need for HR teams to deal with employees in the context of managing Covid-19 cases, there may now be other kinds of unprecedented data gathering exercises taking place, such as checking staff welfare in new ways or monitoring work levels and productivity across the "shifting" workforce. Whilst these may be commendable drivers, businesses should always be mindful of how they are collecting employee data or seeking to monitor their employees in light of data protection principles, rights and obligations under the GDPR. To take a recent example, H&M was fined around £31m after unknowingly breaching the GDPR by conducting "Welcome Back Talks" with its staff…

It is a powerful reminder to be guided by core GDPR principles when collecting personal data, namely: be transparent, avoid excessive personal data collection, don't keep the data longer than is necessary (bearing in mind data subject access requests), and advance a joined-up privacy culture in your organisation. We discuss these aspects in more detail below.

Case study: H&M

The Hamburg State Commissioner for Data Protection and Freedom of Information (HmbBfDI) announced last month that it had fined the German subsidiary of fashion retailer H&M €35.3 million (approximately £31 million) for the unlawful monitoring of employees in its service centre in Nuremberg. The fine, which amounts to the second largest ever under the GDPR, was imposed despite H&M's cooperation and remediation steps and the significant impact on H&M's revenue from COVID-19, which has seen the company announce closure of 250 of its stores globally. 

Having evaluated over 60GB of company data, the HmbBfDI found that H&M's service centre in Nuremberg had held extensive permanent records of personal information on the private lives of employees since at least 2014. The HmbBfDI noted that even after short absences, team leaders conducted "Welcome Back Talks" during which details including holiday experiences and symptoms and diagnoses of diseases were recorded. Furthermore, the HmbBfDI found that supervisors acquired detailed knowledge about the private lives of their employees through informal corridor talks, which often revealed family issues and religious beliefs. It came to light that the recorded personal information was then used to measure employee performance and to create profiles which would then form a framework on which to base general employment decisions.

In response to the fine, H&M expressly apologised to affected employees and proposed a comprehensive programme for data protection at the Nuremberg service centre, including additional training for managers on data protection and employment law, the introduction of new roles with specific proficiencies in assessing, investigating, and increasing privacy processes, improved data-retention and data-deletion processes, as well as implementing IT systems incorporating increased data protection measures. In addition, H&M implemented monthly data protection status updates, increasingly communicated whistleblower protection and a consistent concept for dealing with data subjects’ rights of access.  Finally, H&M announced that employees that are working or have been working at the Nuremberg service centre for at least one month since the GDPR entered into force will receive compensation. According to the HmbBfDI, the fine issued would have been higher had it not been for such "unprecedented acknowledgement of corporate responsibility following a data protection incident".

Key tips

  • Given the size of the fine issued to H&M, it is crucial that there is an appreciation of the GDPR at all levels of a business in order to avoid similar financial and reputational damage. In the context of employee data, those responsible for managing HR play a particularly important role in overseeing processes and spotting and flagging privacy risks. Those responsible for data protection (e.g. DPOs, Heads of Legal) should also consider whether they have sufficiently advanced the culture of privacy awareness across all functions and locations of the organisation, or whether this awareness remains too siloed within specific teams such as Legal and Risk.  Steps to improve an organisation's privacy culture can include the appointment of trained "Privacy Champions" in core functions and in key locations, who are responsible for identifying and escalating potential data protection risks to a central team.

  • Following the re-opening of non-essential retail and the return of employees from furlough and lockdown, organisations must be careful to avoid excessive data collection in conducting "Welcome Back Talks" and similar engagement with employees. HR should approach with caution questions that may lead to responses including special category data such as data concerning health or data revealing religious or philosophical beliefs. Additionally, HR staff and managers should be trained on what data is recorded from employee meetings, including informal discussions, what captured data is used for, how long that data is stored and who has access to it.

  • Managers should be cautious in the way in which they incorporate employee data into their assessment of employee performance and other decisions around employment. With the pandemic-induced shift to working from home, the use of employee monitoring tools should be approached with caution, with transparency being at the heart of all personal data collection processes a business operates.

  • Businesses should take stock and consider their current data protection practices in relation to employee data, implementing more robust data collection and retention processes where necessary. This is particularly critical given that the financial impact of Covid-19 will inevitably result in staff redundancies, particularly in sectors most affected such as retail, as data subject access requests (DSARs) are often submitted by former employees.  Whilst H&M's practices were brought to light by an IT configuration error, the extent of data collection could equally have been identified through a DSAR response.

  • Given the ongoing pandemic, employers will likely be conducting more and more workplace testing and collecting personal data for contact tracing. The ICO has recognised these increasing demands and has issued guidance on how businesses can best deal with these challenges.

  • Finally, alongside employee data, data controllers should be very careful to avoid excessive data collection of retail customers, too. What may be identified by the retailer as a valuable data set could have key compliance implications under GDPR, including satisfying mandatory conditions to ensure the collection and processing of the data is lawful. In building a privacy culture, those running, for example, customer CRM programmes should be looped in with those responsible for data protection (e.g. DPOs, Heads of Legal), so that a joined-up approach to compliance can be taken.