The General Data Protection Regulation (GDPR) is not just for large companies: as soon as an organisation processes people's data — customers, suppliers and above all employees — it has obligations. Here are the basic good practices to apply at the office.
Three core principles
According to the Belgian Data Protection Authority, any processing of staff data must respect:
- purpose: data is collected for specified, explicit and legitimate purposes;
- proportionality: only the data strictly necessary for that purpose is processed;
- transparency: employees are told that their data is being processed and why, from the moment it is collected.
In practice, monitoring the network may aim to prevent abuse or protect confidential company data; geolocation may serve safety or logistics; a camera may protect company property. In every case, the purpose must be defined and communicated. The employer is in principle entitled to process employee data in order to exercise its labour-law rights and obligations, but it may not misuse that authority to the detriment of the employee's privacy.
Inform and document
As the data controller, the employer must communicate certain information, in principle when the contract is signed: the retention period (social documents are, as a rule, kept for five years after the contract ends), the right to withdraw consent, and the right to lodge a complaint with the authority. The employer must also keep a record of processing activities, which replaces the old obligation to declare. This applies to companies with more than 250 employees, but also to smaller ones whenever processing is not occasional: because HR management is ongoing, the authority recommends that every company keep such a record.
Sensitive data and monitoring
Processing sensitive data (health, for example) is in principle prohibited, except where the law provides an exception or with explicit consent. Any monitoring (cameras, email checks, geolocation) must remain proportionate and transparent: employees must be informed in advance.
Security underpins GDPR
Protecting data also means securing it. ENISA notes that SMEs are frequently hit by ransomware, stolen laptops and phishing. Basic habits — restricted access, strong passwords and two-factor authentication, backups and updates — are therefore inseparable from GDPR compliance.