The General Data Protection Regulation is the biggest change to European data protection law in over 20 years. It aims to give individuals in the EU more control over their personal data and comes into effect on May 25th 2018.
Although this is a change to EU law, its effect will reverberate around the world, because it applies to any company that processes the personal data of people in the EU, wherever that company is based. The onus is on these companies to achieve GDPR compliance. It's a victory for the little guy, and more control over personal data should be championed. However, it makes achieving GDPR compliance a complex challenge for companies.
For example, any company that breaches the General Data Protection Regulation faces fines of up to 20 million euro or 4% of global annual turnover, whichever is higher. That is before counting the reputational damage that a company may struggle to come back from. Below we look at some of the other ways employers will face an extra burden as they strive for GDPR compliance.
At the moment, employers are required to provide employees and job applicants with a privacy notice setting out certain information. The General Data Protection Regulation will require much more detailed information to be given to employees and job applicants if employers are to achieve GDPR compliance, including:
• How long data is stored for
• If the data will be transferred to other countries
• Information on how to make a subject access request
• Information on how to have personal data deleted or rectified in specific circumstances
Many companies currently process employee personal data on the basis of consent. This approach has often been scrutinised, because consent must be freely given and the imbalance of power between employer and employee makes that hard to show. It will face more stringent requirements when the General Data Protection Regulation comes into force next year, which will make it more difficult for companies to rely on consent for processing. Instead, companies will have to look at other legal grounds for processing personal data, such as performance of the employment contract or a legal obligation.
GDPR compliance will also depend on a new mandatory breach reporting requirement. If a personal data breach occurs, it will be up to the employer to notify the data protection authority and provide certain information within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to the rights and freedoms of individuals, then the affected individuals will also have to be notified without undue delay.
As we discussed in a previous blog, accountability is the key to the General Data Protection Regulation. This is why all public authorities, and those private companies whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of personal data, will need to appoint a Data Protection Officer.
Their role in relation to the General Data Protection Regulation will be to make sure that documented processes, data protection impact assessments and a data security methodology are in place ahead of the arrival of the regulation next year. Without a Data Protection Officer in place, employers who need one are likely to fail to achieve GDPR compliance.
The General Data Protection Regulation means that privacy has become a much more wide-ranging responsibility. In the past, different departments, such as HR or Legal, would have approached data privacy in an ad hoc and reactive manner. However, as the volume of personal data across the whole organisation explodes, achieving GDPR compliance this way is simply not feasible anymore.
Are you an employer with thoughts on how GDPR is going to affect your business? Or do you have any general comments on GDPR? Please feel free to leave a comment below.