Data privacy under the EU’s General Data Protection Regulation
The EU’s General Data Protection Regulation (GDPR) is the most sweeping data privacy regulation in decades. It protects personally identifying information (PII) for EU citizens that is collected, used, stored, or transmitted by businesses. GDPR came into full force on May 25, 2018 in all EU Member States, including the U.K. However, U.S. companies aren’t off the hook—the GDPR impacts any global business with customers or employees located in Europe.
Last year, Gartner predicted that more than 50% of companies affected by GDPR will not achieve full compliance with its requirements by the end of 2018. Businesses must act quickly and decisively to avoid hefty fines and penalties.
Does your company need to comply?
Most multi-national organizations will have to comply with GDPR. Even in a U.S. headquartered company with no direct operations in the EU, the chances are good that the organization collects, stores, processes, or transmits the personal data of an EU citizen if it has a significant internet presence.
When it comes to noncompliance, the GDPR has big teeth. Penalties will be a severe hit to the bottom line of any business and are assessed according to the severity of the infringement. A lower-level infringement may carry a fine of up to $11.5 million or 2% of worldwide annual revenue. A higher-level infringement carries a fine of up to $23 million or 4% of worldwide annual revenue.
What constitutes “personal data”?
Any piece of data that can help identify an individual person is considered personal data. According to the employment law firm Jackson Lewis P.C., this can include name, ID number, location, online identifier, IP address, cookie strings, social media posts, online contracts, mobile device IDs, and any information about a person’s physical, mental, genetic, cultural, or social identity.
Areas of GDPR compliance impact on HR
HR and payroll departments should carefully consider GDPR impacts on existing data processes. Consult legal counsel about taking these steps toward compliance:
- Hire a data protection officer (DPO). The GDPR requires data controllers and processors to designate a DPO in most large organizations.
- Audit employee data processing. Identify all instances of PII that flow through your department. Consider the recruiting and hiring process, the payroll process, the benefits enrollment process, and so on. You will need to establish and maintain a record of processing activities that tracks what data you process and for what purpose. Every processing activity involving employee PII must have a legitimate purpose under the regulation.
- Provide for new employee rights. The GDPR grants employees (including ex-employees and job candidates) new privacy rights, including:
  - Right to access personal data and to know whether it is being processed
  - Right of rectification, to correct inaccurate personal data
  - Right to erasure, or ‘to be forgotten’, in specific instances
  - Right to restrict processing of PII, in specific circumstances
- Review third-party data processors. To whom are you transmitting employee PII, and for what purpose? Think about providers of payroll processing services, benefits carriers, and background verification services. Background checks are only allowed in specific circumstances under the GDPR. Third parties under contract with your organization that have legitimate reasons to process your employee data must themselves be in compliance with the GDPR.
GDPR resources for HR professionals
Consult these websites to learn more about what GDPR requires of employers:
EUGDPR.org is a web portal that provides an overview of the regulation and FAQs. It also summarizes every article contained in the regulation.
The Society for Human Resource Management (SHRM) provides a collection of GDPR-focused articles, many written by top legal experts.
The Jackson Lewis Workplace Privacy Report features GDPR articles nearly every month, and you can easily access past issues and search by topic.
HR Technologist offers GDPR articles specifically for the HR function.
HR departments that lack solid organizational processes for storing and accessing employee data will have greater difficulty coming into compliance with the GDPR. Asure’s Human Capital Management solutions offer a single-database system to provide a centralized location for all your workforce and HR management needs.