EU GENERAL DATA PROTECTION REGULATION: HOW DOES THAT IMPACT GLOBAL EMPLOYERS?
WHAT IS THE EU GENERAL DATA PROTECTION REGULATION (“GDPR”)?
The GDPR is a recent regulation published by the European Union as Regulation 2016/679 on 27 April 2016, designed to enhance data protection for EU residents and replacing the 1995 EU Directive (95/46/EC) as well as fragmented data privacy national laws from EU Member States.
There was a 2-year transition period, and the deadline for compliance is May 25, 2018. From that date on, the new GDPR requirements and procedures will be directly applicable in all 28 EU Member States and in Iceland, Liechtenstein and Norway, which are part of the European Economic Area (“EEA”).
The GDPR includes a wide range of data privacy and security requirements which will impact all employers with EU-based workforces. Relevant requirements for employers include in particular:
WHO DOES IT APPLY TO?
The GDPR protects the personal data of EU residents, which includes anyone physically residing in the EU, even if they are not EU citizens. The GDPR is applicable to all employers with employees located in the EU. The GDPR now extends obligations and potential liability not just to data controllers (i.e. employers) but also to data processors (i.e. any third-party vendors retained by the employer).
SO… WHAT’S NEW?
Following are some of the major changes that will impact employers and HR departments:
WHY COMPLY?
The GDPR comes with significant penalties for non-compliance: fines of up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year (whichever is higher). Multinational group revenues are at risk when fines are calculated, even if only a few group subsidiaries are caught by the GDPR or were responsible for the infringement of its requirements.
Employees (data subjects) will be able to take legal action against, and claim damages from, both employers (controllers) and their vendors (processors). These changes will take significant effort and resources to develop and implement, so organizations should start the compliance process as soon as possible.
HOW TO COMPLY: 5 QUESTIONS TO GET STARTED
To prepare for the new GDPR, an important first step will be to assess personal data risks and identify compliance gaps by responding to the following questions:
ACTIONS TO BE IMPLEMENTED
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.