With the GDPR deadline fast approaching, HRZone asked ADP Chief Privacy Officer, Cécile Georges, to answer some key HR-related questions about this new regulation.
How does GDPR impact businesses?
If your organisation does business in the EU or handles EU residents’ personal data, regardless of whether or not your business is located in the EU, then GDPR has a direct impact on how your organisation handles this personal data.
The main purposes of GDPR are to harmonise data protection principles across the EU, and to give people more control over how their personal data is used. Personal data is a very broad term, so unless the data is fully anonymised, it is very likely that it will be covered under GDPR as long as the information does or could identify an individual, either directly or indirectly.
How does GDPR impact individuals?
It’s really about giving people more of a say over how companies collect, store and secure their data. The goal is to take into account internet and cloud technology, which generated new ways of exploiting data, while improving people’s trust in the digital economy.
How does GDPR impact HR professionals?
The first thing I’d stress is that with all aspects of GDPR, it’s best to think of it as a continuous process rather than a one-off task or box to be ticked.
May 2018 will be the starting point for the ongoing compliance. GDPR introduces an accountability approach: each company will have to do an assessment of their data processing activities, and will have to demonstrate and document their compliance with GDPR through the holding of HR records data-processing activities and the implementation of data protection by design principles and processes.
HR will have to perform data protection impact assessments on their projects, and document their data protection measures.
Does GDPR also apply when personal data are processed outside the EU?
The answer is yes, as long as such data relates to an EU resident. In other words any data collected in the EU are governed by GDPR.
What happens when a former employee asks to be forgotten?
As a matter of principle, personal data should not be processed for longer than necessary considering the purpose of the processing. However, the employer should verify that the conditions set out by GDPR for the right to be forgotten are met, because this right is not an absolute right. In the context of payroll and HR, an employer may have mandatory retention schedules to comply with.
Should all companies appoint a Data Protection Officer?
Not all companies will have to appoint a DPO. It will depend on the volume of data they process and the sensitivity of such data.
What should an organisation do in case of a data breach?
An incident response plan is critical to help protect personal data and comply with legal requirements. In case the data breach is considered as a reportable incident, the organisation will have to report the personal data breach to the relevant Supervisory Authority within 72 hours of being made aware of the incident.
In addition, if the personal data breach triggers high risk for the rights of the individuals affected by the breach, then the organisation may have to notify these individuals of such a breach.
What are the non-compliance consequences?
Failure to comply with GDPR can trigger on-site investigations (dawn raids) performed by the Supervisory Authorities (data protection authorities). A company can be fined up to 20 million euros or 4% of its worldwide revenue, whichever of the two figures happens to be higher, for certain types of infringements.
Fines can be up to 10 million euros or 2% of a company’s worldwide revenue, whichever is the higher, for other types of infringements. Supervisory Authorities will also be empowered to impose sanctions such as compliance orders or a full stoppage of personal data processing. Companies may also face private claims for compensation from affected individuals.
How should an organisation prepare for GDPR?
Now is the time to do something as the clock is ticking, and the workload should not be underestimated.
We would recommend the following:
-
Perform an analysis of the GDPR requirements and determine how it applies to your company
-
Review your existing processes and map the flow of data that you are handling.
-
Identify gaps that will need to be remediated
-
Develop an action plan and involve appropriate stakeholders: Privacy, Legal, HR, IT, Sales & Marketing and others
-
A key part of this project will be to document and confirm completion of the actions that will require you to test and control the actual implementation of such actions
-
Design your governance programme because GDPR is all about accountability and capability to demonstrate compliance on an ongoing basis
-
The capacity of each company to demonstrate compliance with GDPR will be key because GDPR grants much more power to the regulators in each Member State of the European Union to audit, investigate, and potentially apply severe sanctions