The GDPR gives local data protection authorities the power to fine organisations that breach the data protection and processing regulations. This month, H&M Germany was fined over €35m by the Hamburg Data Protection Authority (HmbBfDI) in Germany for a data protection breach that revealed the excessive use of employee data. That adds up to a lot of great value clothing items.
First up, we should note that this incident was in an H&M Service Centre in Nuremberg, and H&M have been quick to say that it is not a company-wide policy. H&M have also stepped in to offer compensation to every employee who worked at the service centre for more than a month since May 2018, bringing the cost of this episode way over €35m.
In October 2019, an error on an internal computer drive made its contents visible to every employee at the Nuremberg Service Centre. This data protection breach showed files and files of personal data for every employee. The data breach was one thing, but the nature of the data itself is also a problem.
The files showed that between 2014 and 2019, managers recorded data about employees and filed it on a drive accessible to other managers at the site. This data was then used to create detailed profiles of the employees and make decisions about their employment.
The personal data in these files was obtained from one-to-one conversations between employees and their managers or team leaders, usually at a return-to-work interview following a long illness or at a weekly meeting, but also from chats at the water cooler. The information recorded included holiday experiences, religious observances, family issues, illness and more.
Perhaps unsurprisingly, the HmbBfDI ruled that this collection of details and record of activities encroached on employees’ civil rights. This put them in contravention of the laws about data privacy and processing.
Article 6 of the GDPR states that any processing of personal data should be lawful and fair. Individuals (in this case the employees) should know what data is collected, used, consulted, or processed and to what extent it will be processed. The specific purposes that this data will be processed for should be made clear at the time of collection.
Recital 39 further states that the personal data collected should also be adequate, relevant and limited to what is necessary for the specific purpose for which it is processed. Personal data should only be processed if there is no other way to fulfil the purpose it is processed for.
Personal data should also be processed in a way that ensures appropriate security and confidentiality, including preventing unauthorised access to the data itself.
Breaching data protection regulations could have major implications for your organisation’s finances. Failure to comply with the GDPR can lead to fines of up to 4% of worldwide annual revenue. Note we say revenue, not profit, so if your profit margins are tight, that chunk of money can leave a serious hole in your finances. Fines may not have reached 4% of revenue yet, but they have been serious amounts of money.
According to the GDPR, employee data protection is just as important for every organisation as user data protection. And just like with user data protection, it is important to have the policies and processes in place to secure employee privacy. On the plus side, it will cost less than a potential fine.
Get your data protection programme in place, and make sure your organisation is GDPR compliant now.