The HR Guide to Employee Data Protection

Employee Data Misconceptions

When an employer hires an employee, the employee retains a number of rights over the use of their personal data. More often than not, employers hold misconceptions about what they can and cannot do with employees’ personal data under the law. Here are the most common misconceptions an employer may have about protecting employee data.

  1. Employers believe they have an unrestricted right to monitor their employees for security and productivity reasons. In fact, most global privacy laws permit employee monitoring only under certain conditions (typically a legitimate purpose, prior notice to employees and proportionate means) and only as long as the monitoring is not unreasonably intrusive.
  2. Employers based in the US believe that laws from other countries do not apply to them. This is incorrect: laws such as the GDPR can apply to a US employer if, for example, it processes data belonging to EU residents. Most global privacy laws have extraterritorial application. It is therefore important for an organization to identify which privacy laws apply to it based on its employees’ residency, citizenship, place of work and any other relevant factors.
  3. Employers believe that the only consequence of a data breach is a fine. Fines are possible, but they depend on the severity of the breach and its impact, and they are not the only consequence. Employers may also be required to provide mitigation services (such as credit or identity monitoring) to the employees affected by the breach, and to overhaul or upgrade their security controls so that the breach cannot recur.

Global Data Privacy Laws on Employees Data Protection

In any organization, the HR department holds large volumes of personal data, and sensitive personal data, about former, current and prospective employees. The laws below are the ones most relevant to that data.

European Union

1. Law regulating applicant and employee personal data?
General Data Protection Regulation (GDPR)

United States of America (California)

1. Law regulating applicant and employee personal data?
California Consumer Privacy Act (CCPA)

  • The California Attorney General can bring a civil action for violations of the CCPA; the court may impose civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation.
  • Employees have a private right of action if their personal information is breached because the employer failed to implement reasonable and appropriate security measures. They can recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater.


Brazil

1. Law regulating applicant and employee personal data?
Lei Geral de Proteção de Dados (LGPD)

  • The processing period has ended;

New Zealand

1. Law regulating applicant and employee personal data?
New Zealand Privacy Act 2020 (“Privacy Act”).

  • Proceedings before the Human Rights Review Tribunal, brought by the Director of Human Rights Proceedings, which can result in an award of damages against the employer.
  • A private right of action for the aggrieved individual, or for a representative acting on behalf of the individual or a class of individuals.


Singapore

1. Law regulating applicant and employee personal data?
Personal Data Protection Act 2012 (PDPA).

HR Employee Obligation Lifecycle

The HR department of any organization needs to be mindful of its obligations throughout the entire employee lifecycle, from the moment of recruitment to the end of the employment relationship and beyond. The obligations below are grouped by the stage at which they arise.

Recruitment

  1. The collection of data during the recruitment process should be limited to what is relevant to the performance of the job being applied for.
  2. Application forms should contain the applicant’s authorization if their personal data will be collected from third parties such as previous employers or referees.
  3. Background checks must not be overly intrusive, and the applicant’s authorization should be obtained before they begin. The results of these checks are highly sensitive and should be protected accordingly, with access restricted to those who need it.
  4. Retention of unsuccessful applicants’ personal data should be limited: retain it to consider them for future openings only if they consent, and otherwise delete it.
  5. Evaluating candidates using publicly available data is permitted under some privacy laws, such as the CCPA, but the requirements differ from one law to another. For example, the GDPR allows employers to use publicly available information for background checks only where a legal ground exists for processing that data. Employers therefore need to consider whether publicly available information, such as an applicant’s social media profile, was published for business or private purposes, as this is an important indicator of whether inspecting it is lawful.

During Employment

  1. The collection, processing and retention of employees’ personal data should be limited to what is necessary, relevant and proportionate to the employer’s functions in the context of the employment relationship.
  2. An employer should generally avoid relying on employees’ consent for data processing at work because of the imbalance of power between employer and employee: consent is unlikely to be freely given when refusal could affect the employment relationship. Exceptions where consent can be relied upon include voluntary employee benefit programs, where refusal has no adverse consequences. Such consent must be freely given, specific and well documented, and the employee must be able to withdraw it.
  3. Employers may monitor employees for productivity, security and enforcement of company policies. However, they must inform employees of the monitoring before undertaking it, limit it to what the stated purpose requires, and apply adequate safeguards to the data the monitoring collects.
  4. Before profiling employees or carrying out any other high-risk processing of their data, employers must conduct a risk-based assessment (a data protection impact assessment under the GDPR) and adopt measures to mitigate the identified privacy risks. High-risk activities include collecting medical data for medical insurance, profiling for performance evaluation, and other employment-related decision-making processes.
  5. Employers must fulfill employees’ data subject requests (DSRs) within the deadlines set by the applicable law. These rights include the right to access their personal data, to have it deleted, and to opt out of certain forms of processing. Generally, data whose disclosure or amendment would prejudice the management and operation of the employer, or that contains third-party information, is exempt from such requests.
  6. Employers must implement appropriate and reasonable security measures to protect employees’ data. If employees’ data is accessed, acquired or otherwise compromised in a security incident, employers must notify the impacted employees and/or the regulatory authorities within the time frames stipulated by the applicable privacy law.
  7. Employers must assess the privacy practices of the external third parties and vendors they engage to process employees’ data for any purpose, e.g. HR services, security contracts or medical insurance services. It is best practice to put contractual agreements in place that contain safeguards for the protection of the transferred data.
  8. Employers must regularly update their HR records so that they reflect accurate and necessary personal information about their employees. Inaccurate, obsolete or unneeded information should be corrected or removed.

Termination of Employment

  1. Employers must obtain consent from departing employees if they wish to retain their data to consider them for future roles.
  2. Former employees retain the right to access the personal data the employer holds about them. However, employers are not obliged to keep the personal data of former employees updated and corrected.

How Securiti Can Help

Data is growing at an exponential rate, and employers are collecting more and more of their employees’ personal data. To stay compliant with privacy laws, organizations need a streamlined and automated process for managing employee data.

  • Securiti’s Data Mapping Solution helps employers map their employee data so that they can identify the correct legal basis for each processing activity and ensure lawful processing.
  • Securiti helps employers create privacy notices and incorporates sensitive data intelligence to achieve privacy compliance across all data processing activities and projects.
  • Securiti’s Data Privacy Impact Assessment solution uses AI-driven Assessment Automation to trigger and conduct risk-based assessments.
  • Securiti’s Data Breach Management Solution swiftly identifies the compromised data and the impacted data subjects in a security incident. It uses built-in privacy research to help organizations deliver breach notifications within hours of an incident.
  • Securiti’s Vendor Management Solution allows employers to assess their vendors against a predefined risk score and offers a centralized process for assessing how well third-party vendors comply with applicable privacy regulations.
  • Securiti’s DSR Automation Solution helps employers honor their employees’ data subject rights and simplifies the process of exercising them. It turns manual work into an automated workflow that helps enterprises process data subject requests efficiently and coordinates reviews and approvals between stakeholders.


Manual methods are becoming obsolete. If employers hope to keep up with the increasing demands of global privacy regulations, they need to operationalize their processes and move towards automation.
