On 25 May 2018, the transition period for the new European privacy legislation (GDPR) ends and enforcement begins. The new regulation, designed to protect the personal information of EU citizens, poses challenges for organisations around the world. With just under a year to go before the deadline, many employers, including their Human Resource departments, are not fully prepared for the changes or for how to deal with them.
Given the large number of employee-related files, documents and personal information that HR departments work with, the impact of the GDPR should not be underestimated. It is crucial that HR teams quickly bring themselves up to date on all GDPR obligations so that high fines can be avoided.
Below are eight questions about the GDPR that HR teams should ask themselves.
What is the GDPR?
The GDPR essentially replaces the EU's data protection directive, which was adopted in 1995. Unlike its predecessor, the GDPR is a regulation, meaning it is directly applicable and enforceable in all member states from 25 May 2018. In the Netherlands, the regulation is known as the Algemene Verordening Gegevensbescherming, AVG for short.
The new regulation aims to provide EU citizens with a number of benefits. These include easier access to the personal information that a company holds and collects about them, together with details of how the company uses their data and for what purpose. It also gives citizens the right to data portability and the right to have their data deleted. In addition, the GDPR gives all EU citizens the right to know when their data has been compromised (through a hack or a leak), by means of a provision that requires companies to notify the authorities of personal data breaches within 72 hours.
One major impact that HR is likely to feel very directly is the new consent and access rights included in the GDPR. Organisations must not only be able to prove that they have obtained consent to store and use an individual's data, but must also be able to provide, on request, electronic copies of private records to individuals who ask for these details or who ask where their data is stored and for what purpose.
What data is GDPR about?
Under the GDPR, all data that can be used to identify an individual is covered, including but not limited to genetic, mental, cultural, economic or social information. This now all falls under the umbrella of personally identifiable information (PII). Even cookies and IP addresses are part of the expanded scope of what needs to be protected.
Who does GDPR affect?
The GDPR legislation is complex and far-reaching. Unlike the old data protection directive, the GDPR applies not only to all companies operating in the current 28 EU member states, but also to all companies that process personal data of or information about EU citizens. Even if a company has only one employee or job applicant in the EU and only processes (collects, uses, transmits or electronically stores) the personal data of that one citizen, the GDPR guidelines will apply.
Why is GDPR important for Human Resources?
Non-compliance with the GDPR can lead to very serious financial consequences. Regulators (for example, the Dutch Personal Data Authority) have the power to impose fines of up to €20 million or four per cent of a company's total turnover, whichever is greater. That alone should be enough to prompt an action plan.
But the reality is that GDPR compliance also means that HR departments must be able to reliably track and aggregate the vast amount and variety of employee information they manage, much of which is highly confidential. This could be a huge task for many HR departments, especially when personal data is scattered across different systems, network folders, emails and devices. HR teams should be prepared to provide electronic copies of private files on request to individuals who ask for further information about their data. This makes finding the right tools to implement the GDPR guidelines a strategic necessity.
Are there any benefits of the GDPR?
The GDPR also offers benefits to companies that comply with it. Primarily, the law promises to simplify the rules that companies must comply with. Instead of different data protection rules in each country, the GDPR will be a single law applicable to businesses across the EU. The European Commission estimates that it will save companies around €2.3 billion a year by eliminating "current fragmentation and costly administrative burdens".
How can employers prepare?
While the GDPR states in unambiguous terms what kind of protection companies must provide for private data, the law does not specify which technologies or specific processes companies must use to provide that protection. The summary of articles on the GDPR website provides only general guidelines, leaving individual companies to draw up their own GDPR compliance plans. In other words, how an organisation goes about complying with the law, and what technology it uses to do so, is left entirely to the organisation.
Is there a practical starting point?
Experts agree that effective use of technology is critical if organisations are to properly handle all the sensitive EU citizen data they hold. One category of solution that many organisations are already using in anticipation of the GDPR mandate is an enterprise information management (EIM) system, which can not only automatically identify, classify and manage personal data, but also apply strict controls and security measures to ensure that information does not fall into the wrong hands. For example, HR staff can have certain information, such as personnel data or application forms, automatically deleted or encrypted after a set period of time to reduce the risk of a potential breach. M-Files for Human Resource provides organisations with just the right tool to handle personal information in line with the GDPR.
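As an added illustration of the time-based deletion or encryption described above, here is a small retention-policy sweep for HR records. This is example code written for this page, not M-Files code or any product's implementation; the record categories, the 28-day and two-year retention periods and the sample records are constructed assumptions chosen to show the mechanics, not values taken from the GDPR or from the article.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# --- Constructed data model (assumption: two HR record categories) ---------

@dataclass(frozen=True)
class HrRecord:
    record_id: str
    category: str                       # "application" or "personnel_file"
    subject: str                        # data subject (employee / applicant)
    created: date
    employment_end: Optional[date] = None  # None while still employed
    encrypted: bool = False             # encrypted at rest?


# Retention rules, keyed by category. The periods are assumptions for the
# example: unsuccessful applications are deleted 28 days after creation;
# personnel files are kept encrypted at rest while the person is employed
# and deleted two years after employment ends.
RULES = {
    "application":    {"anchor": "created",        "delete_after_days": 28,
                       "encrypt_at_rest": False},
    "personnel_file": {"anchor": "employment_end", "delete_after_days": 2 * 365,
                       "encrypt_at_rest": True},
}


def decide(record: HrRecord, today: date) -> str:
    """Return the action the policy requires for one record: delete, encrypt or keep.

    Deletion is checked first: there is no point encrypting data that must go.
    """
    rule = RULES[record.category]
    anchor = record.created if rule["anchor"] == "created" else record.employment_end
    if anchor is not None and today - anchor >= timedelta(days=rule["delete_after_days"]):
        return "delete"
    if rule["encrypt_at_rest"] and not record.encrypted:
        return "encrypt"
    return "keep"


def sweep(records: List[HrRecord], today: date) -> Dict[str, str]:
    """Map every record id to the action the policy requires on `today`."""
    return {r.record_id: decide(r, today) for r in records}


def apply_retention(records: List[HrRecord], today: date
                    ) -> Tuple[List[HrRecord], List[Tuple[str, str, str]]]:
    """Apply the sweep and return (remaining records, audit trail).

    The audit trail (record_id, subject, action) is what you would write to a
    tamper-evident log so that later access requests can be answered honestly.
    """
    remaining: List[HrRecord] = []
    audit: List[Tuple[str, str, str]] = []
    for r in records:
        action = decide(r, today)
        audit.append((r.record_id, r.subject, action))
        if action == "delete":
            continue                          # dropped from the store
        if action == "encrypt":
            r = replace(r, encrypted=True)    # stand-in for real at-rest encryption
        remaining.append(r)
    return remaining, audit


# --- Constructed sample records ------------------------------------------
SAMPLE_RECORDS = [
    HrRecord("A1", "application",    "applicant-1", date(2018, 3, 1)),
    HrRecord("A2", "application",    "applicant-2", date(2018, 5, 10)),
    HrRecord("P1", "personnel_file", "employee-1",  date(2012, 9, 1)),
    HrRecord("P2", "personnel_file", "employee-2",  date(2010, 2, 1),
             employment_end=date(2015, 1, 1), encrypted=True),
    HrRecord("P3", "personnel_file", "employee-3",  date(2014, 4, 1),
             employment_end=date(2017, 6, 1), encrypted=True),
]

if __name__ == "__main__":
    kept, trail = apply_retention(SAMPLE_RECORDS, date(2018, 5, 25))
    for entry in trail:
        print(entry)
    print("remaining:", [r.record_id for r in kept])
```

The policy table is deliberately separate from the code that applies it: the retention periods are the thing a DPO or legal team will want to review and change, and keeping them in one place makes that review (and an audit of what the system actually does) straightforward.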
Is a data protection officer mandatory?
Article 37 of the GDPR requires organisations to appoint a data protection officer (DPO) if one of the following conditions is met:
- Data processing is carried out by a public authority or body, with the exception of courts acting in their judicial capacity.
- The core activities of the organisation require regular and systematic large-scale monitoring of stakeholders' data.
- The core activities of the organisation consist of the large-scale processing of special categories of data (such as data revealing racial or ethnic origin, religious beliefs, genetic data, health data, etc.) or of personal data relating to criminal convictions and offences.
However, local Member State laws may also require the appointment of a data protection officer in other situations. Organisations should therefore consider appointing a data protection officer on a voluntary basis in some cases. Filling the role of DPO is not just a "checkbox" exercise. This person must be knowledgeable about data protection laws and practices and must ensure that the company complies with the GDPR. An existing employee can serve as DPO provided they have the required expertise and the role does not conflict with any other role they perform in the organisation.
Whether seen as a welcome remedy to the tangled web of national personal data laws or as just another onerous regulation to follow, the GDPR will soon be the law in every country in the EU and, as it turns out, far beyond. The new regulation will soon come into force, and for anyone within Human Resource who collects and processes large amounts of personal data, the impact will be significant. HR managers will have to assess their current processes and procedures very carefully to ensure compliance, or face hefty fines. Those who take a proactive approach now, plan, and choose the right techniques will inevitably be better prepared in May. After all, the core of the GDPR is all about managing content, in this case personal information about individuals.