Are you an American business owner with operations or customers in Europe? On May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect, bringing about a number of significant changes in how organizations collect, process, manage and store personal data.
What is the GDPR?
The GDPR is a major update to the EU’s existing data protection rules, designed to reflect some of the defining trends of recent years such as globalization and accelerating growth in digital technology. Its intention is to strengthen and unify data protection for individuals within the EU.
In addition to EU-based companies, it will apply to any U.S. company collecting, processing, managing or storing the personal data of those in EU member states in relation to the delivery of goods or services or behavior monitoring.
What it means for employers
The GDPR will enforce several changes that employers – specifically HR departments – will need to be aware of when processing and handling employee data.
Among these is the concept of ‘data protection by design’, which requires employers to make data protection risks a key part of the process of designing and operating policies, processes, products and services. The GDPR also mandates ‘data protection by default’, which states that only the personal data required for each specific purpose should be collected and processed.
Another concept that falls under the umbrella of the GDPR is consent. Questions have been raised about the idea of employers processing personal data based on employee consent, given the imbalance of power in the employer/employee relationship. When the GDPR takes effect, organizations will have to comply with stricter requirements to ensure that consent is “freely given, informed, specific and explicit”.
As far as providing information to members of staff and job applicants is concerned, the new regulations will require employers to go into much more detail. Starting May 25, 2018, organizations will have to provide the following information:
- The identity and contact details of the employer (the data controller).
- Contact details for the data protection officer, if the company has one.
- The recipients of the data.
- How long the data will be stored.
- The rights of the individual employee or applicant, including rights to access, rectify and request erasure of data.
Another key element of the GDPR is a requirement for companies to issue notifications of data breaches within 72 hours of becoming aware of them.
Regarding compliance, there will be much stricter penalties for those organizations that don’t adhere to the new rules. Fines could be as high as €20 million (currently £17.7 million) or four percent of total worldwide annual turnover, whichever is higher, so being ready to comply is extremely important.
A recent study conducted by Sage reported that 73 percent of US companies don’t feel confident that they are prepared for GDPR, and 16 percent feel that they may be fined because they aren’t prepared.
Speaking at a roundtable hosted by Kaspersky Lab, Sue Daley, head of cloud, data, analytics and artificial intelligence at techUK, said firms providing training on this topic need to look for ways to make it “real” for their staff. She added: “The first step is to talk about it and get people to understand what it means.”
At the same event, Caroline Hinton, head of HR at radio production company Somethin’ Else, said companies should view GDPR compliance not as a “tick-box exercise”, but as something that is specifically designed and made relevant for certain roles and departments.
The British Chambers of Commerce outlined some key steps businesses should be taking now, which include:
- Documenting the personal data the company holds, where it came from and who it is shared with.
- Reviewing current privacy notices and planning for changes required before the implementation deadline.
- Checking procedures to guarantee individual rights outlined under the GDPR, such as the deletion of personal data and the electronic provision of data.
- Determining whether the organization requires a data protection officer.
BCC executive director David Riches urged businesses to “be proactive” in complying with the GDPR in order to avoid financial penalties and public scrutiny. He also reassured those firms that are already vigilant about their data protection responsibilities that they “won’t be unduly burdened by the new legislation”.
Source: Sage GDPR Customer Survey, January 2018, U.S.