Edit ModuleShow Tags

Protecting employee data


When is the last time your company reviewed its data protection policies? 

 If your company employs any international employees, it may have obligations under foreign laws to have specific safeguards in place.  Failure to observe a jurisdiction’s data protection laws can result in staff penalties and unwelcome press coverage. 

Although the European Union is leading the way with a proposed comprehensive new data protection law,  other countries from China to the United Kingdom, South Africa, Qatar, Dubai, and several Latin American countries are developing, or have already enacted, their own data protection laws, with many based on the European model. 

The European Union

On May 31, the European Union released proposed regulations to strengthen data protection in the EU, which propose to strengthen the 1995 Data Protection Directive.  Among other recommendations, the Proposal for Regulation of the European Parliament and the Council on the Protection of Individuals with Regard to Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) provides for the right of individuals to be “forgotten” and not be profiled based on their personal data and also governs the transfer of information regarding EU citizens outside of the EU. 

The pending bill also proposed the creation of a data protection authority to assist with enforcement of the new regulations.  Although the regulations have not yet been enacted, it is expected the final version will be ambitious in scope and among the most comprehensive in the world.  It would be prudent for any multinational employer with European operations, customers or employees to consider the proposed regulations when drafting data protection policies.

South Africa, Qatar and Dubai are considering adopting similar measures, using the EU proposal as a template for their own regulations.


An American multinational company made news earlier this year when its offices in The People’s Republic of China were raided and the company was criminally charged for improperly collecting personal data from individuals and selling or disclosing that data to third parties.

 Although there is no single, unified data protection law in the PRC, there are a number of national and provincial laws covering data protection.  In 2008, the Regulation on Employment Service and Management was implemented nationally, and requires employers to keep personal employee data confidential, and specifically requires employers to obtain written consent before disclosing personal data. 

Also on the national level, the Guidelines for Personal Information Protection Within Information System for Public and Commercial Services came into effect February 1, 2013.  Although not law, the Guidelines are expected to be followed by most businesses, including multinational employers. 

The guidelines set out specific requirements for employers regarding employee data collection, use, transfer, retention, and destruction.  Multinational employers should note that many provinces also have implemented or are considering implementing personal data protection regulations.  For example, early in 2013, Jiangsu Province enacted comprehensive data protection regulations, and penalties for violating the regulations are significant.

Steps for an Employer to Take Now

Employers without a data protection policy in place may want to consider developing a policy to protect employee and customer data.  Employers with operations or employees abroad should be mindful of any data protection laws or regulations that may apply in the countries in which they operate, and should stay informed regarding the changing international data protection landscape. 

To that end, many multinational employers have appointed data protection compliance officers to manage policy compliance.  Policies should be drafted broadly to cover not only current employees and customers, but also applicants and former employees and customers.  The policies should specify the types of personal data that will be held, how it will be stored, how and under what circumstances it will be transferred, shared with third parties, and destroyed or deleted. 

At a minimum, the data protection policies should address security measures that will be taken to safeguard personal information.  Employers may also want to consider designing a grievance procedure for employees who feel that their personal data was mishandled or misused, to enable the employer to deal promptly (and internally) with any concerns. 

Finally, employers should remind all employees that they should not expect privacy in their use of company  IT systems, such as email, internet, mobile devices and the telephones, and that routine monitoring may occur, to the extent permitted by national or local law.

Edit Module
Danielle Urban

Danielle S. Urban is a partner in the Denver office of Fisher Phillips, representing employers nationally in labor, employment, civil rights, employee benefits and immigration matters. Contact her at durban@fisherphillips.com or 303.218.3650.

Get more content like this: Subscribe to the magazine | Sign up for our Free e-newsletter

Edit ModuleShow Tags

Archive »Related Articles

Passion Project, Taco Passport, Supports Local Businesses and Raises Funds

The brainchild of Kevin Johns and Ben Raznick, $15 from each of the $20 booklets will go directly to the Food Bank of the Rockies, Lázaro Project and the Rocky Mountain Immigrant Advocacy Network.

How to Plan an Event Like an Expert

The Event Services team at the Denver Center for the Performing Arts gathered the best advice they've learned from hosting hundreds of events throughout the last 20 years, down to the finest details.

The Best Businesses That Get You From A to B

Best of Colorado transportation services include best auto repair, dealership, private transportation, airline and private jet service.
Edit ModuleShow Tags
Edit ModuleEdit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags
Edit ModuleShow Tags Edit ModuleShow Tags