GDPR Compliance: Tips and Myths
NOTE: This article should not be seen as a legal resource, but merely a way to provide some direction regarding the General Data Protection Regulation. For legal advice, please see your company’s legal team.
If a company is global, the likelihood is high that it has come, and will continue to come, in contact with the European Union’s General Data Protection Regulation, or GDPR. Companies headquartered in the EU spent a considerable amount of time preparing for the new regulation before it went into effect in May of 2018. Many are still working to meet compliance today.
But the regulation, while specifically applying to companies in the EU, also impacts companies outside the EU. If a company in the United States, for instance, employs workers in an EU country, it is required to follow the GDPR. That means the company’s HR department is going to have to be GDPR compliant. Failing to do so will result in fines.
So, how do companies outside of the EU work to become GDPR compliant?
The General Data Protection Regulation
What is the GDPR?
The GDPR was agreed upon by the European Parliament and Council in April 2016. It went into effect in May of 2018. When that happened, the GDPR became the primary law regulating how companies protect European Union citizens’ personal data.
Each company operating in a European Union member state, as previously stated, must comply with the regulation. Those that don’t face penalties and fines.
Some of the key requirements of the GDPR include:
- Requiring the consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
GDPR Compliance for HR
Because the GDPR puts in place new regulations on employee data, human resources needs to fully understand the regulation and what it will take to move into compliance.
- Data security – Companies with HR departments outside the EU need to make sure security compliance is maintained. This includes making sure only the right people have access to employee data: not only the right internal employees, but also the vendors contracted by the company, who must likewise follow the GDPR.
- Employee privacy – The GDPR puts in place new rights for employees. Those need to be observed. Additionally, these must be formalized by the company to ensure transparency. That means a review of current policies needs to be conducted if it hasn’t already been completed. Also, HR will need to make sure communication of these new rights and policies meets guidelines under the regulation.
- Current processes – Similarly, current processes need to be reviewed. In many cases, those will need to be amended to comply with the GDPR. Companies can no longer simply ask for employees to release their data. HR must present a valid reason for requesting it.
- Data retention – The GDPR also puts in place new rules regarding data retention. Companies not only have to get permission from employees to use their data, but they can only hold on to it for specific amounts of time. It then has to be deleted.
Source: People Doc by Ultimate Software
With a law as large as the GDPR, there are a lot of misconceptions about it. Authors at Tripwire lay out several myths; several are paraphrased below.
After the UK leaves the EU, the GDPR will no longer apply.
That’s indirectly untrue. While the GDPR will no longer apply, the Data Protection Act 2018 will and it is a carbon copy of the GDPR. So while the GDPR will no longer apply, the DPA 2018 means employers will have to follow the exact same rules.
Once GDPR compliant, always GDPR compliant.
That is not true. The GDPR is structured in such a way that compliance is an “ongoing process rather than something you achieve forever.”
A Data Protection Officer, or DPO, is required of all companies.
Also not true. A DPO is not mandatory for everyone. It is only needed “if you are a public body that processes data, your core activities involve regular monitoring of data subjects or you process sensitive data on a large scale.”
At the end of the day, companies are much like communities. They no longer operate in one single country. Many have grown to exist on a global scale. That means they have to, at least in some way, conform to the laws of the countries in which they operate, just as they would adjust to the culture of their workers. Embracing the GDPR, while admittedly difficult, is necessary and ultimately a positive step forward in the protection of all data.