What is GDPR and how does it affect HR?

Everything you need to know about the General Data Protection Regulation

February 10, 2018 – GDPR stands for General Data Protection Regulation. Any organisation around the world, which has data of European individuals need to oblige to the General Data Protection Regulation. Companies of all sizes are affected and even companies outside the European Union (EU) need to have processes in place to ensure compliance. It means in practice that also a company outside the EU which is targeting EU consumers will be subject to the GDPR.

GDPR applies to the processing of personal data wholly or partly by automated means as well as to non-automated processing, if it is part of a structured filing system, which  includes Human Resource Management, Payroll Administration and Employee file contacts database containing personal data but also, sending promotional emails, posting/putting a photo of a person on a website, storing IP addresses or MAC addresses and video recording (CCTV).

Enforcement date: May 25, 2018

The General Data Protection Regulation will be enforced by May 25, 2018. This regulation provides one set of data protection rules for all companies operating in the EU, wherever they are based.

Stronger rules on data protection mean

  • people have more control over their personal data
  • businesses benefit from a level playing field

Examples of personal data

  • a name and surname
  • a home address
  • an email address such as name.surname@company.com
  • an identification card number
  • location data (for example the location data function on a mobile phone)*;
  • an Internet Protocol (IP) address
  • a cookie ID*
  • the advertising identifier of your phone
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person

*Note that in some cases, there is a specific sectoral legislation regulating for instance the use of location data or the use of cookies – the ePrivacy Directive 

Examples of data not considered personal data

  • a company registration number
  • an email address such as info@company.com
  • anonymised data

GDPR in relation to Data Processor & Data Controller
A Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the Data Processor is an entity which processes personal data on behalf of the Data Controller. The GDPR places accountability obligations on Data Controllers to demonstrate compliance. In certain circumstances Data Controllers and Data Processors must designate a Data Protection Officer (the DPO) as part of their accountability programme.

What can HR Departments do to prepare?

  • GAP Analysis & Impact Assessment: It is advised to conduct a GAP Analysis and integrate a Data Protection Impact Assessment to identify potential privacy issues for example regarding employee records.
  • Review current Policies and Procedures: Review the current Policies and Procedures an rewrite them according to the regulation.
  • Draft new clear Policies and Procedures: Put in place clear policies and well-practised procedures including a framework (RACI) for responsibility and accountability. The GDPR requires that information provided should be in clear and plain language and easily accessible.
  • European Works Council & local Works Council: formal discussion on presenting the roll out of GDPR plan and align with Works Council to make sure to be complaint.
  • Data Protection Officer (DPO): Check if it is required in your company to appoint a Data Protection Officer.
  • Cross-border data transfers: When transferring (employee) data cross border it is important to ensure that you have a legitimate basis for transferring personal data.
  • Security: Work together with IT to ensure that appropriate encryption technology is deployed on all company devices given out to employees. Also make sure the current HR Information Software (HRIS) is in line with the Regulation.
  • Talent Acquisition & GDPR: Make sure you check compliance in regards to applicants data, privacy notice and background checks.
  • Third Parties HR: Check if contracts with third parties (recruitment agencies, Health & Safety Occupation Services (Arbodienst)comply with the requirements of GDPR.
  • Employee records: Check if the employee data is compliant and where there is opportunity to minimise the amount of employee data.
  • Training: Organise/coordinate training for stakeholders, managers and employees.

What are the penalties?

The GDPR has a tiered approach to penalties for breach, companies can be fined up to 4% of annual worldwide turnover and EUR 20 million. Another type of fine could be up to the higher of 2% of annual worldwide turnover and EUR 10 million. This category of fine would be applied for instance if a Data Controller does not conduct impact assessments, as required by the Regulation.

Source of information: 

In addition for companies in the United States: The previous Safe Harbor agreement was invalidated by the European Court of Justice. The EU-US Privacy Shield replaces the agreement and offers enhanced protections for EU data. Currently, there a lot of American companies that have signed on to the Privacy Shield, including Google and Facebook.

More from HRM Netherlands

Marieke Stoop

Marieke Stoop is the founder of Human In Progress. She is the content owner of the HR Portal NL covering Human Resources best practices with a focus on leadership, trends and labour law.