In the retail sector, customer data quite rightly gets a lot of attention. We talk a lot about audience insights, personalisation, cross-channel, bespoke and experiential retail. All data-driven business strategies bring an element of data-related regulatory risk, and even though some of the concepts are complex and abstract (data ethics, anyone?), we can all generally agree that issues related to customer data and the need to protect it are well publicised.
Thanks to headline-grabbing enforcements (Marriott, BA, Google), the risks relating to consumer data are usually given appropriate airtime at senior management level.
But what about the backbone of a retail organisation, its people? What data risk may exist in your everyday interactions with employees?
The data protection authority in Hamburg (the DPA) last month issued a fine of over €35 million under GDPR to a German subsidiary of H&M for failures relating to the collection and retention of information about employees' private lives.
The issue came to light because of a problem with system access control (mistakenly making information available to a wide audience within the organisation for a few hours), but let's be very clear that this was not a cyber incident or a 'Morrisons' scenario where the retailer suffered due to a rogue actor – this was enforcement resulting in a whopping fine because of unlawful day-to-day business practice.
According to the DPA's press release, since at least 2014, H&M managers at its service centre had been using "Welcome Back Talks" to gather details from staff following any period of leave. This included for example collecting, recording and retaining information about symptoms and diagnoses following even short periods of sick leave, or holiday details following annual leave. The managers also gathered extensive details about family issues and religious beliefs.
This information was recorded in "meticulous detail" and some was made available to up to 50 other managers. The information was used to form detailed profiles of employees which in turn formed the basis of performance reviews and decisions about their employment. The DPA concluded that this "led to a particularly intensive encroachment on employees’ civil rights".
Data protection law is (thankfully) not prescriptive in respect of what information an organisation can collect about its employees. As employers, it is up to you to decide what is appropriate, proportionate and justifiable within the framework of the legislation. H&M clearly misjudged it and overstepped the mark – perhaps failing to ask themselves the difficult questions, or letting local managers implement data collection practices that were not aligned with group policy.
The following key principles and requirements of GDPR are highly relevant here and should be part of a discussion whenever you look at new or increased data collection, whether 'manual' as in H&M's case, or 'digital' such as tracking of time/location:
In an industry as data-heavy as retail, it's easy to get swept up in the exciting and revenue-generating world of consumer data. Let this salutary tale from Hamburg be a lesson in self-reflection for all employers!