This article was updated on July 23, 2018.
On May 25, 2018, the European General Data Protection Regulation (GDPR) came into effect. According to International Data Corporation, this legislation represented the biggest change to data protection law in three decades, requiring organizations to comply with both large-scale global data protection standards and country-specific employment regulations. C-suite executives need to ensure their organizations are prepared for a smooth transition or face severe fines (of up to €20 million or 4 percent of global annual turnover, i.e. revenue, for the preceding financial year, whichever is greater) for failing to keep personal data secure.
The law replaced the earlier Data Protection Directive. GDPR is an effort to unify data protection across all EU member states, which is why it is designed as a regulation rather than a directive: it applies directly across all 28 member states without the need for concurrent national legislation.
For senior leaders who handle high volumes of personal data, paying attention to the changes brought by GDPR is of critical importance. Under the rules, personal data includes any information that does or could identify — directly or indirectly — an individual. This includes familiar information such as name and birth date but also extends to IP address and biometric information.
As noted by Personnel Today, GDPR casts a broad net when it comes to coverage — any business that operates in the EU or is processing an individual's personal data collected within the EU. Given the global reach of even small and midsized businesses now powered by cloud computing and mobile devices, this law applies broadly since most organizations do business with European partners or customers.
Specifically, the GDPR sets out comprehensive rules for privacy notices, consent and data breach notifications, among other things. Under GDPR and global data protection regulations, privacy notices must specify how long data will be stored and whether it will be transferred out of the EU, and must make clear that individuals can make both access and deletion requests under certain circumstances.
Data controllers will be required to notify the relevant data protection authorities within 72 hours after they have been made aware of a data breach that could potentially cause risk to the rights and freedoms of individuals.
If an organization doesn't comply with GDPR standards, the potential consequence could be a monetary fine of up to 4 percent of the total revenue of a group of organizations, as set by regulatory bodies. Factors such as the nature of the noncompliance, its duration and the level of damage suffered by individuals will affect the outcome. Regulatory authorities can also impose sanctions such as compliance orders or a full stoppage of personal data processing. What's more, organizations may also face private claims for compensation from affected individuals.
The EU legislation is clear: data privacy is of paramount concern, and businesses that want to operate in any member state must comply.
Here are steps to jump-start the process:
- Audit HR processing — How are you handling personal data? Do you hold a registry of applications, processes and categories of data being processed by your organization?
- Prep for Individual Rights Requests — The GDPR requires individual requests for access to or deletion of their data to be addressed within a maximum of one month. Assess your current processes.
- Implement an HCM solution — You may not have the technical expertise or available IT staff to make necessary changes. Cloud-based HCM tools can help you meet compliance standards without ignoring current HR needs.
- Update privacy notices — Make sure your privacy notices address all GDPR obligations.
- Evaluate your risk — As noted by Information Age, it's a good idea to assess your risk of a data breach and implement the necessary safeguards. While the rules don't demand specific technical solutions to defend personal data, state-of-the-art methods and software are the expectation.
GDPR represents a significant shift in the way personal data is handled, processed and secured. For more information on global data protection regulations, please see our articles in Charter Magazine.