An average person spends eight hours each day in their workplace. When you factor in the commute and the time they spend on chores and hobbies, it means that they spend more time with their coworkers than with their friends and family. It also means they spend more time in the workplace than at home.
Still, it’s not their home. Coworkers (no matter how great) are not their acquaintances, and their boss is not their dad. Even if you forget about this, HR will, beyond doubt, remind you whenever you step over the line.
Business entities working in the European Union are responsible for the data of both their customers and employees. This is regulated under the GDPR (General Data Protection Regulation).
While this is a positive change, every change is difficult. To illustrate the point, here are some regular workplace activities that GDPR forever changed.
1. Consult GDPR guidelines before throwing a surprise party
In the past, it was nothing unusual to dig through your employees’ data to find out when it’s their birthday and prepare a surprise party for them. Today, this is not exactly legal.
If you closely follow GDPR guidelines, you’ll learn that you cannot share someone’s birthday without their explicit consent. In other words, you need to consult everyone at the office before sharing this information, especially if you want to create a calendar with everyone’s birthdays. It’s still legal, but you need to get explicit consent first.
It’s also important that you avoid public announcements. You probably never intended to notify the local newspaper, but even making social media posts regarding the party can be problematic. These things are slightly more difficult, but it’s all doable if you read the guidelines closely.
2. Sharing personal photos
The best thing about the internet is that it allows us to share data with people across the globe. A problem lies in the fact that GDPR doesn’t just affect countries within the EU; it also affects parties that deal with companies in the EU.
So, let’s say you have a colleague working remotely from a non-EU country. It’s only legal for you to send them personal data if the EU designates their country as a place with adequate data protection. This is achieved through various certificates and licenses. For instance, the EU-US Privacy Shield will work if they’re from the US.
Once you get home, however, you can safely do it without worrying about GDPR. You see, things that are considered personal or household activities do not fall under the GDPR. The use of work-established communication tools (like collaboration platforms) or company Slack during work hours is something else entirely.
Remember that when sharing things online, you never know who’s watching.
3. Warning catering companies about personal allergies
If you’re ordering food for your team, whether it’s pizza or a catering company, the key thing to remember is that you cannot disclose which of your coworkers have which allergies without their explicit consent.
This creates a bit of an awkward scenario and puts you at an impasse. On the one hand, this is vital information for one’s health and could put people in a life-threatening situation. At the same time, it’s personal data, and, as such, it falls under the GDPR.
Now, if the coworker were to warn you about their allergy and you asked for the ingredients without explaining, you could bypass this absurd rule. However, it’s always easier to ask for consent. No one in their right mind will ever refuse to consent to this.
Once again, we’re not saying you will land in legal trouble even if you avoid this step. We’re just saying that you can and that this is how to do everything by the book.
4. Sending someone else a candidate’s CV
When a potential candidate sends you their CV, you and other people relevant to the hiring process can review it and give your honest opinion. However, if you’re still unsure whether to hire them, you cannot send someone else their CV.
At least, you cannot do this in its current form. If you edit the file to be completely anonymized (you hide their info like name, address, phone number, etc.), this is an entirely different story.
This has another perk. You see, omitting some of this information (especially the name and the address) can prevent this party from determining whether the applicant is male or female. If they have a location or name indicating their ethnicity, concealing it can get you a less biased opinion. In other words, this helps you diversify your workplace quite drastically.
You cannot forward their CV to another employer even with the best intentions. The key is that you must understand that they’ve trusted you with some of the most personal information about them, and GDPR compels you to act toward it with the utmost respect.
5. No politics in the office
Watercooler chatter is one of the most iconic workplace activities. These conversations range from comic book arguments to pol… well, not anymore. Political opinions are sensitive personal data in the eyes of the GDPR.
Coworkers can still discuss politics, but anyone acting officially should not disclose any related data.
Don’t send emails regarding the upcoming elections, and don’t ask people for their political opinions. If they want to express them publicly, that’s their legal right – just don’t ask them, and you should be fine!
In some less developed countries with a lower democracy index, people leverage their corporate power for political purposes. It’s exactly this kind of corruption that GDPR (by classifying political opinions as sensitive personal data) is trying to eradicate.
6. Calling in sick
While this may sound like a rule leading to much abuse, you don’t have to be specific about the medical condition when calling in sick. All that people at the office need to know is that you’re unwell. Saying that you’re too unwell to come to work is all that an employee is legally obliged to share.
Even this only needs to be conveyed to a select few people.
Chances are that you know who you’re legally obliged to notify. When conveying this information, make sure that the channel is secured. Common advice is to send an email (preferably a company-approved one) directly to the affected party. This way, you’ll also have proof that you’ve sent confirmation.
Now, they have to retain this information for some time, but after a while, they will delete it. Remember, sick leave data is usually not retained indefinitely unless a company policy mandates it. GDPR does not regulate the duration of retention of this data.
7. A new sheriff in town
Since data protection is so incredibly important, it was inevitable that there would be someone at the office taking care of the situation. This is the job of a Data Protection Officer (DPO). As an expert, they have many responsibilities:
- Their first job is to monitor compliance. While this happens automatically, for the most part, they can conduct an occasional audit and ensure that all the practices align with GDPR.
- Whenever personal data needs to be accessed so that the information can be corrected or deleted, it’s the job of a DPO to either approve or reject this request.
- The DPO is also in charge of data protection training and awareness. As you can see, GDPR is not only affecting a select few executives. It’s something that every employee should be aware of, especially those who communicate with external entities.
- A business that aims to remain compliant with GDPR needs to connect with various data protection authorities. Well, it’s the job of a DPO to act as a liaison in this scenario.
- In the worst-case data breach scenario, the DPO must be actively involved in the company’s response. As a part of this response team, they should do everything in their power to contain the potential data loss.
As you can already tell, this is an incredibly important function in any GDPR-compliant entity. So, it’s one more specialist that an average office worker will have to get accustomed to.
GDPR is a game-changer in the way we see and treat personal data, and this will reflect in your workplace
A modern workplace is a different place than its previous iterations. Sure, some may say it’s colder or less spontaneous, but there’s no reason for it to be that way.
Sure, you cannot just randomly tell everyone when their coworker is celebrating a birthday. However, whether this was ever OK from a moral and ethical standpoint is questionable.
Vetoing political activity in the workplace is the only way to prevent horrible abuse.
Sure, an employee can abuse the ability to call in sick, but this is a positive change compared to the alternative.
These regulations introduce a more considerate and welcoming workplace for everyone.
Dushyant is an enthusiastic and quick learner in all fields who likes to gain experience, loves to write, and works on his creativity. He loves to explore new things and information and has the potential to spread knowledge across the world. He believes in teamwork and helping others and has a strong belief in learning from our own life experiences and exploring more through our mistakes as everyone has a story to create. His hobbies include sports, drawing, learning new things, and a deep interest in geopolitics.