In this era, data protection has become a main concern for European legislators—and no less for the public—as the volume of information generated and exchanged has only been growing. As part of this, legislators must also pay attention to how data is managed, resulting in the European Union's holistic approach with their General Data Protection Regulation (GDPR). This regulation will affect how data is managed and some companies may need to invest in updated processes in order to be compliant. To ensure the consistency of the GDPR's application across the EU, legislators have set up large fines for when the regulation is not respected.
One of the European Union's core values has been the freedom of movement within its territory, by which security is ensured through a collective approach. The GDPR certainly reflects this aim.
The GDPR will be applicable on 25 May 2018, repealing Directive EU 95/46/EC of October 1995.
A new layer of data protection
The below infographic provides some context for the elements leading to the GDPR and its aim of increasing data protection, from the regulator's perspective:
GDPR: four main changes you need to know
- Data processors (the company, the subcontractor, or other) will have a new set of responsibilities which will include adhering to the privacy by design and privacy by default principles.
- Employers must report any personal data breach without undue delay to the supervisory authority and, under certain conditions, to the data subject as well.
- A Data Protection Officer (DPO) must, in certain cases defined by GDPR, be nominated within the company to coordinate all personal-data-related activities such as data breach reporting.
- Non-compliance with the GDPR might result in significant fines (up to €20 million or 4% of global annual turnover).
The GDPR's impact on HR departments
Overall, the GDPR represents an increase in employee rights.
Human resources departments will have an important role to play in the GDPR context. Every day, HR departments collect, update, and process personal data from their employees. As a consequence, they will fall within the GDPR's scope.
The following four topics will have to be taken into account by HR departments:
- Lawfulness of processing: employees will have to be informed that their personal data will be used by HR. This requirement can be met when the processing is necessary for the performance of a contract (e.g. the use of bank details for payment of salary under an employment contract). This will also be the case for compliance with a legal obligation to which the controller is subject. In other cases, the employees will have to give their explicit and unambiguous consent, which can be withdrawn at any time.
- Erasure of employee data: employees will have the right to ask for their personal data to be deleted as soon as possible by the employer.
- Portability of employee data: employees will have the right to transfer their personal data from one electronic processing system to another.
- Automated decision-making: the GDPR requires that the employee be informed if an "automated decision-making process" is carried out regarding him/her, and that he/she have the right to challenge it, in cases where this process may result in a decision or have a legal effect (e.g. an analysis of the employee's performance at work, a rejection of a candidate's job application, etc.).
To-do list for HR departments
The GDPR is less than one year away. To help you prepare, we have built a to-do list:
Remember too that the GDPR, although a regulation, is no less an opportunity for HR departments. It is a chance to prove that HR is a trusted partner within and outside of the company by being in control of employees' personal data. This is not at all insignificant.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.