Imagine that you are fired or quit. Left behind is your employment record.
Who owns it? You, or your employer?
For that matter, who owns all your data?
The reality is that you do not own your data today. It is probably controlled by Google, Yahoo, Facebook, Amazon and others.
After all, if you buy a shirt, a toaster, or anything else, the next thing you know you are seeing an ad for that very shirt or toaster while reading an online publication.
The only way to end the onslaught is to take action and opt out. And opt out of everything.
But when it comes to your employer, you are an “at will” employee. And, chances are, your employer had you sign an employment agreement. By signing it, your employment record belongs to the employer, not you. Your emails at work are theirs, not yours.
Likewise, when you leave a place of employment, the data about the company and the industry, and your communications, also belong to the employer. This makes sense, as that data is clearly the employer's. But is your performance record the employer's, or yours?
The point is that employment, for most, is a one-way street. The employee signs his or her rights away in exchange for compensation.
But this is about to change – in the European Union at least.
A new law, the General Data Protection Regulation (GDPR), goes into effect in 2018. In short, the law states that “the protection of natural persons in relation to the processing of personal data is a fundamental right.” And this law applies to all EU citizens even when they are outside the confines of the EU.
This means that online merchants cannot simply use personal data to make sales suggestions unless the person gives consent. So, if you buy a skirt, the merchant cannot take your data and suggest a matching blouse, or hand your data to an online publication where a related ad pops up, unless you give consent.
Now, many readers outside the EU may ask, “What does this have to do with me?” The answer is probably a lot.
Online companies and others are going to need to comply worldwide. If an EU citizen is conducting business or on vacation outside the EU, in the US for example, the rules will still be enforced.
So, let’s get back to employment, the reason many of us are on LinkedIn.
GDPR will be in full force and will probably supersede signed employment agreements. In most employment agreements, the employee was ‘coerced’ into signing. So an employer cannot simply use your data on the strength of that agreement: your signing of an employment agreement is not consent.
If an ex-employer were to send any of your employment information anywhere without your agreement, it would be a breach of GDPR.
This extends to recruiters, or head hunters as well. They will not be legally allowed to send your resume and background to companies without your consent.
The fines are severe for companies that misuse any of your personally identifiable information.
“Breaches of some provisions by businesses, which law makers have deemed to be most important for data protection, could lead to fines of up to €20 million (Euros) or 4% of global annual turnover (sales) for the preceding financial year, whichever is the greater,” according to Out-Law.com. (For reference, as of this writing one Euro = $1.07.)
Breaches can come in various forms. A breach can be a hack from outside the company, or it can be perpetrated by company insiders. Think about the data an employer holds about an employee. Then think about the human resources and benefits departments and the access they have to your personal data.
An example of an inside job came earlier this year. Sage, a global provider of accounting and business software for companies, admitted to a data breach. Between 200 and 300 Sage clients in the U.K. may have been affected. Sage said the breach was caused by someone accessing internal systems with employee credentials, not by an external cyber attacker.
In learning about GDPR, I spoke to Peter Lancos, CEO of Exate Technologies. He explained the possible fine that Sage would have faced after GDPR goes into effect (exact date: 25 May 2018).
According to Lancos, “The Regulation states that firms can be fined the greater of EUR 20 million or 4% of Global Turnover, whichever is greater. Turnover is roughly equal to revenue. In the case of Sage, their revenue for 2015 was £1,436 million — 4% of that is £57 million. Converted to US Dollars, at the current exchange rate of $1.25, the total fine would equate to $72 million.”
Lancos also explained that, in addition to the 4% of global turnover, a company can be exposed to two other problems: 1) a class action lawsuit whereby anyone who had their data stolen can sue for “distress,” and 2) the regulator can force a company to stop processing data until it has the appropriate controls in place. This effectively puts a company out of business.
A key point is that the law is indifferent to whether the data breach occurred because of an internal employee or an outside hacker – the company is still liable.
So, back to your employment record. It is your data, not the employer's. An employer that provides access to your data will be liable under GDPR.
Further, any online company holding your data cannot use it without your consent. It marks a complete shift in the control of data from the company to the individual.
For companies, according to Lancos, “The balancing act is to protect data while allowing people to do their jobs. Without stringent controls, an employee, or anyone, has the potential to take a company down under GDPR.”
For you as an employee and an individual, it is “data power to the people.” Bottom line: you own your data.