The clock continues to tick down towards May 25, 2018 when the General Data Protection Regulation (GDPR) will officially be enforced. Any organization that processes the personal data of European Union citizens is expected to comply with the new rules that aim to protect and empower the data privacy of all EU citizens.
With just nine months left, many organizations across Europe and around the world are still scrambling to enact the appropriate policies and procedures that will ensure their compliance. A recent survey revealed that only 2% of IT professionals in the United States believe that their organization is fully prepared for the GDPR. IT isn’t the only department that needs to prepare, though.
How does the GDPR affect HR’s role?
Any organization that employs citizens located in the European Union must familiarize itself with the GDPR requirements and evaluate its current procedures immediately. The GDPR not only protects the rights of consumers, it also protects the privacy of the EU workforce.
Human Resources regularly processes a vast number of sensitive records that include personal information. From the initial onboarding process to the personnel records kept throughout an employee’s tenure and even after their departure from the company, HR policies and procedures should be audited to identify and improve the areas where they are not currently compliant with the GDPR.
A Little History
Although the GDPR will be replacing the Data Protection Directive (Directive 95/46/EC) of 1995, the main principles of both stem from an even older set of guidelines presented by the Organisation for Economic Co-operation and Development (OECD) all the way back in 1980. These recommendations were endorsed by both the EU and the U.S. and were established to protect the fundamental human right of privacy. The guidelines proposed that the amount of personal data collected should be limited and relevant to the purposes for which it is used, as well as that all personal data should be protected by reasonable security safeguards.
With these principles in mind, the Data Protection Directive was enacted as a way to harmonize all of the data protection laws across the European Union. But, over the years, the framework of the directive became outdated and required updates to ensure that personal data was still protected from emerging security risks.
An Increasingly Vast Data Landscape
It’s no surprise that a lot of things have changed since the creation of the Data Protection Directive in 1995. When Directive 95/46/EC was put into place, only 0.4% of the world’s population used the internet. By 2016, 85% of households in Europe were able to access the internet from their very own home. Innovation has played a huge role in the rise of the Information Age and the ways in which data is now collected and processed, but it has also created some major gaps in the directive’s ability to protect the personal information of EU citizens.
The GDPR is intended to provide the necessary privacy standard updates that will fit with the technology of today while leaving enough room to continue to protect the privacy of citizens regardless of where future waves of innovation take us.
The Collapse of Safe Harbor
A catalyzing event leading up to the creation of the GDPR was the collapse of the Safe Harbor Framework which was negotiated and put into place by the U.S. and the EU in 2009. About 4,500 companies relied upon this agreement to legally transfer data from Europe to the U.S., and vice versa.
In 2015, Safe Harbor was invalidated after the European Union determined that the European Commission had not appropriately evaluated the U.S.’s ability to maintain an equivalent protection of EU citizens’ data.
Key Changes of GDPR
The overarching rules of the GDPR will have a significant impact in three important areas:
- Increased Territorial Scope: GDPR will not merely affect EU businesses. Any U.S. company, and in fact any company around the world that processes the personal data of EU citizens, must comply.
- Increased Consent: All organizations must obtain the consent of EU citizens in clear, easy-to-understand language. It must also be as easy for someone to withdraw their consent as it is to give it.
- Increased Penalties: Under the GDPR, companies that do not comply will face fines as high as 4% of their annual global turnover or €20 million. And, no one is exempt! Fines will apply to both controllers and processors of data.
So, what does all of this mean for HR professionals?
HR professionals are responsible for managing and protecting sensitive personnel records, as well as the secure destruction of those documents at the end of their retention schedule. Organizations that employ residents of the EU will need to review how they collect, handle and protect data, including in the following types of records:
- Applications, Resumes and Verification Documents
- Payroll and Benefit Selections
- Certifications, Licenses and Credentials
- Performance Management Records
- Training and Development Records
- Retirement and Termination Documents
Under the GDPR, HR will need to ensure that all records and onboarding forms very clearly give individuals the opportunity to make an informed choice to consent, as well as to withdraw that consent. Separate forms for very specific purposes may be necessary, and HR departments will need to maintain detailed records of when and how consent is provided for each employee.
All EU citizens will also have the right to access the data their employer holds about them, and businesses will need to provide this information “without undue delay.” Depending on your HR processes and the amount of data you’ve collected from an employee, implementing digital solutions that allow you to automate and streamline your processes can help ensure that data is accessible and can be shared with the appropriate parties.
HR will also play a vital role in how organizations respond to data breaches. All data breaches, even those that occur due to common workplace mistakes, must be reported within 72 hours. This means that all team members will need to be trained in preventing, recognizing and addressing data breaches according to a clear response plan. If your organization does not already have a data breach response plan in place, it’s imperative that one be established and enforced now.
Where to Start
First and foremost, HR leaders must familiarize themselves with the new requirements under the GDPR. Consulting with experts in international HR compliance in the countries in which operations exist would be a prudent approach given the variation that exists on a country-by-country basis. Additionally, an HR audit will allow you to identify the personal information that you process as well as any gaps in your processes. From there, new policies and procedures in line with GDPR requirements can be implemented.
GDPR success will rely upon a team effort, and HR professionals will likely play a key role not only in driving compliance in HR matters but also in ensuring all members of an organization are thoroughly trained in the procedures that ensure compliance with the statute.