The General Data Protection Regulation (GDPR) is the EU’s new data privacy regulation that goes into effect May 25, 2018. Because employees generate a large amount of personal data that HR must collect, manage and store, the GDPR directly affects how HR does its job. Even a simple Excel file containing contact information constitutes personal data and is subject to GDPR requirements. Keep reading for everything HR needs to know to prepare for GDPR compliance.

GDPR: An overview for HR

The GDPR aims to protect the personal data of EU residents through a wide range of data privacy and security requirements. It applies to any employer that processes and holds personal data for employees residing in the EU. Even if a company is not based in Europe, it is subject to GDPR requirements if it has any employees or freelancers residing in the European Economic Area (they do not have to be citizens). Additionally, any third-party vendors that are contracted to process employee personal data must also comply.

The rule will be enforced through penalties for noncompliance. Fines can be as high as 20 million EUR, or up to 4% of an employer’s annual global revenue for the preceding year (whichever is higher). In addition, employees will be able to take legal action against, and claim damages from, both employers and their third-party vendors.

Key changes for HR

The GDPR replaces the current 1995 EU Data Protection Directive (Directive 95/46/EC). The new regulation is aimed at giving individuals greater control over their personal data, which translates to big changes for employers and HR departments, including:

  • A wider scope: The GDPR applies to all employers as long as they have EU-based employees. Employers based outside of the EU must comply if they handle, store, manage, or process EU residents’ personal data.
  • Personal data redefined: The GDPR sets a broader, standard definition for personal data, which is “any information relating to an identified or identifiable natural person.” The standard for “identifiable” person is set low, so more data will be subjected to GDPR than with the current directive.
  • Vendors held accountable: The GDPR directly regulates data processors for the first time. This includes any vendors HR uses to process employees’ personal data on its behalf.
  • Standard breach notification requirements: Employers must report data breaches to supervisory authorities within 72 hours of becoming aware of the breach and notify affected employees without undue delay.
  • New security roles: If a business regularly monitors personal data as part of its core activity, it must appoint a Data Protection Officer, which is a new requirement outside of Germany.
  • New employee rights: The GDPR grants employees more control over how their data is used. They will have the right to access, obtain, rectify and request the deletion of their personal data. They will also have the right to be informed of how their data is used and to withdraw consent to it being processed (if consent was required and used as legal ground for data processing).

GDPR for HR: The 4 new employee rights: right to rectify, right to forget, data portability, and right to object.

What HR needs to do to comply with GDPR

The GDPR introduces a considerable amount of new information and regulations, so HR departments will need to dedicate time and resources to cover each new compliance area. Some of the most important tasks HR must address are:

  • Privacy policies: Not only does HR need to uphold new rights for employees, but they must also formalize and clearly spell out these rights for employees under the GDPR’s strengthened transparency and accountability requirements. HR will have to review and update its privacy policies to communicate these rights.
  • Processes: As a result of the GDPR, HR will need to review and update many of their current processes. For example, the minimization principle means HR should collect only the data necessary for the task at hand. This means HR will need to rethink any process that involves requesting personal data from employees, such as onboarding and transfers.
  • Security: With the stakes high for noncompliance, security must be managed in advance of the GDPR deadline. One step HR should take is to make sure the right employees have the right level of access when it comes to viewing employee data. Only those roles who truly need employee data should be able to access it (which applies to outside vendors, too!).
  • Employee file management: The GDPR will result in new employee files that HR must have employees sign or acknowledge. On top of new documents, the GDPR places greater importance on timely document deletion since a company can be fined for holding onto data it doesn’t need. HR will need to review its current retention policies along with its process for managing document expiration dates.

Common GDPR misconceptions

Interpreting the GDPR can be difficult, so it comes as no surprise that there are several GDPR myths out there. Let’s set the record straight for those we hear most often:

1. The GDPR applies to EU citizens working outside of the EU

You do not need to apply GDPR practices to EU citizens residing outside of the EU. For example, if you have an EU citizen who is working within the US and is being paid by a US-based payroll provider, the GDPR would not apply because your employee is not based in the EU, even if they are an EU citizen.

