22% of US companies are not prepared for GDPR
Payslip recently surveyed 250 US companies who are subscribers to the Global Payroll Management Institute, in relation to their EU GDPR knowledge and preparation.
37% of companies have begun documenting the personal data they hold, 15% have completed this very important step in the GDPR preparation, 26% are in the planning phase. However, 22% have not yet begun this fundamental step in GDPR preparation.
When asked what part of the GDPR regulation causes most concern, the answers were largely associated with managing employee personal data including topics such as:
- Data discovery
- Data storage
- Data transfer
- End-of-life data
With that in mind we have put together a GDPR Summary covering the key areas of the regulation.
The EU General Data Protection Regulation significantly increases the obligations and responsibilities for organizations and businesses in how they collect, use and protect personal data of EU citizens.
GDPR comes into force May 25th 2018
EU GDPR emphasizes:
- Transparency
- Security
- Accountability
What is Personal Data?
Personal Data means any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What is a Data Controller?
A person who (either alone or jointly or in common with other persons) determines the purposes and the manner in which any personal data is or is to be processed.
What is a Data Processor?
A Data Processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
With the introduction of GDPR, European data protection law will become applicable outside the borders of the EU.
Organizations outside of the EU who process personal data belonging to EU citizens will fall within the scope of the legislation.
Under GDPR, non-EU data controllers and processors must comply with the European data protection obligations when dealing with personal data belonging to an EU citizen.
Fines & Enforcement
Fines for non-compliance are:
In addition to the fines, data subjects will have the right to sue for material and non-material damages as a result of a data privacy breach.
Security Breach Reporting
Breaches must be notified to the relevant supervisory authority within 72 hours.
Privacy by Design
Privacy by design must be included in internal processes if you collect, retain and share personal information of EU citizens.
Data Protection Impact Assessments (DPIAs)
DPIAs will be mandatory in all projects where “high risk” data processing occurs including large scale processing of sensitive data.
Elevated Threshold for Consent
Consent under the regulation must be specific, informed and freely given. It must also be explicit requiring a statement to be obtained from the individual.
Records of Processing Activities
The right to be forgotten – An individual has the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Right to restriction of processing – When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
Right to data portability – Individuals have the right to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way.
Data Protection Officer (DPO)
DPOs are responsible for overseeing data protection strategy and implementation to ensure compliance with the General Data Protection Regulation.
Data Processors & Vendor Management
The GDPR imposes increased obligations on processors and makes them liable for breaches when acting outside the instructions of controllers. Contracts need to be reviewed and updated to include specific terms under the GDPR.
Data Sharing Exposure
Every company worldwide must prepare adequately for GDPR. We have listed the top priorities payroll professionals should consider when preparing for the legislation.
Let us show you how Payslip’s unique software can help you prepare for GDPR; sign up for a demo today!