On May 25, 2018, the European General Data Protection Regulation (GDPR) comes into effect. According to International Data Corporation, this new legislation represents the biggest change to data protection law in three decades, requiring organizations to comply with both large-scale GDPR standards and country-specific employment regulations. C-Level Executives need to ensure their organizations are prepared for a smooth transition or face severe fines (of up to €20 million or 4% of global annual turnover, i.e. revenue, for the preceding financial year, whichever is greater) for failing to keep personal data secure.
The law replaces the existing Data Protection Directive. GDPR is an effort to unify data protection across all EU member states, which is why it was designed as a regulation rather than a directive. This law will be immediately applicable across all 28 member states without the need for concurrent national legislation. Note that the GDPR will also apply in the UK, since the nation will still be part of the EU when the new regulation takes effect.
For senior leaders, who handle high volumes of personal data, paying attention to the changes brought by GDPR is of critical importance. Under the new rules, personal data includes any information that does or could identify — directly or indirectly — an individual. This includes familiar information such as name and birth date but also extends to IP address and biometric information.
As noted by Personnel Today, GDPR casts a broad net when it comes to coverage — it applies to any business that operates in the EU or that processes an individual's personal data collected within the EU. Given the global reach of even small and midsized businesses now powered by cloud computing and mobile devices, this new law will apply broadly, since most organizations do business with European partners or customers.
Specifically, the GDPR sets out comprehensive new rules for privacy notices, consent and data breach notifications, among other things. Under current rules, employers must provide staff and applicants with privacy notices. Under GDPR, these notices must specify how long data will be stored and whether it will be transferred out of the EU, and must also make it clear that individuals can make both access and deletion requests under certain circumstances.
Data Controllers will be required to notify the relevant data protection authorities within 72 hours after they have been made aware of a data breach that could potentially cause risk to the rights and freedoms of individuals.
If any organization doesn't comply with GDPR standards, the potential consequence could be a monetary fine of up to 4% of total revenue of a group of companies, which will be set by regulatory bodies. Factors such as the nature of noncompliance, the duration and the level of damage suffered by individuals will affect the outcome. Regulatory authorities can also impose sanctions such as compliance orders or a full stoppage of personnel data processing. What's more, firms may also face private claims for compensation from affected individuals.
The new EU legislation is clear. Data privacy is of paramount concern and businesses that want to operate in any member states must be prepared to comply.
Here are steps to jump-start the process:
- Audit HR processing — How are you handling personal data? Do you hold a registry of applications, processes, and categories of data being processed by your organization?
- Prep for Individual Rights Requests — The GDPR requires individual requests for information/deletion to be addressed within a maximum of one month. Assess your current processes.
- Implement an HCM solution — You may not have the technical expertise or available IT staff to make necessary changes in the next year. Cloud-based HCM tools can help you meet compliance standards without ignoring current HR needs.
- Update privacy notices — Make sure your privacy notices address all GDPR obligations.
- Evaluate your risk — As noted by Information Age, it's a good idea to assess your risk of data breach and implement necessary safeguards. While the new rules don't demand specific tech solutions to defend personal data, state-of-the-art methods and software are the expectation.
GDPR represents a significant shift in the way personal data is handled, processed and secured. Make sure your organization is ready to meet the challenge.
We invite you to join ADP's data privacy experts for a special webinar to learn more about the impending GDPR legislation and make sure your organization is ready to face the turbulence ahead: www.adp.com/GDPRwebcast
For more information on GDPR, please see our articles in Charter Magazine.