The General Data Protection Regulation (GDPR) is the EU's data privacy regulation that takes effect on May 25, 2018. Because employees generate a large amount of personal data that HR must collect, manage and store, the GDPR directly affects how HR does its job. Even a simple Excel file of employee contact details contains personal data and falls under GDPR requirements. Keep reading for what HR needs to know to prepare for GDPR compliance.
The GDPR aims to protect the personal data of individuals in the EU through a wide range of data privacy and security requirements. It applies to any employer that processes or holds personal data of employees located in the EU. Even a company that is not based in Europe is subject to the GDPR if it has employees or freelancers residing in the European Economic Area (they do not have to be EU citizens). In addition, any third-party vendor contracted to process employee personal data (a "processor" in GDPR terms, such as a payroll or benefits provider) must also comply, and the employer must have a written contract with that vendor setting out its data protection obligations.
The regulation is enforced through penalties for noncompliance. Fines can reach EUR 20 million or 4% of the employer's total worldwide annual turnover for the preceding financial year, whichever is higher. In addition, employees can lodge complaints with a data protection authority and can take legal action against, and claim damages from, both the employer and its third-party processors.
The GDPR replaces the current 1995 EU Data Protection Directive (Directive 95/46/EC). The new regulation is aimed at giving individuals greater control over their personal data, which translates to big changes for employers and HR departments, including:
The GDPR introduces a considerable number of new obligations, so HR departments will need to dedicate time and resources to each compliance area. Some of the most important tasks HR must address are:
Interpreting the GDPR can be difficult, so it comes as no surprise that there are several GDPR myths out there. Let’s set the record straight for those we hear most often:
You do not need to apply GDPR practices to EU citizens merely because of their citizenship. The GDPR is triggered by where the data subject is located and by where the employer is established, not by nationality. For example, if an EU citizen is working in the US for a US-based employer with no EU establishment and is paid through a US-based payroll provider, the GDPR would not apply, because the employee is not in the EU and the processing is not carried out in the context of an EU establishment. Note the caveat: if the employer itself is established in the EU, the GDPR applies to processing done in the context of that establishment regardless of where the employee sits.
You can transfer personal data outside the EU as long as it goes to a country covered by an adequacy decision from the European Commission, or you put appropriate safeguards in place, such as the Commission's standard contractual clauses, approved binding corporate rules for intra-group transfers, or (for US recipients, at the time of writing) Privacy Shield certification. The EU determines both which countries are "adequate" and which mechanisms count as safeguards, and these lists change over time, so check the current status of a transfer mechanism before relying on it. Privacy Shield in particular was later invalidated by the Court of Justice of the EU in July 2020 (Schrems II), so transfers that relied on it needed a different safeguard. Learn more about transferring data outside of the EU.
The GDPR was not designed with the goal of fining employers, but to make them build processes that respect individual rights. Data protection authorities know that full compliance will be a journey for employers. When setting fines, they are required to consider factors such as the nature and severity of the infringement, whether it was intentional or negligent, the measures the employer has already taken or has underway, and the harm caused by the non-compliance.
4. To track an employee’s data, all HR needs is the employee’s consent.
Not quite. Because employees are subordinate to their employer, they may fear retribution if they refuse a data request, so their consent is unlikely to be "freely given" as the GDPR requires, and consent can be withdrawn at any time. To cover all bases, HR should instead identify another legal basis for the processing. For example, an employer is obligated to pay its employees, so processing bank details to run payroll is covered by performance of the employment contract and by the employer's legal obligations, with no consent needed. Whatever basis is chosen, record it and state it in the privacy notice given to employees.
5. GDPR Compliance is difficult and expensive
You don't need expensive software or services to follow the principles of the GDPR, but it does take commitment. As with any project, it requires planning, dedicated resources, communication and ongoing review of the program. On the software side, make sure your HR technology eases the burden of compliance (for example, by supporting access requests, retention limits and audit trails) and is built to serve a global workforce.
Achieving GDPR compliance requires a well thought-out strategy. Here, we outline the major milestones you’ll want to plan for. The details can be found in our Ultimate Checklist for GDPR Compliance.
Do a security check
While GDPR compliance may be a challenge, it is also an opportunity for HR to improve security and transparency, which in turn strengthens the company's employer brand. As a result of GDPR compliance, employers can: