GDPR and Its Salient Features

On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) became applicable and enforceable across all member states, replacing the earlier Data Protection Directive (95/46/EC).

Under the GDPR (a regulation, not a directive, so it applies directly without national implementing law), personal data is any information relating to an identified or identifiable natural person, for example a name, a photo, an email address, bank details, posts on social networking websites, location data, medical information, or the IP address of a person's computer.

Under the GDPR, individuals have:

  1. The right of access – Individuals have the right to obtain confirmation that their personal data is being processed, to access that data, and to know how the organization uses it after collection. The organization must provide a copy of the personal data free of charge and, if the request was made electronically, in a commonly used electronic format.
  2. The right to be forgotten – if consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
  3. The right to data portability – Individuals have a right to transfer their data from one service provider to another. And it must happen in a commonly used and machine readable format.
  4. The right to be informed – this covers any collection of personal data by an organization: individuals must be told, at the time the data is collected, who is collecting it, for what purpose, on what lawful basis, and for how long it will be kept. Consent is only one of the lawful bases the GDPR recognizes; where an organization relies on it, the consent must be freely given, specific, informed and unambiguous (an affirmative opt-in), not implied from silence or a pre-ticked box.
  5. The right to have information corrected – this ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
  6. The right to restrict processing – Individuals can request that their data is not used for processing. Their record can remain in place, but not be used.
  7. The right to object – this includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
  8. The right to be notified – If a personal data breach is likely to result in a high risk to individuals' rights and freedoms, the organization must inform the affected individuals without undue delay. The 72-hour deadline applies separately to the organization's notification of the supervisory authority, which must be made within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a risk to individuals.

Implications of GDPR

Organizations that process personal data are responsible for GDPR compliance whether they act as a controller (deciding the purposes and means of processing) or as a processor (processing on a controller's behalf). Designating a Data Protection Officer (DPO) to oversee compliance is mandatory only for the categories of controller and processor listed later in this page; other organizations may appoint one voluntarily.

There are tough penalties for companies and organizations that do not comply with the GDPR: administrative fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is greater.

Many people might think that the GDPR is just an IT issue, but that is the furthest from the truth. It has broad-sweeping implications for the whole company, including the way companies handle marketing and sales activities.

The GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing itself takes place in the EU or not. Organizations established outside the EU are also subject to the GDPR when they offer goods or services to individuals in the EU (whether or not payment is required) or monitor the behaviour of individuals in the EU. The test is where the data subject is, not their citizenship.

What is the idea behind GDPR?

It is fair to say that legislation has failed to keep pace with the speed at which technology and big data have advanced, particularly our ability to gather, store and analyze data. The GDPR is therefore designed to strengthen data protection and the right to privacy for individuals in the EU, giving them greater control over their personal data and how it is used.

The GDPR represents a complete overhaul of the legal requirements that must be met by any company handling the personal data of individuals in the EU, and that includes employees' personal data.

The implications of the GDPR are not to be sneezed at. Companies that fall foul of the regulation and are found to be misusing personal information face fines of up to €20m or 4% of annual worldwide turnover, whichever is the greater of the two.

Why HR teams need to get consent for employee data

Lawful basis and purpose limitation are critical pillars of the new legislation: every processing operation needs one of the lawful bases the GDPR lists, and personal data may only be used for the specific purpose for which it was collected. Consent is one of those bases, but in the employment relationship supervisory authorities regard it as rarely freely given, because an employee can seldom refuse without fear of consequences. HR teams therefore normally rely on other bases (performance of the employment contract, a legal obligation such as payroll tax reporting, or the employer's legitimate interests) and reserve explicit, opt-in consent for genuinely optional processing. Whichever basis applies, employees must be made fully aware of how their data will be used.

In other words, you need to be transparent with your employees about what data is being collected, for what purpose, on what lawful basis, and how that data will be used. This is done through an employee privacy notice; where consent is relied on, the employee's affirmative agreement should be recorded and they must be able to withdraw it as easily as they gave it. Then, crucially, you can only use the data for the purpose for which it was handed over; if you want to use it for a different purpose that is not compatible with the original one, you must inform the employee and, where consent is the basis, seek fresh consent.

Consequences of GDPR in the workplace

The GDPR contains a substantial number of ‘new’ standards and rules, the most important changes being:

  1. Additional rights for employees
  2. Data Protection Impact Assessment
  3. Data Protection Officer

We will briefly discuss these three topics below.

1. Additional Rights for Employees

Employees acquire a number of additional rights that reinforce control over their own personal data. For example, the right of access has been extended: the employee now has the right to be informed about

  1. how long the employer intends to keep the data, or the criteria used to decide that period;
  2. whether the data will be used for automated decision-making, including profiling, and if so the logic involved and the consequences for the employee;
  3. whether the employer intends to transfer the data outside the EU, and if so, which safeguards will be provided in that context.

This puts extra responsibility on anyone working with personnel data.

Furthermore, the employer must inform the employee of the right to rectification and the right to lodge a complaint with a supervisory authority. An individual employee also has a right to erasure (the "right to be forgotten"), which applies only in specific circumstances, for example when the data is no longer necessary for the purpose it was collected for or has been processed unlawfully; it does not override record-keeping that the employer is legally obliged to perform.

2. Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is a structured way of identifying and minimizing the privacy risks of a planned processing operation before it starts.

A DPIA must be carried out when the processing of personal data is likely to result in a high risk to the rights and freedoms of the individuals concerned, which in the HR context means employees and job applicants. If the assessment shows a residual high risk that cannot be mitigated, the employer must consult the supervisory authority before proceeding.

The GDPR itself names three situations in which a DPIA is mandatory, and each national supervisory authority publishes a further list of processing operations that require one:

  1. Profiling: a systematic and extensive evaluation of personal aspects of natural persons, based on automated processing (including profiling), on which decisions are based that produce legal effects for those persons or similarly significantly affect them (for example automated screening of job applicants).
  2. Sensitive data: large-scale processing of special categories of data (such as health, trade union membership, or biometric data used to identify a person) or of data relating to criminal convictions and offences.
  3. Monitoring: systematic monitoring of publicly accessible areas on a large scale (for example CCTV covering premises open to the public).

3. Data Protection Officer

Under the GDPR, it is mandatory for certain controllers and processors to designate a Data Protection Officer (DPO). The controller is the organization that determines the purposes and means of the processing; the GDPR has no concept of "ownership" of personal data. The processor is the body that processes personal data on behalf of, and on the documented instructions of, the controller. This includes third parties that do data analysis on your HR data, such as a payroll provider or an outsourced applicant-tracking service, and the controller must have a written contract with each of them that sets out the processor's obligations.

The GDPR requires the designation of a DPO in three specific cases:

  1. Where the processing is carried out by a public authority or body.
  2. Where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale.
  3. Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses.