General Data Protection Regulations – Why You Should Pay Attention
The European General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. According to the International Data Corporation, this new legislation represents the biggest change to data protection law in three decades. It requires organisations to comply with both large-scale GDPR standards and country-specific employment regulations.
How do you ensure your organisation is prepared for a smooth transition to GDPR guidelines? The GDPR’s tiered penalty system is strict, and mentions fines of up to €20 million or 4% of your company’s global annual turnover for the preceding financial year, whichever is greater. Educate yourself on the nuances of the GDPR, and make sure your employees have systems in place to ensure compliance.
Does it apply to you?
From manufacturing companies, to online start-ups – it doesn’t matter whether or not you have an actual physical presence in the EU. You still need to abide by GDPR if you:
- Sell goods or services to EU citizens and residents
- Operate a website that uses technologies (such as cookies) to monitor people, some of whom may be based in the EU
- Employ any residents of the EU
- Collect any sort of data that may include information about EU citizens
Sounds like a lot! Data collection from anyone in the EU will mean you have to comply with the GDPR rules. GDPR nuances are many, and include notification on a stricter definition of consent, laws on profiling, data handling, data retention, data processing, breach notification requirements, and much more. It’s best to have your lawyer read the specifics, and that too before 25 May 2018.
Are SaaS-heavy companies particularly affected by GDPR?
The very nature of SaaS software makes it a challenge for IT and compliance departments when it comes to GDPR. Your company’s cloud ecosystem (or even another company’s cloud software that you use) involves several licenses and subscriptions, many perhaps unused or unmanaged and even forgotten. You will need to get all your licenses, data and applications in order – and have a complete picture of where they all reside. And then you will need to ensure they are compliant with the new regulations. Gather your IT, procurement, compliance, HR and legal teams to work on this, so you’re well in the clear by the time May 2018 rolls around. Start with reading the EU GDPR website.
Is GDPR relevant only to European companies?
In short, no. GDPR will affect any Indian company that provides goods or services to consumers in the EU, or monitors the behaviour of people located in the EU. This is regardless of where the company’s offices or servers are based.
Will GDPR apply to the UK in light of Brexit?
Yes, the GDPR will also apply in the UK since it will still be part of the EU when the new regulations take effect.
Data, Data, Data
The GDPR sets out comprehensive new rules for privacy notices, consent and data breach notifications, among other things. Under current rules, employers must provide staff and applicants with privacy notices. Under GDPR, these notices must specify how long data will be stored, if it will be transferred out of the EU and also make it clear that individuals can make both access and deletion requests under certain circumstances.
Data Controllers will be required to notify the relevant data protection authorities within 72 after they have been made aware of a data breach that could potentially cause risk to the rights and freedoms of individuals.
Preparing for the new data landscape
The new EU legislation is clear: Data privacy is of paramount concern, and businesses that want to operate in any member states must be prepared to comply.
Here are steps to jump-start the process:
- Audit HR processing — How are you handling personal data? Do you hold a registry of applications, processes, and categories of data being processed by your organisation?
- Prep for Individual Rights Requests — The GDPR requires individual requests for information/deletion to be addressed and in a maximum of one month. Assess your current processes.
- Implement an HCM solution — You may not have the technical expertise or available IT staff to make necessary changes in the next year. Cloud-based HCM tools can help you meet compliance standards without ignoring current HR needs.
- Update privacy notices — Make sure your privacy notices address all GDPR obligations.
- Evaluate your risk — As noted by Information Age, it’s a good idea to assess your risk of data breach and implement necessary safeguards. While the new rules don’t demand specific tech solutions to defend personal data, state-of-the-art methods and software are the expectation.
GDPR represents a significant shift in the way personal data is handled, processed and secured. We invite you to join ADP’s data privacy experts for a special recorded webinar to learn more about the impending GDPR legislation and make sure your organisation is ready to face the turbulence ahead.
Some parts of this post were excerpted from the ADP Spark blog.