Four things to know about the biggest change to data protection laws in 30 years.
By Cecile Georges
Keeping up with the 50,000 or more legislative changes that occur around the world each year can be a daunting task for any HR team. But now, HR leaders of multinational companies need to brace themselves for a particularly large regulatory change: the European Union’s General Data Protection Regulation (GDPR).
Starting May 25, 2018, the GDPR will take effect. It applies to every company established in the European Union (EU), and also to companies outside the EU that offer goods or services to people in the EU or monitor their behaviour, so an HR function that holds data on EU-based employees is in scope wherever it sits. This shakeup represents the biggest change to data protection laws in 30 years, promising a new era of data governance and enhanced requirements in security and personal data processing.
For some, privacy protection reform was long overdue. The rise of the internet and globalisation has triggered a steady increase in international data flows. And although sending personal data abroad has long been subject to restrictions, for many, these attempts to safeguard data globally never went far enough.
The GDPR is the result of four years’ work by the EU to give people more control over how their personal data is collected, stored, and secured. Under the GDPR, the term “personal data” is explicitly broader than most HR teams are used to. It means any information that identifies, or could be used to identify, a living individual, either directly or indirectly: a person’s name and birth date, but also online identifiers such as an IP address or device ID, location data, and information on their economic situation. Data on health, trade union membership, ethnicity, or religion counts as a special category that attracts stricter rules, which matters because HR files routinely contain it (sickness absence records, for example).
The regulation replaces the Data Protection Directive from 1995 and was designed to iron out the current disparity of data protection regimes across the 28 EU-member states. By providing a single data protection framework, businesses operating within the EU will gain a simpler legal environment.
It’s fair to say that the GDPR is really a set of global data protection regulations, as most businesses these days— even small and midsize ones— are powered by cloud computing, deploy mobile devices, and do business with European partners or customers at some point during the year.
The real question, however, is whether companies are prepared for the change. A Dell survey found that small businesses, midsize businesses, and large enterprises all lack general awareness of the requirements of the new regulation. The same survey also showed that most businesses don’t know how to prepare for it and are unfamiliar with the impact of non-compliance on data security and business outcomes. In fact, more than 80 per cent of global respondents knew few details or nothing at all about the GDPR.
Here are four factors HR needs to consider surrounding compliance.
1. Fines can be hefty. With just 11 months left to prepare, organisations can’t afford to be indifferent—literally. The most serious breaches of the GDPR (for instance, unlawful processing, ignoring data subjects’ rights, or unlawful international transfers) can trigger on-site investigations and fines up to 20 million euros or four per cent of a company’s worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of up to 10 million euros or two per cent applies to breaches of the more procedural obligations, such as record-keeping or breach notification. Companies can also face private claims for compensation from affected individuals. Regulatory agencies can also impose sanctions such as compliance orders or a temporary or permanent ban on personal data processing.
2. Get ready for more accountability. The GDPR signifies a shift away from companies notifying their data processing to data protection authorities, which then assessed whether or not that processing was compliant. Now, each company has to make that assessment itself and be able to demonstrate compliance on request, principally through written records of its HR data-processing activities (what data is held, why, on what legal basis, who it is shared with, and for how long it is kept). Companies will also have to perform a data protection impact assessment before starting high-risk processing (large-scale employee monitoring is a typical HR example), document their technical and organisational data protection measures, and appoint a data protection officer where the regulation requires one, for instance where core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data.
3. Compliance with cross-border data transfers is a must. Cross-border data transfers affect any organisation that needs to transfer personal data out of the EU, so companies that use cloud-based services, remote-access services, or global HR databases will need to think about the mechanisms they’re going to use to legitimise their data transfers.
One of the main objectives of the GDPR is to make international data transfer more predictable. In a nutshell, the data center doesn’t necessarily have to be EU-based. Rather, the GDPR offers a defined set of transfer mechanisms and removes administrative barriers by no longer requiring prior authorisation from the data protection authorities when the standard mechanisms are used. Companies that carry out international data transfer have three main options for complying with the GDPR: they can use the standard contractual clauses issued by the European Commission, limit their data transfer to the short list of countries the European Commission has found to provide an adequate level of protection, or legitimise such transfers through the mechanism of binding corporate rules (BCRs). Two practical points are easy to miss. First, a transfer mechanism only legitimises the transfer itself; the underlying processing still needs its own legal basis, and the recipient must still meet the security and accountability obligations. Second, a “transfer” includes remote access: an HR administrator in a non-EU office logging in to an EU database is moving data across the border just as surely as a nightly replication job is.
Consider BCRs. BCRs are policies developed internally by a group of companies and binding on every entity in the group. There are two kinds: BCRs for controllers, which cover the personal data the group itself controls, such as its own employees’ and customers’ data, and BCRs for processors, which cover data the group processes on behalf of its clients. Both must meet the high standard of protection the EU requires. Once the BCRs are approved by the competent EU data protection authority (with the other authorities concerned consulted through the GDPR’s consistency mechanism), companies can use them to carry out personal data transfers within the group without having to go back and seek authorisation each time.
BCRs also simplify the data transfer process into a natural extension of existing corporate compliance policies and procedures, and they demonstrate a commitment to protecting clients’ and employees’ personal data to the highest standards required in the EU. The caveat is timing: drafting and getting BCRs approved has historically taken well over a year, so they are a medium-term investment rather than something to adopt in the months before May 2018. Many groups rely on standard contractual clauses in the meantime.
When gearing up for compliance with the GDPR, remember this: It’s best to think of the regulation as a continuous process rather than a one-off task or box to be ticked. It’s a long journey but one that presents a real opportunity for HR departments to move from the back office to the boardroom. According to IDC, 75 per cent of HR leaders are using the GDPR as a catalyst for turning their human capital management (HCM) technology into a tool for real business transformation. Now’s the time to assess existing HR service providers: their financial strength, stability, and capacity to comply with the GDPR. Because most HR vendors act as processors on the company’s behalf, the GDPR also requires a written contract with each of them that sets out, among other things, the nature and purpose of the processing, the security measures to be applied, restrictions on sub-processors, and the obligation to assist with data subject requests and breach notification, so existing vendor agreements will usually need to be renegotiated. Armed with the right partner, HR leaders will be better able to serve as strategic business partners who can pinpoint the potential costs and risks to the business associated with non-compliance, whether those costs are financial, reputational, or damaging to morale and employee engagement.