In less than 12 months, the most significant change to data protection rules for 30 years will come into force. From 25 May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Directive (DPD), which has been in place since 1995. The changes are long overdue, responding to advancements in technology, the huge growth in data collection and processing, and the increasing threat of cyber-attacks and data breaches.
The GDPR is designed to give individuals much greater control over their data, while extending the responsibilities of organisations to protect it. It also corrects a number of inconsistencies in the previous directive, ensuring the rules are the same for all countries in the EU, as well as for anyone holding data on people living within the area.
For HR professionals, it’s one more area of compliance to stay on top of, ensuring that employee and job applicant data is protected and processed in the right way. Research by IDC found that 33% of HR leaders are concerned about the GDPR – and they’re right to be. Under the new rules, the fine for non-compliance will increase to up to €20m, or 4% of annual turnover – whichever figure is higher.
What are the key changes to be aware of?
While much of the GDPR is similar to the Data Protection Directive, there are some notable changes, which will require significant preparation to ensure compliance. This is particularly true for larger businesses, which have greater volumes of data to think about, as well as legacy systems and processes to work around.
First and foremost, the GDPR is a ‘regulation’ rather than a ‘directive’, which means that every EU country must comply with it as written, rather than interpreting its guidance into their own legal framework. For international businesses, this is likely to be a good thing, unifying and streamlining what is required across their different territories.
Another of the most significant changes relates to consent, which must be explicitly ‘opt in’, rather than ‘opt out’. This will require all employees and job applicants to sign a privacy notice, giving consent for their data to be collected and stored. The notice should outline details on the reasons for collecting and holding the data, how long it will be stored for, whether it will be transferred to other countries, and details of employees’ rights.
Employees will have a number of new rights under the GDPR, including the right to access their data with ease, have it transferred to another company and erased upon request. Employers also have less time to comply with requests than under the DPD – only one month, rather than 40 days.
The regulations recommend that employers use ‘state of the art’ technology to keep data safe, while also taking into account the cost, risk and business context of implementing such technology. That means it is up to each company to decide what ‘state of the art’ means for them, depending on the level of data collection and processing that they carry out. The regulations also encourage encryption and pseudonymisation, so this is something to consider.
The rules have also been strengthened significantly when it comes to accountability, with businesses required to show a paper trail of compliance. This could include internal data protection guidelines, staff training, internal audits, and reviews of internal HR policies. The GDPR talks about ‘privacy by design’, whereby data protection is hardwired into the processes and behaviours of the organisation. Those carrying out large-scale tracking of individuals, or processing specialist data, also need to appoint a Data Protection Officer.
For international businesses, there are strict rules to abide by when transferring data abroad. You must be able to show that the data will continue to be protected to the standards of the GDPR, or that the individual concerned has given their permission for the data to be transferred.
Finally, in the case of a breach, employers must now inform their supervisory authority – the Information Commissioners Office (ICO) in the UK – within 72 hours of becoming aware of the issue. You must also inform the individuals affected, if the loss of the data could put them at any kind of risk.
How to prepare
Preparing for the GDPR calls for a cross-organisational approach, involving HR, legal and IT representatives. Start by auditing the data currently held by the organisation and how existing processes stack up to what is required under the new rules, including whether a Data Protection Officer will need to be recruited. Check your legal grounds for holding and processing data and update privacy notices to align with employees’ new rights. A breach response plan should also be developed, if you don’t already have one in place.
The complexity of compliance and the risk of getting it wrong, particularly in large multinational organisations, means working with an HR outsourcing partner represents an attractive solution, helping to mitigate the risk. In a survey by IDC, nearly three quarters (72%) of HR leaders named data privacy and compliance as a factor influencing their purchase of a human capital management solution.
When choosing an HRO provider, ensure they possess a strong action plan, data flow maps, data retention and transfer plans and robust security platforms. Certificates and codes of conduct to look out for include ISO27001, ISO27018 and ISO29100. Ideally, a provider should also possess Binding Corporate Rules, an official long-term and legally binding commitment to provide a high level of data protection, aligned with the GDPR principles.
The GDPR may seem like just another regulatory obstacle to navigate, but it also presents an opportunity for organisations to streamline how they collect and process employee data, while minimising the chances of a damaging data breach. HR professionals are advised to start preparing now, or risk being caught out in 12 months’ time.
By Annabel Jones, HR Director, ADP UK
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/