How much personal data should organisations be allowed to collect and store?
At what point does data collection become surveillance? While many popular social media apps have been accused of digital surveillance, companies that collect and store employee data are not immune to the General Data Protection Regulation (GDPR).
Most recently, H&M was fined $41.3 million for illegally collecting mass amounts of personal data about employees – but where exactly did the company go wrong?
Fail #1: Collecting sensitive personal data without a legal basis
According to an investigation conducted by the Hamburg data protection agency (DPA), H&M collected a range of sensitive personal data from hundreds of workers employed at a German customer service center. This included data about their medical history, family, vacations, and religious beliefs, which the clothing company allegedly used to build detailed profiles of employees and inform performance reviews.
In addition to the intrusive nature of these questions, H&M didn't have a legal basis for collecting this data.
Given the risks associated with exposing such sensitive data, the GDPR “strictly prohibits” organisations from processing certain categories of data unless they satisfy one of the additional grounds for processing outlined in Article 9 of the legislation.
Fail #2: Poor data security standards
The entire H&M privacy scandal came about due to a data breach of the company's database in October 2019. At the time of the breach, the database contained at least five years' worth of employee data and could be accessed by 50 other managers throughout the company.
For several hours, this information was made accessible to the entire company's internal network.
Besides breaching the confidence and privacy of employees who reportedly shared personal information in one-on-one conversations with their supervisors, H&M failed to put in place adequate data security measures to ensure only authorized parties could access this information.
What can businesses learn from the H&M scandal?
Perhaps the most important takeaway from this latest privacy scandal is the importance of data minimization.
In Article 5 of the GDPR, the law states that personal data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
That is, your business should only collect as much data about your employees as is necessary and relevant for a given purpose. Asking for and recording excessive amounts of personal data on your employees isn't just intrusive – it may be unnecessary and consequently unlawful for you to do so.
As more of the modern workforce turns to remote working in the ongoing COVID-19 pandemic, many businesses are increasingly monitoring employees via regular health check-ins and online communications.
To avoid falling afoul of the GDPR, however, businesses must take care to limit how much data they collect about employees or, at the very least, put in place adequate data security measures to protect their information.