2. You can’t transfer personal data outside of the EU

You can transfer personal data outside of the EU as long as it’s transferred to a country that has an adequate data protection decision from the EU Commission, or if you take appropriate safeguards (e.g. Privacy Shield certification). The EU determines what’s “adequate” data protection as well as what counts as a safeguard. Learn more about transferring data outside of the EU.

3. Offenders will automatically get charged the maximum penalties

The GDPR wasn’t designed with the goal of fining employers, but rather to help them create processes that respect individual rights. Data protection authorities know it will be a journey for employers to come into full compliance. When assessing fines, they will likely consider the compliance measures an employer has already taken or has underway, along with the impact of non-compliance.

4. To track an employee’s data, all HR needs is the employee’s consent

Not quite. Because employees are typically subordinate to employers, they may fear retribution if they refuse to consent to their employer’s data request. In this case, consent wouldn’t be wholehearted. To cover all bases, HR should instead have legal grounds for requiring the data. For example, an employer is obligated to pay employees, so requesting data to process payment is considered a valid legal ground.

Fabien Lerays explains, "The GDPR involves rethinking every HR administrative process that requires the employee's personal data, right from the recruiting stage."

5. GDPR compliance is difficult and expensive

You don’t need expensive software or services to follow the principles of the GDPR. However, it will take some commitment. As with any project, it requires planning, dedicated resources, communication and ongoing program analysis. As for software, you’ll want to be sure you have HR technology that eases the burden of compliance in general and is built to serve a global workforce.

How to get started with GDPR compliance

Achieving GDPR compliance requires a well-thought-out strategy. Here, we outline the major milestones you’ll want to plan for. The details can be found in our Ultimate Checklist for GDPR Compliance.

Review and assess all data

  • Partner with the right departments across your organization (IT, Legal, GCR) to carefully review all the data HR manages
  • Assess whether the data is absolutely necessary to have on file
  • Delete any data you don’t need
  • Be sure you have a process in place for timely document deletion

Implement transparency

  • Develop a way to inform employees about their rights in a clear and obvious manner
  • Give employees access to a platform where they can easily correct and/or delete their personal information (when applicable)

Do a security check

  • Review who has access to which data and put the right controls in place
  • Build a data breach response plan (or review and update your current one)
  • Plan for ongoing internal education around security
  • Connect with all partners and vendors who have access to your employees’ data and find out how they will comply with GDPR

Assign accountability

  • Determine whether your organization needs a Data Protection Officer (DPO)
  • If you don’t need to hire a DPO, ensure you have a clear chain of command for all security and data management processes

The benefits of GDPR compliance

While GDPR compliance may be a challenge, it’s also an opportunity for HR to improve security and transparency, which has the benefit of enhancing the company’s employer brand. As a result of GDPR compliance, employers can:

  • Standardize data management processes: Under the current Data Privacy Directive, laws differ by country. For any employer with international employees, managing the various legal requirements is complex and time consuming. The GDPR simplifies these requirements across all EU countries, giving HR the opportunity to standardize its processes. The result is easier record-keeping and less administrative burden for HR.
  • Impress new hires and employees: Your employees will feel secure knowing their data is safe in your hands. New hires will feel at ease knowing their new employer is on top of the latest privacy practices. And, anyone who has had their data compromised in the past (or knows someone who has) will appreciate your organization’s commitment to security.
  • Stand out from the crowd: With more and more companies experiencing data breaches, it behooves a company to take the GDPR seriously. Communicating GDPR compliance will show customers and investors that your company is proactive and digital-savvy.

Arnaud Gouachon states, "Rather than a set of restrictive constraints, the GDPR should be perceived as an opportunity for HR to optimize data management processes as well as enhance the employer brand for their company."
