Effective May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) went into place with the goal of protecting the personal data of all individuals in the EU and the European Economic Area. The regulation has been called the most comprehensive data privacy regulation in decades, and it is. In fact, it is so comprehensive that companies in Europe and around the world are concerned with the implications and scrambling to ensure their compliance.
At its most basic, the GDPR is all about giving power to the people when it comes to determining how their data can be used by others. Employers—including departments like HR—will need to know how the GDPR impacts their operations and what steps they need to take to ensure they are compliant.
While it would be extremely difficult to cover everything companies need to know about the GDPR in a post of this length, below we cover five things you should know about GDPR.
The law has a global reach.
This first point is a critical one: While the GDPR is a piece of European legislation, it applies to the personal data of Europeans, regardless of where that data is held. In other words, it applies to companies located anywhere in the world—not just in Europe—that maintain such data.
This may be surprising to some American companies that would not expect a regulation in the EU to impact their business. But if those companies are storing or processing data on EU citizens, those rules apply.
Recruiting employees for specialized or senior level jobs from outside the United States? Capturing information from those potential employees—e.g. resumes or responses to online applications? The GDPR impacts you.
There is a wide range of data covered under the regulation.
According to Article 4(1) of the GDPR, “personal data” is defined as follows (all emphasis added unless otherwise stated):
“… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that
The EU website goes on to acknowledge the wide net this definition casts and says it includes both “any information relating to an identified individual” as well as “any information relating to someone who could be identified based on a variety of identifiers.” This could include fairly obvious information, such as driver’s license number, home address, telephone number, credit card number, etc. But, it may also include things like a website visitor’s IP address or cookie files.
These are the types of information many advertisers use to develop profiles of consumers to help target advertisements at specific individuals or categories of individuals.
There are lawful reasons for collecting personal data.
While the GDPR generally restricts the collecting and storage of personal data, there are various lawful reasons companies may collect and retain this data. For example, companies are allowed to retain certain customer information if necessary to comply with other legal obligations. Similarly, in the event the data is necessary to protect a vital interest of a data subject, the collection can be considered lawful.
And, when recruiting staff, it’s logical to assume that companies would want to be able to capture information about candidates’ educational backgrounds, former jobs, etc. It’s also logical to assume that certain information needs to be collected and retained about employees. However logical, though, there’s an important step that must be taken.
Perhaps the most significant means for lawful retention is consent from the data subject. The GDPR sets specific requirements for determining the validity of such consent and also allows for consent to be withdrawn. What does this mean for HR? Advice from legal counsel is a must, but one important step would be to require employees to sign a data privacy statement that transparently reveals what data is being collected, why it is collected, and how it will be used.
More countries are following the EU’s lead.
Increased concern over data privacy is not a uniquely European phenomenon. In an article for Forbes, Dzenis Softic writes that, “Australia and China are following with similar laws, and it’s only a matter of time before more countries jump on the bandwagon.” The EU is a major economic power, accounting for 15 percent of global exports and around $15 trillion in GDP. China has a similarly large global footprint. When major global players implement new regulatory measures, many companies choose to ensure compliance across the board for simplicity, even if compliance isn’t required everywhere they do business.
There are big penalties for non-compliance.
Non-compliance with the GDPR can carry significant financial penalties. “Infringements can cost organizations up to four percent of their annual global turnover or €20 million, whichever is greater,” says Olivier Schott, CMO and Co-founder of digital platform Scalefast. Perhaps more worrisome, Schott also notes that GDPR may open the door to the possibility of class action lawsuits.
One Bonus “Must Know”
In addition to the points above related to the type of data that is protected and the importance of transparency, companies are also on the hook for ensuring that the data they collect is protected—not an easy thing to do in these days of heightened concerns over data security breaches. This clearly requires close relationships and deepened understanding between HR and IT professionals.
May 25 is upon us. Unfortunately, many companies still feel they’re woefully behind the curve when it comes to being ready for compliance—especially companies in the United States that may have believed the new regulations don’t apply to them. The trend globally is likely to be more of the same types of privacy and data collection and processing regulations in other large economies. This means American companies engaged in any level of international business that involves collecting personally identifying information need to make sure they are aware of these new rules and best practices for compliance—now and for the foreseeable future.