Does HR data processing require registration under data protection laws?
Data protection laws sometimes include conformity assessments, which help to ensure that businesses follow the regulations. Requirements can include registration with the Data Protection Authority and random audits. With the General Data Protection Regulation (GDPR) applicable from May 25, 2018, the formalities inside the European Economic Area will become more uniform, but each Data Protection Authority remains in place and can create its own conformity assessments.
Starting May 2018:
The GDPR is oriented on “privacy by design” and “privacy by default.” Controllers (employers) and Processors (subcontractors) must implement all technical and organizational measures necessary to ensure the protection of personal data. In practical terms, every instance of personal data processing should take privacy into account from the outset so as to limit the amount of data processed (the so-called "minimization" principle). Two key considerations are the reasons for collecting the data and the potential consequences (risks) of maintaining and processing that data.
The consequence of this accountability principle is a reduction in the required employee notifications, once controllers and processors conclude that processing the personal data does not constitute a risk to privacy. Prior to the GDPR going into effect, processing personal data was subject to authorization from the competent data protection authority. Going forward, the new procedure will instead involve privacy impact assessments.
The GDPR has a few new compliance requirements to demonstrate accountability, such as:
- maintaining a register of the processing activities implemented
- notifying security breaches (to the authorities and to the persons concerned)
- adhering to codes of conduct
- appointing a Data Protection Officer (DPO)
- carrying out Privacy Impact Assessments (PIAs)
HR Best Practices: Denmark is working on a new Data Protection Act, which is currently in draft form. The final Act may include registration with the data protection authorities in specific circumstances. One area where employers may be required to register with the Data Protection Authority in advance of collecting data is when processing data to warn others against a business or employment relationship.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.