What is GDPR and what does it mean for HR?
GDPR stands for General Data Protection Regulation. Any organisation anywhere in the world that holds data of European individuals must comply with the General Data Protection Regulation. Companies of all sizes are affected, and even companies outside the European Union (EU) need to have processes in place to ensure compliance. In practice this means that a company outside the EU that targets EU consumers is also subject to the GDPR.
GDPR applies to the processing of personal data wholly or partly by automated means, and also to non-automated processing when it is part of a structured filing system. This covers Human Resource Management, Payroll Administration and an employee file or contacts database containing personal data, but also sending promotional emails, posting a photo of a person on a website, storing IP addresses or MAC addresses, and video recording (CCTV).
Enforcement date: May 25, 2018
The General Data Protection Regulation will be enforced from May 25, 2018. This regulation provides one set of data protection rules for all companies operating in the EU, wherever they are based.
Stronger rules on data protection mean that:
- people have more control over their personal data
- businesses benefit from a level playing field
Examples of personal data
- a name and surname
- a home address
- an email address such as email@example.com
- an identification card number
- location data (for example the location data function on a mobile phone)
- an Internet Protocol (IP) address
- a cookie ID
- the advertising identifier of your phone
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
Examples of data not considered personal data
- a company registration number
- an email address such as firstname.lastname@example.org
- anonymised data
GDPR in relation to Data Processor & Data Controller
A Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data, while a Data Processor is an entity that processes personal data on behalf of the Data Controller. The GDPR places accountability obligations on Data Controllers to demonstrate compliance. In certain circumstances Data Controllers and Data Processors must designate a Data Protection Officer (DPO) as part of their accountability programme.
What can HR Departments do to prepare?
- Gap Analysis & Impact Assessment: It is advised to conduct a gap analysis and integrate a Data Protection Impact Assessment to identify potential privacy issues, for example regarding employee records.
- Review current Policies and Procedures: Review the current Policies and Procedures and rewrite them according to the regulation.
- Draft new clear Policies and Procedures: Put in place clear policies and well-practised procedures, including a framework (RACI) for responsibility and accountability. The GDPR requires that information provided should be in clear and plain language and easily accessible.
- European Works Council & local Works Council: Hold a formal discussion to present the GDPR roll-out plan and align with the Works Council to make sure the company is compliant.
- Data Protection Officer (DPO): Check if it is required in your company to appoint a Data Protection Officer.
- Cross-border data transfers: When transferring (employee) data cross border it is important to ensure that you have a legitimate basis for transferring personal data.
- Security: Work together with IT to ensure that appropriate encryption technology is deployed on all company devices given out to employees. Also make sure the current HR Information Software (HRIS) is in line with the Regulation.
- Talent Acquisition & GDPR: Make sure you check compliance with regard to applicants' data, the privacy notice and background checks.
- Third Parties HR: Check whether contracts with third parties (recruitment agencies, Health & Safety Occupation Services (Arbodienst)) comply with the requirements of the GDPR.
- Employee records: Check if the employee data is compliant and where there is opportunity to minimise the amount of employee data.
- Training: Organise/coordinate training for stakeholders, managers and employees.
What are the penalties?
The GDPR has a tiered approach to penalties for breach: companies can be fined up to the higher of 4% of annual worldwide turnover and EUR 20 million. The other tier of fine is up to the higher of 2% of annual worldwide turnover and EUR 10 million. This category of fine would be applied, for instance, if a Data Controller does not conduct impact assessments as required by the Regulation.
Source of information:
- European Commission on GDPR
- Rules for Organisations regarding GDPR
- Data transfer outside the EU
- Member Countries of EU
- EU-US Privacy Shield
In addition, for companies in the United States: the previous Safe Harbor agreement was invalidated by the European Court of Justice. The EU-US Privacy Shield replaces that agreement and offers enhanced protections for EU data. Currently, there are a lot of American companies that have signed on to the Privacy Shield, including Google and Facebook.