What Does the GDPR Mean for Employee Surveys?
Three Things to Consider When Surveying European Employees
On May 25, 2018, the European Union’s new data privacy and security regulation, the General Data Protection Regulation (GDPR), went into effect. While news of this policy change dominated tech and business headlines for several months before it took effect, it will take time to fully comprehend its impact on certain industries’ day-to-day operations. With their significant personal data responsibility, professionals in Human Resources cannot wait for the dust to settle before understanding these new rules.
GDPR compliance is not a luxury—it is a must. The new regulations apply equally to any business targeting EU customers, accepting EU currency, or even simply having a website with an EU domain suffix. In fact, Forbes reports that most of the personal data belonging to EU data subjects collected over the Internet is collected by U.S. companies without a physical presence in an EU country.
Even as multinational firms work to comply with GDPR as it relates to commerce and marketing, HR has a responsibility to help the organization understand its effects on internal employee processes. One area of compliance that can easily slip under the radar is the employee survey.
A carefully designed and well-implemented employee survey program is a proven way to help your organization grow and improve through your most important asset: your people. The last thing you want is for your upward momentum to falter on an expensive glitch in GDPR compliance.
As such, HR practitioners surveying employees within the EU should consider these three things at a minimum: Demographics, Consent, and Processors.
Ensure the Demographics Being Collected Have a Legitimate Use
GDPR requires that companies collect only those demographics that have a demonstrably legitimate use in survey reporting. However, assessing legitimacy can be nuanced. The broad definition is anything that can be reasonably justified as helping to identify trends or pressing issues pertinent to company operations or management.
The power of any listening strategy lies in the ability to identify and understand trends. Demographics make this possible, allowing the reviewer to accurately understand the numbers and find groups of people who may share an opinion or perspective. For instance, a relatively small data point may not seem significant until you realize that it represents the entire racial minority of your workforce, or the people who have worked at your company for less than five years. Proper demographics are key to understanding one’s organization, allowing leaders to make better informed decisions on any given issue.
These demographic cuts allow you to look deeply into company issues and see how they affect the whole. While standard cuts (such as gender, tenure, age, and biographical information) will come from the company’s HRIS, it may be desirable to augment these with self-reported data in order to yield further insights. Both attributed and self-reported data will need clear governance regarding what information is shared, stored, and used within the analytics engine to ensure individuals’ confidentiality.
But can you use HRIS data, and how does the GDPR affect your ability to collect additional data? The GDPR applies equally to new data collection and existing stored data, requiring a legitimate business purpose for all.
GDPR makes it vital to conduct the employee survey with a legitimate business intent for each piece of data collected. For this reason, it is important that your team is equipped to ensure all survey data aligns with your survey’s purpose. Furthermore, it is advisable to consult with your company’s legal team prior to new data collection to ensure GDPR compliance and help determine if other national or regional regulations are applicable.
Obtain Affirmative Consent and Ensure Proper Management
The cornerstone of GDPR is putting control of information back into the hands of the individual offering it. One of the ways the GDPR enforces this is by requiring affirmative consent before personal information is collected and stored. Minimally, companies administering an employee survey should notify their EU employees about the data being collected and how it will be used.
Consent is particularly important when it comes to demographic data used to inform survey results. Not only do GDPR standards require that the storage and use of this information be reevaluated for its need-based legitimacy, but the organization may also be required to inform employees specifically about its use. In some cases, this information may be subject to the employee’s request for editing, modification, or even deletion. The guidelines around this caveat are particularly complex—not all data is subject to these requests, but in most cases, GDPR requires demonstrable proof of legitimacy for denying such requests.
Moreover, there will often be a need to collect additional demographics, which are not already stored by the company HRIS, in order to effectively process the survey and analyze the results. Examples here might include sexual orientation or religion—demographics that the company would generally not collect and store in their HRIS system, yet would be crucial in understanding the diverse perspectives within a large and multi-faceted organization. Consent for this kind of information will require an affirmative action (e.g. checking a box to indicate consent) which goes beyond implied consent that may be derived from the participant completing the survey.
The consent issue creates three pressing considerations for survey administrators.
The first issue is knowledge of the region-specific intricacies around consent law in terms of what is required, what is prohibited, and what is admissible with regard to data collection. In all cases, GDPR stipulates that participant consent must be “freely given, specific, informed and unambiguous” (GDPR Article 4(11), definition of consent). For U.S. companies in particular, GDPR may require adjustment to the wording of all EU-directed interactions. Additionally, as the recent passage of new data privacy legislation in California illustrates, managing consent may become more complex at the U.S. state level. Survey administrators must therefore understand the unique regulations that govern those employees being surveyed.
The second issue concerns the need for clear and concise communication around employee consent. Survey participants in the EU must be advised that their data is used only in processing survey results, and whether demographic data collected through the survey is passed back to the company’s HRIS system. Done correctly, this helps to preserve the relationship between the employee and their employer by providing clarification on the purpose, use, and storage of the data before giving consent. Being open about this will not only engender trust, but also encourage a higher rate of consent in the process.
Finally, it is important to obtain counsel to advise on the content of the communication. This includes the purpose of the survey data collection as well as the non-mandatory nature of supplying sensitive information. This will ensure that survey participants are fully informed in a manner that complies with the GDPR.
Ensure Data is Managed by a GDPR-Compliant Processor
Many large multi-national companies choose to use a third-party survey administrator to manage the complexity of their organizational surveys. Doing so can reduce the time required to execute the survey and simplify many things, but it will also require data to be shared between companies. According to the GDPR, employees’ personal data may be transferred to a third-party for processing, but all companies involved will be responsible for the safety and security of this information.
Many third-party survey companies use virtual servers on the basis of it being easier to spin up and more cost-effective than the use of physical servers. However, only 1 percent of cloud-based servers are actually GDPR compliant and these servers are routinely accessed by hundreds of unregulated apps. Moreover, not only is the security of this server environment in the control of yet another third-party, the GDPR recognizes each organization in this chain as a potential liability. Fines for data breaches by third-party processors are levied on the data controller (your organization) as well as the processor. For these reasons, it is advisable to work with a single vendor with private data servers and a physical presence in the EU.
Just as storing the data in the EU is essential for GDPR compliance, handling and processing EU employee data outside of the EU can present a breach of GDPR regulations. While the GDPR does allow data to leave the EU, this provision is generally limited to a single data transfer at a point in time; regular, ongoing two-way data transfers are not permitted. For companies with EU-based employees, it is therefore vital to choose a survey administrator with dedicated workforce and infrastructure housed in the EU to guarantee that the data never leaves the EU during the time it is being processed.
One further point of caution here: ask your survey processor if they rely on third-parties for any of the services they render. This can expose areas of potential data breach for which you, as the controller, will be responsible.
Working with an EU-present company brings other advantages besides security and compliance. For example, a European presence means that EU-based companies enjoy prompt service and timely communication due to the geographical proximity of all concerned parties. With dedicated in-country staff, survey projects will be more easily managed along a consistent timeline, with professionals who are accustomed to the local laws and cultural norms.
Ultimately, the GDPR Should Build Trust
Anonymity and confidentiality are key concepts of employee surveys. Both depend on the extent to which data can be linked back to the individual, and clear standards must be agreed to in order to maintain trust throughout the survey process.
As a rule, a confidential survey is one in which the identity of an employee is known to the survey provider, but is not directly shared with the surveying organization. An anonymous survey is one in which the identity of survey participants is not known to anyone.
Trust in the process is crucial to the ongoing success of any survey program; GDPR regulation legislates those practices which can build trust. This trust is often bounded by the degree of perceived anonymity and confidentiality that survey tools provide. This is accomplished by adhering to high standards to assure actual and perceived confidentiality of individuals’ responses. Such practices include:
- Following guidelines for minimum number of responses required to generate data reports
- Controlling access to demographic details to a limited number of people in an organization
- Providing the organization with aggregate results only rather than individual (case-wise) data
- Developing a well-thought-out communication plan
- Providing automatic authentication (single sign-on) techniques
- Minimizing the number of demographic questions employees answer in non-attributed surveys
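The first and third practices in the list above (a minimum response count before a cut is reported, and aggregate-only results) are the two that protect confidentiality in the reporting layer itself, and they interact: if an overall total is published alongside one suppressed group, the hidden group's figures can be recovered by subtraction. The following is an added example of minimum-n suppression with that secondary check, written for this page and not code from Perceptyx or any survey platform; the response rows are constructed, and the threshold of five responses and the "suppress the smallest remaining group" rule are assumptions standing in for whatever the organization's reporting policy sets.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data (not real survey responses). Each row is one answer
# to a favorability item scored 1-5, plus the demographic cut it belongs to.
RESPONSES = [
    {"dept": "Engineering", "score": 4},
    {"dept": "Engineering", "score": 5},
    {"dept": "Engineering", "score": 3},
    {"dept": "Engineering", "score": 4},
    {"dept": "Engineering", "score": 4},
    {"dept": "Engineering", "score": 5},
    {"dept": "Sales", "score": 2},
    {"dept": "Sales", "score": 3},
    {"dept": "Sales", "score": 3},
    {"dept": "Sales", "score": 4},
    {"dept": "Sales", "score": 5},
    {"dept": "Legal", "score": 1},   # a cut too small to report on its own
    {"dept": "Legal", "score": 2},
]

# Assumed minimum group size; set this from your own reporting policy.
MIN_N = 5


def aggregate(responses, key):
    """Group responses by one demographic cut and compute n and mean score."""
    groups = defaultdict(list)
    for row in responses:
        groups[row[key]].append(row["score"])
    return {g: {"n": len(s), "mean": round(mean(s), 2)} for g, s in groups.items()}


def suppress(cut, min_n=MIN_N):
    """Apply primary and secondary suppression to one demographic cut.

    Primary: any group with fewer than min_n responses is hidden.
    Secondary: the overall total is always published, so if exactly one group
    is hidden its n and mean follow by subtraction from the total. In that case
    the smallest remaining group is hidden as well, so the two hidden groups
    can only be recovered in combination, never individually.
    """
    published = {g: v for g, v in cut.items() if v["n"] >= min_n}
    hidden = [g for g in cut if g not in published]
    if len(hidden) == 1 and published:
        smallest = min(published, key=lambda g: published[g]["n"])
        hidden.append(smallest)
        del published[smallest]
    report = dict(published)
    for g in hidden:
        report[g] = {"n": None, "mean": None, "suppressed": True}
    return report


def build_report(responses, key, min_n=MIN_N):
    """Aggregate-only report: overall figures plus the suppressed cut."""
    overall = {"n": len(responses), "mean": round(mean(r["score"] for r in responses), 2)}
    return {"overall": overall, "by_" + key: suppress(aggregate(responses, key), min_n)}


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(RESPONSES, "dept"), indent=2))
```

The same check has to run on every cell of a crossed cut (department by tenure, for instance), not only on each cut in isolation, because a cell can fall below the threshold even when both of its parent groups are large.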
Smart organizations will use the GDPR as a starting point to build trust that ultimately enables more conversations between the company and its employees.
A Vendor Who Goes the Extra Mile
The prospect of administering a company-wide employee census survey can be daunting, especially for complex and multi-national organizations. As a trusted partner to some of the world’s largest and most complex organizations for over 15 years, Perceptyx is uniquely capable of helping such companies listen to their employees and immediately discover insights that enable their long-term success.
In order to better serve clients with a significant European employee contingent, Perceptyx maintains dedicated staff and data server farms in mainland Europe, allowing us to process EU customers’ data within the EU, in full compliance with the GDPR. By locating our staff and servers in mainland EU, we have also preempted possible complications contingent on the future of the UK’s separation from the European Union. The pending changes resulting from Brexit will have no impact on the long-term GDPR compliance of our European clientele.
Sidebar: Security certifications
Our security certifications include:
- ISO 27001
- SOC 2 Type II
- Privacy Shield
In addition to offering the GDPR-compliant guarantees listed above, Perceptyx brings an array of benchmark advantages to data collection and processing. Furthermore, our rigorous data aggregation practices provide an added measure of protection for individual confidentiality. While the Perceptyx analytics system is able to account for each individual participant in order to guarantee accurate splits, our reporting protocol ensures that data splits never reach a threshold so low that an individual’s identity can be deduced by the end user. This maintains trust between the organization and its employees and protects individuals’ confidentiality.
Perceptyx’s EU-based staff will work with your company to ensure not only compliance with these new data privacy laws, but communication consistent with the GDPR’s ultimate objective of individual privacy protection. Rather than simply providing a detailed checklist of issues that companies must figure out how to conform to, we offer you a dedicated consulting staff who can advise on legal issues, serve as employee liaison, support best practices, and ensure GDPR compliance every step of the way.