top of page

Understanding the Broad Reaches of GDPR as it applies to Employees and the Workplace

As Data Privacy Regulations such as GDPR expand globally, it will have wide reaching impacts on unintended business systems and functions—even employee recognition programs

The Gong Show was decades ahead of its time. Not only because the mid-‘70s American amateur talent contest was arguably the foundation for more recent megahits and TV phenomena including American Idol and America’s Got Talent, but also because it protected the privacy rights of its employees—namely The Unknown Comic. GDPR states that businesses must secure ‘personal’ employee data including names, photos, email addresses, phone numbers, addresses, and personal identification numbers, as well as IP addresses, biometric data, mobile device identifiers, and other types of data that could potentially be used to identify an individual.

While The Gong Show predated such requirements, they still managed to comply with today’s comprehensive privacy regulations by simply placing a paper bag over the head of their cult-like star, who was later identified as Murray Langston, a Canadian born actor and stand-up comic. And today, some 30+ years later, the idea of nameless, faceless employees in the workplace is less ridiculous than the visual of paper bagged workers with the eye holes cut out, and certainly not for the same comic relief—but it’s just as real. And unfortunately, much more difficult to implement.

GDPR became enforceable on May 25th 2018 and is primarily designed to give complete control to individuals over their data regardless of where it is stored, or how it is processed. This applies to the consumers, clients and employees. It also applies to the safeguards used to secure data, how it is processed, who has access, and when and how data breaches are reported.

For the purpose of this blog, we will focus on GDPR as it applies to the employee relationship and more specifically, the likely evolution of employee rewards and recognition programs. While largely an unintended consequence of GDPR, Employee Reward and Recognition programs need to be considered by business owners both in and outside of Europe. Their primary function is to celebrate and reward achievements, milestones and anniversaries, and to hold the recipients up high within the organization to drive positive reinforcement and improve company culture and productivity. Social recognition is a key component of many programs, and also a facet now directly in the line of fire for GDPR.

Recognition programs are largely software driven platforms. They house data, interact with other HR systems to process data, and promote the accomplishments of individuals and groups of individuals. All of these functions are now under the purvey of GDPR, and require a recognition software platform in compliance with and customizable enough to meet the unique demands of GDPR.

Let’s first review the actual language of GDPR:

Controllers of personal data must put in place appropriate technical and organizational measures to implement the data protection principles. Business processes that handle personal data must be designed and built with consideration of the principles and provide safeguards to protect data (for example, using pseudonymization or full anonymization where appropriate), and use the highest-possible privacy settings by default, so that the datasets are not publicly available without explicit, informed consent, and cannot be used to identify a subject without additional information (which must be stored separately). No personal data may be processed unless this processing is done under a lawful basis specified by the regulation, or unless the data controller or processor has received an unambiguous and individualized affirmation of consent from the data subject. The data subject has the right to revoke this consent at any time.

And the broad requirements of GDPR include:

  • Companies must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and if it is being shared with any third parties.

  • Data subjects have the right to request a copy of the data collected by a processor in a common format, and the right to have their data edited and erased.

  • Businesses whose core activities consist of regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with GDPR.

  • Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.

It is crucial that HR departments understand GDPR and know how it applies to their functions, including rewards and recognition programs. Implementing such programs, managing and maintaining them, will require extra steps including gaining authorization to process an employee’s personal data. And while previously this sort of request could be made as part of the employment contract, the consent process under GDPR means this permission must now be separately requested. Consent must also be given freely, and GDPR notes that if the fulfillment of a contract is conditional on consent, it may be determined that the consent is not valid.

What does this mean for Employee Recognition Programs? 7 things to consider…

  1. Employees must opt into your Recognition Program, and you may want to ask them to re-opt in annually. This opt-in will need to be a stand-alone document, written in clear and concise language, and state the type of data being processed, how it is being processed, who will have access to it, and when it will be removed.

  2. Your recognition software system must allow for data to be forgotten. Individuals have the right to have their personal data erased.

  3. Any social recognition components need to be configurable by region and country as well as by department and even down to the individual level. Social recognition may not be permissible according to GDPR as, by its very nature, it shares identifiable employee data. For example, without specific consent, GDPR would not permit an internal communication celebrating an employee’s birthday, or work anniversary.

  4. Data security must be of the highest priority

  5. Any internal groups, clubs or member collectives will need to be carefully considered as they may disclose sensitive data as defined by GDPR. Defined: data consisting of gender, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a person's sexual orientation.

  6. Work anniversaries, other milestones and birthday recognitions may be in violation of GDPR without specific opt-in by the employee. Defining who has access to this data will need to be part of the employee consent document.

  7. Determining who has access to any individual’s data, and which systems your recognition software integrates with will also be important and need to be carefully considered and documented. Only employees and systems that need this information to perform vital tasks within the business will be permissible.

In short, not only do you need to partner with a recognition solution that is GDPR compliant, but you will also want a provider who is an expert in data privacy and GDPR. Further, the more customizable the system, to meet your needs globally and your employees’ needs individually, the more likely you are positioning yourself for short-term success as well as long term compliance.

It is important to remember that GDPR doesn’t only apply to companies officed in the European Union (“EU”). If you have customers, clients or employees in Europe, you are also subject to GDPR. Essentially, if you are operating outside the United States, you are likely required to comply with the regulation. Further, the introduction of US based California Consumer Privacy Act (“CCPA”) and the additional expansion of global privacy regulations means—soon—nobody will be immune from similar requirements. And if you get caught violating GDPR, you’ll get more than gonged. Penalties can be €20 million or up to 4% of the annual global revenue. Think about that the next time you are at a Kiss reunion concert and wondering why they put the make-up back on! Privacy is the new fashion and anonymity is a ‘rock star’.

For more information on GDPR, please email


bottom of page