The biggest shake up in personal data protection in 20 years will soon hit businesses in the EU. The fines for non-compliancy are greater than ever. Is your organization ready and prepared for the new legislation?
What is GDPR?
The General Data Protection Register (GDPR) is the EU's new legislation on data privacy. It's aim is to provide greater data protection to individuals based in the EU. It replaces the EU's Data Protection Directive as well as the UK's Data Protection Act and it comes into force in less than 1 year, in May 2018.
Who does it affect?
GDPR affects any business, whatever size, that handles personal data of EU individuals. The penalties are severe for any organizations that are found to be non-compliant, with fines of up to €20M or 4% annual turnover.
One of the most important changes is increased jurisdiction, with the legislation now also applying to businesses that provide services into the EU, with US-based companies arguably amongst those most affected.
How does it relate to HR departments?
The principles of GDPR are largely similar to the EU Data Protection Directive, but are intended to "raise the bar" for privacy protection of EU individuals. The main differences that have an impact on HR responsibilities include:
1. The right to be forgotten - organizations must erase employees data upon request.
2. Employee consent - organizations must seek consent from an employee in order to process the employee's personal data. Such consent must be unambiguous and the refusal to give consent must not be detrimental to the employee.
3. Right to access - organizations must provide individuals access to the personal data being tracked upon request and must also provide a way for employees to be able to request the correction of incorrect data.
4. Breach notification - Organizations must notify the supervisory authority within 72 hours of a breach and must also notify employees without undue delay if the breach might affect their rights and freedoms.
5. Data portability - organizations must provide a way for employees to transmit their personal data to another entity.
6. Privacy by design - organizations that collect personal data should only store such data for as long as is necessary and should limit access of such data to only those that need access to it.
7. Greater fines for non compliance -fines of up to €20M or 4% annual turnover.
What preparation can HR departments do now?
1. Audit your current situation. Identify the data systems within your organization that store or process personal information and how they will need to be improved or replaced. For instance, if your department uses spreadsheets to record employee information, consider switching to an HR system that can help facilitate GDPR compliance.
2. Establish a data breach policy and a data retention policy and identify which data systems this should affect and ensure that such data systems are capable and configurable to comply with the policy.
3. Consider how you will establish procedures for providing employees access to their own personal data and for meeting data correction requests. Systems that provide some level of employee self-service will reduce the overhead and onus on HR departments for meeting the new 30 day deadline on responding to requests.
4. Review your current employee contracts for clauses around data protection and consents for storage and processing of personal information. Such clauses may not be considered "unambiguous consent" under the new GDPR legislation. Decide how you will obtain specific consent for specific purposes and how you will maintain detailed records to demonstrate when and how consent was given. Also work out how your processes will deal with the withdrawal of consent or refusal to give consent.
5. Consider where your employee's personal data is stored. If it is stored on your behalf by a supplier that hosts the data outside the EU then consider finding a way to move the data to the EU. If this is unfeasible then, to comply with GDPR, you should ensure that such suppliers provide an adequate level of protection to employee data.
With the penalties for non-compliance great than ever and with the deadline fast approaching there is no time like the present to start planning for the new GDPR legislation.
Simon Bates is CEO of Workteam, an HR Management System for businesses of all sizes with a focus on growing employee engagement. Visit http://workte.am to find out how it can benefit your organization.