Have you been hearing conflicting information about the General Data Protection Regulation (GDPR) and what HR must do to be compliant? That's understandable, as the GDPR isn't black-and-white. To make it clearer, we set the record straight on some of the most common misconceptions about the GDPR.
Myth: The GDPR applies to all EU citizens, even if they don’t work in the European Union
Truth: The GDPR is not tied to citizenship. It applies to data subjects who are in the Union (Article 3(2)), and to any processing carried out in the context of an establishment of a controller or processor in the EU, regardless of where the processing itself takes place (Article 3(1)). If neither condition is met, you do not need GDPR processes for EU citizens working outside the Union, and you can cross that item off your to-do list.
For example, if an EU citizen works in the US for a US-based employer and is paid by a US-based payroll provider, with no EU establishment involved in the processing, the GDPR does not apply: the employee is not in the EU, and citizenship alone does not trigger the regulation. If the same employee lives and works in the EU, the GDPR does apply.
Myth: You can’t transfer personal data outside the EU.
Truth: You can transfer and process personal data outside the EU as long as one of the following conditions is met: (A) the data is transferred to a country that the European Commission has deemed to have an "adequate" level of data protection (Article 45); (B) for countries without an adequacy decision, appropriate safeguards are in place, such as binding corporate rules or Commission-approved standard contractual clauses (Article 46); or (C) one of the narrow derogations for specific situations applies, such as the employee's explicit consent to the transfer after being informed of the risks (Article 49). Derogations are intended for occasional transfers, not as the routine legal basis for moving HR data abroad.
Myth: Offenders will automatically get charged the maximum penalties
Truth: The GDPR wasn't designed to fine companies, but to help them create processes that respect individuals' rights over their personal data. The maximum fines (up to €20 million or 4% of annual worldwide turnover, whichever is higher) are ceilings, not defaults. Article 83 requires fines to be effective, proportionate and dissuasive, and directs regulators to weigh the nature, gravity and duration of the infringement, whether it was intentional or negligent, the measures taken to mitigate the damage, and the degree of cooperation with the supervisory authority. Various EU Data Protection Authorities have commented that repeated or intentional violations will likely lead to more substantial fines, while minor infringements in certain circumstances may only result in a reprimand (Article 58(2)(b)).
Myth: Compliance for HR teams is difficult and expensive
Truth: Although research shows that some companies are spending over $1 million on GDPR preparation, you do not have to pay for expensive solutions to follow the principles of the GDPR. Compliance does, however, take planning, dedicated resources, communication and ongoing program review (we outline the process in our step-by-step compliance plan). When it comes to technology, a digital platform that helps HR manage employee files and streamline processes will certainly ease the burden of GDPR compliance.
Looking for more clarification on GDPR requirements? International law firm Morgan Lewis will give the latest updates on the regulation and clear up any confusion around compliance during our live webinar, 28 Shades of Gray: Making Sense of Member State Variances, taking place Thursday, March 1, 2018.
Robin is the HR Compliance Assist Manager at PeopleDoc. She joined the team to help customers remain in compliance globally and easily navigate foreign rules and regulations through HR Compliance Assist.
Previously, Robin managed client HR communications and provided outsourced HR support. She has a Masters in Psychological Counseling from Teachers College, Columbia University.