In September of this year, H&M (H&M Hennes & Mauritz Online Shop A.B. & Co KG) received a fine for GDPR violations by The Data Protection Authority of Hamburg (HmbBfDI). The GDPR violation included the excessive monitoring of employees and storing excessive information about their personal lives that was used unfairly to assess performance.
At an eye-watering €35.2million, it is up there as one of the largest fines for GDPR violations to date.
As a small business, your responsibilities towards the GDPR are equal to that of a retail giant like H&M. It’s important to learn lessons from the failings of others to prevent falling foul of the regulation yourself. This GDPR violation shows us that GDPR responsibilities extend much further than the way you process and store your customer Personal Data. All Personal Data relating to an individual should be treated with the right care and due process, whether it is a customer, a prospective customer, or an employee.
Here’s a breakdown of the issues highlighted by the H&M case.
H&M’s GDPR Violation
The problem at H&M was identified in October 2019, when a configuration error led to documents on a shared drive being accessible to the entire Nuremburg service centre for a small period of time which became accessible to the rest of the company. H&M duly reported the Personal Data Breach to the authorities in Hamburg and have cooperated with their investigations. However, the content of the Personal Data involved revealed a serious violation of the GDPR.
Some of the breached documents, which would usually be accessible by around 50 othermanagers, included written records of ‘welcome back talks’ after an employee had been absent due to holiday or sickness to family or religious beliefs. While this may sound like a minor breach, the implications on a personal level are significant.
Naturally, return-to-work interviews include many private details shared in a one-to-one setting; people’s medical conditions, family problems, religious beliefs, and personal commitments such as caring for a sick child or older relative discussed with a certain level of confidentiality. For some people, knowing that all their other colleagues have access to such information would be incredibly distressing.
The Personal Data Breach was not treated as an isolated incident. The Hamburg Data Protection Authorities also investigated the use of this Personal Data. It was discovered that managers were using private personal information to assess people’s performance and also make decisions about their employment. The combination of collecting information about employees’ personal lives and storing it indefinitely led to ‘a particularly intensive encroachment’ of their civil rights, according to HmbBfDI.
Some of the steps taken by The Hamburg Data Protection Authorities were:-
- “Froze” contents of network drive
- Personal Data on network drive to be handed over
- 60 gigbytes or more was evaluated
- Along with review of documented practices and interviews
Wide-Reaching Financial Implications for GDPR Violation
The impact of H&M’s Personal Data Breach highlighted a serious failing that certainly justifies such a large fine from the authorities. This was also reported in the Q3-2020 company report “admits shortcomings at the service centre” with reassure to corrective measures being taken.
But the financial implications go much further than the fine for the GDPR violation.
As well as supporting the investigation into the Personal Data Breach, H&M have taken (expensive) action to make improvements to the Nuremberg service centre. They have made personnel channels at management level, given staff additional training, invested in additional systems and staff to ensure compliance to the GDPR. In addition, they are paying compensation to every employee affected will receive financial compensation.
Lessons to Learn
The Personal Data Breach shows that employees Personal Data is not to be disregarded by having the appropriate controls are in place then the risks can be reduced to:
- Minimise the compensation paid to those impacted.
- Build trust with the employees.
- Where trust is brand value reinforce it.
- Able to rebuild or keep certain information in confidence.
- Improve technical, security and retention controls.
- Inform what personal data is collect under records of processing.
We recommend undertaking an analysis of the personal data you collect about your employees. There are some details that are considered ‘Sensitive’ Personal Data. This Personal Data must be stored securely and only with your employees’ permission.
Be careful where you store employee Personal Data. Physical documents should be locked away and only accessible who need to see it. The same is true of electronic files. Restrict access to folders containing personal information and make use of passwords to protect individual files.
In the UK prior to the GDPR in relation to processing recording Personal Data this was under The Data Protection Act 1998 Part I also refers processing which includes “…recordings..” and the same appears in Article 4 (2) of the GDPR and appropriate consent or other lawfulness.
Be mindful of how you use any Sensitive Personal Data. For example, if an employee disclosed their religion or a medical condition, is it fair to use that information to decide whether they deserve a promotion? (To prevent any ambiguity here, the answer to that question is ‘no.’)
Overall, we recommend only processing employee Personal Data that you absolutely have to keep. Not only will it help you avoid a fine, but it will also protect the rights of your employees. It is also worth checking when dealing with certain HR related Personal Data of additional requirements of the local country data protection laws in the UK the Data Protection Act 2018.
Get Your Free Consultation