As many risk management departments of companies with European Union (EU) customers and employees are keenly aware, the General Data Protection Regulation (GDPR) will be enforced starting on May 25th, 2018. The aim of GDPR is to protect individuals in the EU when their personal data is processed: the EU wants to ensure that personal data is kept safe and secure and is not misused. Organizations found to have breached GDPR can be fined up to 4% of their annual global turnover or €20 million, whichever is greater, so it is worth taking the regulation seriously.
While it is probably clear that GDPR applies to customer data collected by companies, it is important to remember that it also applies to employee data, including contractors and even job candidates. If your company employs, or is considering employing, people in the EU, it is time to get educated and prepared for May 25th.
Before we get started, here are some key terms to become familiar with in understanding GDPR.
Personal data – Any information relating to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, or medical information to an IP address or other online identifier. The personal data you collect on employees must have a clear business purpose and be relevant to the management of the employee or their role.
Consent – One of the lawful bases on which personal data may be processed. If you rely on it, you must be able to prove that your employees gave valid consent to processing of their personal data for specific purposes, and it must be as easy for them to withdraw consent as it was to give it. Consent must be “freely given, specific, informed and unambiguous”, and your request must be written so that there is no uncertainty about what the employee is consenting to.
Privacy by Design – The idea that it is always better to build data protection requirements into the design of your systems and processes from the start rather than address compliance afterwards as an auxiliary business function. This has long been best practice; under GDPR (Article 25, “data protection by design and by default”) it becomes an express legal requirement.
Privacy by Default – This means that you must take organizational and technical measures to ensure that your default approach is to process only the personal data necessary for the specific business purpose you want to accomplish.
Data Controller – A controller is the entity that determines the purposes, conditions, and means of the processing of personal data – often the Employer.
Data Processor – An entity that processes personal data on behalf of the Data Controller, for example a payroll provider, a benefits administrator, or an HR software vendor. Note that an internal HR department handling its own employer’s data is part of the controller, not a separate processor.
Data Protection Officer (DPO) – The person who oversees data protection compliance within your organization or business. It is recommended to hire one to ensure compliance, and in some cases, it will be required that you do so. One option is to hire a fractional DPO if a full-time DPO isn’t an option or necessary.
Data Protection Authorities (DPA) – The independent supervisory authorities established by each EU member state. They are responsible for enforcing data protection law, which includes the power to issue substantial fines.
Data Protection Impact Assessment (DPIA) – A DPIA is a privacy-related impact assessment. Its objective is to identify and analyze the risks that a particular processing activity poses to the individuals whose data is involved, including the risk that a dataset is exposed through a cyber attack. The assessment should also cover any data your business collects automatically, because you are responsible for GDPR compliance with those datasets as well. Identifying the highest-risk, highest-priority datasets, together with the data collected automatically, gives you a good idea of where to start when building systems that are “Privacy by Design”. It is also important to repeat these assessments on a regular basis to ensure that your processes remain GDPR-compliant. In certain circumstances, such as when processing is likely to pose a high risk to employees, a DPIA is mandatory.
Accountability Principle – Once you have determined that your business’s datasets and processes are GDPR-compliant, the next step is to establish accountability and transparency by documenting how they are compliant. This includes transparency in terms of datasets – showing who can access the data, where data is stored, and how data is processed – and showing how they meet privacy requirements and allow users to exercise their rights.
Key Considerations to Achieving GDPR Compliance For HR
‘As multi-national companies evolve their Privacy Programs to include the newest EU regulations of the GDPR, it will be important that they take a holistic view to their corporate data assets. Not only does GDPR apply to the enterprises’ customer data, but the EU employee data and the data it receives and shares from its EU partners fall subject as well. Governance and Risk Management departments will need to be thorough in their review and include all data sets in their enterprises that hold any EU citizen data, regardless of how it is acquired.’
Carlin Dornbusch, President, American Cyber Security Management
To start, here are some important things for you to remember. For the purposes of this article, you can assume that we are referring to EU employees, but it’s also important to note that many countries outside of the EU are also developing stricter data privacy policies and using GDPR as a model. If you are compliant with EU regulations, you are much more likely to comply with regulations around the world as they develop.
- You must share your updated privacy policy with all your employees, being fully transparent about what data you are storing, for what business purposes you will use it, and with whom you will share it.
- There must be a specific, defensible business purpose for using their personal data, and you may keep the data only for as long as you need it to fulfill that purpose. You must also inform employees of the lawful basis for processing their data and of their right to complain if they think you are mishandling it. You may use their data only for the purposes you have told them about.
Make sure your privacy policy is up to date and has been shared with each employee. It must be written in clear, concise, easy-to-understand language, not legalese. When you update the policy, you must share the updated version with your employees and obtain their acknowledgment that they have received it, understand it, and accept it. You may have to go back and share your policy with all of your current employees and record their acknowledgment. You will also want a way to track that you have received each acknowledgment, for which version(s) of the policy, and on what date.
- You must have a lawful basis for storing, using, and sharing your employees’ personal data, and where that basis is consent, you must obtain it explicitly.
- Because of the power imbalance between employer and employee, consent is no longer a safe default for HR departments: it counts only if it is ‘freely given, specific, informed and unambiguous’, which an employee who fears for their job often cannot give. Rely on consent only where the employee has a genuine choice, and document another lawful basis (such as the employment contract or a legal obligation) for the rest. Where consent is used, it must be obtained via ‘Positive Opt-In’ rather than, for example, pre-selected boxes.
To accomplish this, provide an easy way for your employees to signify their acceptance and be sure to keep a record of their acceptance, including which updated version they signed and when. Remember that they can withdraw their consent at any time and you will need to provide simple ways for them to do so.
Make it easy for your employees to ask for more information before they sign the opt-in.
One of the requirements of GDPR is to allow your employees to submit a Subject Access Request, or SAR. In most cases you must respond to a SAR free of charge and within one month of receiving it (extendable by a further two months for complex or numerous requests, provided you tell the employee within the first month). A valid response will need to include a copy of the personal data you hold, together with the purposes of the processing, the recipients with whom it has been shared, and how long it will be retained. You may refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive, but if you do so you must tell the employee why within one month. You must also tell them that they have the right to complain to the supervisory authority and to seek a judicial remedy.
To prepare for a potential increase in SARs, consider both the logistical implications of handling more requests and the feasibility of creating systems that let employees access their data online. The clearer you are about what data you collect and how you will use it, the more likely you are to address employee concerns up front.
Give your employees an easy way for them to review what personal data you currently hold on them at any time.
Your privacy policy will inform your employees how data is used, with whom it could be shared, and for what purposes, but you also will want to show them what data you have collected on them so they can review it, update it, and request its removal. Don’t make it hard for them to do so. It will be easier on your organization and also on the employee.
Control who in your company (such as HR or Risk Management) has access to employee data.
And not only who in your organization has access, but specifically what they have access to and what they can do with that information. Can they view it, edit it, share it, and/or download it? Companies must collect and use only the minimum personal information they need to manage their employees, share it only with those who need it, and remove it as soon as it is no longer needed. Information on candidates who are not hired must be deleted once the recruitment purpose has ended, and when an employee leaves the company you must delete their personal information as soon as you no longer have a defensible reason to keep it (statutory retention periods for payroll and tax records, for example, still apply).
Make sure all personal data is secure at all times.
This means that it is stored in a secure place (such as hardened cloud servers in the EU), is encrypted in transit and at rest when shared, can be deleted (or ‘forgotten’), and is absolutely not kept in spreadsheets and passed around by email. Since many data breaches begin with third-party access (the Target breach, for instance, started with a vendor’s stolen credentials), require that any data exchanged between applications and with third parties is secured at all times.
Either make sure you have systems in place already to handle GDPR security requirements or find partners such as Globig who are already built to be compliant and can help you manage your EU employee personal data securely.
Respond to requests.
You must respond to requests to correct or erase employee data.
If an employee asks you to correct or erase their data, you must not only do so in your own systems but also communicate the change to every external organization you have shared the information with. (And remember, you cannot share their personal information with external organizations without a lawful basis and without having told the employee about the recipient.) It is therefore very important to know, without error, with whom you have shared information on any given employee.
And as noted earlier, in the event that a potential employment candidate is not hired or if someone leaves the company, you must delete the personal data you have obtained.
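The version-tracked acknowledgments described earlier and the register of external recipients described here are two halves of the same bookkeeping problem, so the following is a single added example that covers both. It is illustrative code written for this article, not Globig’s platform or any other product; the class, method and recipient names (PrivacyLedger, AcmePayroll, RelocateCo, employee id e-1001) are assumptions. It ties each acknowledgment to a hash of the exact policy wording, so a re-worded policy automatically requires a fresh acknowledgment; closes every open acknowledgment on withdrawal; refuses to log a disclosure without a stated lawful basis; and, on an erasure request, returns the de-duplicated list of third parties that must be notified.

```python
# Added example (not Globig's code): a minimal privacy ledger that records
# policy acknowledgments per exact policy version, supports withdrawal, and keeps
# a register of external disclosures so a correction or erasure request yields
# the list of recipients that must be told. All names and data are assumed.
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


def policy_version(policy_text: str) -> str:
    """Derive the version id from the policy wording itself, so an acknowledgment
    can never be mistaken for acceptance of a later, different text."""
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()[:16]


@dataclass
class Acknowledgement:
    employee_id: str
    version: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class Disclosure:
    employee_id: str
    recipient: str      # external organisation that received the data
    purpose: str
    lawful_basis: str   # e.g. "contract", "legal obligation", "consent"
    shared_at: datetime


class PrivacyLedger:
    def __init__(self) -> None:
        self._acks: List[Acknowledgement] = []
        self._disclosures: List[Disclosure] = []

    def record_acknowledgement(self, employee_id: str, policy_text: str,
                               when: Optional[datetime] = None) -> Acknowledgement:
        ack = Acknowledgement(employee_id, policy_version(policy_text),
                              when or datetime.now(timezone.utc))
        self._acks.append(ack)
        return ack

    def withdraw(self, employee_id: str, when: Optional[datetime] = None) -> int:
        """Withdrawal must be as easy as acceptance: one call closes every open
        acknowledgment for the employee. Returns how many were closed."""
        closed = 0
        for ack in self._acks:
            if ack.employee_id == employee_id and ack.withdrawn_at is None:
                ack.withdrawn_at = when or datetime.now(timezone.utc)
                closed += 1
        return closed

    def has_current_acknowledgement(self, employee_id: str, policy_text: str) -> bool:
        """True only if the employee acknowledged *this* wording and has not withdrawn,
        so any change to the policy text forces a fresh acknowledgment."""
        wanted = policy_version(policy_text)
        return any(a.employee_id == employee_id and a.version == wanted
                   and a.withdrawn_at is None for a in self._acks)

    def record_disclosure(self, employee_id: str, recipient: str, purpose: str,
                          lawful_basis: str, when: Optional[datetime] = None) -> None:
        """Refuse to log a disclosure with no stated lawful basis: an entry with an
        empty basis is exactly the gap an auditor or DPA will find."""
        if not lawful_basis.strip():
            raise ValueError("a lawful basis must be recorded for every disclosure")
        self._disclosures.append(Disclosure(employee_id, recipient, purpose,
                                            lawful_basis, when or datetime.now(timezone.utc)))

    def recipients_to_notify(self, employee_id: str) -> List[str]:
        """Every external recipient of this employee's data, listed once: the
        organisations that must be told about a correction or erasure (GDPR Art. 19)."""
        return sorted({d.recipient for d in self._disclosures if d.employee_id == employee_id})

    def erase(self, employee_id: str) -> Dict[str, object]:
        """Remove the employee's entries and return what HR must still act on:
        the recipients to notify and the number of records removed."""
        notify = self.recipients_to_notify(employee_id)
        before = len(self._acks) + len(self._disclosures)
        self._acks = [a for a in self._acks if a.employee_id != employee_id]
        self._disclosures = [d for d in self._disclosures if d.employee_id != employee_id]
        removed = before - len(self._acks) - len(self._disclosures)
        return {"notify": notify, "records_removed": removed}


if __name__ == "__main__":
    # Constructed sample data, not real employee records.
    day_one = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = PrivacyLedger()
    v1 = "We share your bank details with AcmePayroll to pay your salary."
    ledger.record_acknowledgement("e-1001", v1, day_one)
    ledger.record_disclosure("e-1001", "AcmePayroll", "salary payment", "contract", day_one)
    ledger.record_disclosure("e-1001", "RelocateCo", "relocation", "contract", day_one)
    print(ledger.has_current_acknowledgement("e-1001", v1))             # True
    print(ledger.has_current_acknowledgement("e-1001", v1 + " (v2)"))   # False: re-ack needed
    print(ledger.erase("e-1001"))
```

In a real deployment the ledger rows would live in an append-only store with access restricted to the HR and risk roles discussed above, and the `notify` list returned by `erase` would drive the outbound notices to each processor rather than being printed.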
You are required to report data breaches to your company’s DPA and/or to employees.
- You will be required to notify your DPA, and in some cases the employees affected, about certain kinds of personal data breaches your business or organization may suffer. Notification to the DPA is due without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If the breach is likely to pose a high risk to the rights and freedoms of employees, you will also have to inform the employees involved. As part of your “Privacy by Design”, your business or organization therefore needs to be able to detect, investigate, and report personal data breaches.
To prepare for this, as part of your DPIA, investigate which datasets, if compromised, would require you to make such a report to the DPAs and/or affected employees involved. Then fortify those datasets with higher level security systems and prepare processes that would enable your business or organization to quickly and professionally make such a report.
Third party processors used by your organization must also be GDPR-compliant.
If you are using third party processors such as global service providers and their contractors (remember, your organization is the Controller and the Processor processes personal data on your behalf), they must also be GDPR-compliant if you are entrusting them with your employees’ personal data, and the arrangement must be set out in a written contract.
And it goes further down the chain. If you work with service providers such as large relocation firms that in turn engage smaller vendors around the world, those sub-processors may be used only with your authorization and must be bound by the same obligations, and you remain responsible as the controller for the whole chain. You cannot push that responsibility onto your direct service providers.
As stated earlier, if you have shared incorrect or outdated information with a third party processor about an employee(s), in order for your company to remain GDPR-compliant, you will not only need to update your data but you will also need to notify them so that they can update their records.
Tips for managing for GDPR
Some companies are creating custom technology solutions to manage their data privacy processes. Another affordable and highly effective option is to work with platforms such as Globig. At Globig, we understand how hard it can be to expand internationally, including managing employees around the world. Globig has a GDPR-compliance and global business management SaaS platform that makes it easy to manage your international employees and service providers in the EU and around the world. We keep you GDPR- and data privacy-compliant with your employees’ personal data.
Globig is a high-security platform hosted in the EU for managing data access through roles and permissions, providing transparency to your business teams and risk management, maintaining control over what data is being looked at, shared, downloaded, and utilized for business purposes, throughout your global services and supply chain.
Want to learn more? We’re ready to help.