In the retail sector, customer data quite rightly gets a lot of attention. We talk a lot about audience insights, personalisation, cross-channel, bespoke and experiential retail. All data-driven business strategies bring an element of data-related regulatory risk, and even though some of the concepts are complex and abstract (data ethics, anyone?), we can all generally agree that issues related to customer data and the need to protect it are well publicised.
Thanks to headline-grabbing enforcements (Marriott, BA, Google), the risks relating to consumer data are usually given appropriate airtime at senior management level.
But what about the backbone of a retail organisation, its people? What data risk may exist in your everyday interactions with employees?
The data protection authority in Hamburg (the DPA) last month issued a fine of over €35 million under GDPR to a German subsidiary of H&M for failures relating to the collection and retention of information about employees' private lives.
The issue came to light because of a problem with system access control (mistakenly making information available to a wide audience within the organisation for a few hours), but let's be very clear that this was not a cyber incident or a 'Morrisons' scenario where the retailer suffered due to a rogue actor – this was enforcement resulting in a whopping fine because of unlawful day-to-day business practice.
According to the DPA's press release, since at least 2014, H&M managers at its service centre had been using "Welcome Back Talks" to gather details from staff following any period of leave. This included, for example, collecting, recording and retaining information about symptoms and diagnoses following even short periods of sick leave, or holiday details following annual leave. The managers also gathered extensive details about family issues and religious beliefs.
This information was recorded in "meticulous detail" and some was made available to up to 50 other managers. The information was used to form detailed profiles of employees which in turn formed the basis of performance reviews and decisions about their employment. The DPA concluded that this "led to a particularly intensive encroachment on employees’ civil rights".
What could H&M have done differently?
Data protection law is (thankfully) not prescriptive in respect of what information an organisation can collect about its employees. As an employer, it is up to you to decide what is appropriate, proportionate and justifiable within the framework of the legislation. H&M clearly misjudged this and overstepped the mark – perhaps failing to ask itself the difficult questions, or letting local managers implement data collection practices that were not aligned with group policy.
The following key principles and requirements of GDPR are highly relevant here and should be part of a discussion whenever you look at new or increased data collection, whether 'manual' as in H&M's case, or 'digital' such as tracking of time/location:
- Data minimisation: this is a principle in its own right – don't collect more than you need (even if it's 'nice to have')
- Necessity: most lawful justifications for the processing of HR data rely to some extent on the concept of necessity (e.g. is the use of the data necessary to perform the employment contract?). Take the objective view here – necessity can be a high threshold.
- The reasonable expectations of your staff: what have you told them in your privacy notices? Is the data collection in some way covert or non-obvious?
- Accountability: if you are operating 'edge cases' or if your practices are (relatively) intrusive, can you justify yourself? Is the higher risk collection/use of data subject to the checks and balances of a robust data protection compliance framework?
In an industry as data-heavy as retail, it's easy to get swept up in the exciting and revenue-generating world of consumer data. Let this salutary tale from Hamburg be a lesson in self-reflection for all employers!