GDPR legislation is the most significant change in data protection legislation introduced in the last 20 years. Compared to the European Union Data Protection Directive, the General Data Protection Regulation (GDPR) is a ‘game changer’ in terms of an organisations compliance requirements.
Listening to our clients, the key practical questions are addressed in our friendly cheatsheet and checklist.
WHAT IS GDPR?
The General Data Protection Regulation (GDPR) comes into force throughout Europe on May 25th, 2018. The regulation, which was 4 years in the making, was adopted by the EU on 14th April 2016, giving companies 2 years to implement the legislation into their organisations before enforcement.
The GDPR is set to replace the European Union’s Data Protection Directive which, since the late ’90’s, covered the control of citizens’ personal data. This directive was implemented prior to technological advancements in internet & cloud technology and the growing exploitation of individuals’ data through this technology.
The GDPR is a regulation, not a directive. This means that the regulation is applied in a uniform manner in the national legislation across all EU 27 Member states and that in this way, it applies to all organisations conducting business with individuals within the EU.
Failure to comply with any requirements will result in a significant financial loss, disruption or reputational damage to an organisation.
WHO DOES THE GENERAL DATA PROTECTION REGULATION IMPACT?
The GDPR impacts organisations conducting business within the European Union or non-European organisations who handle EU citizens’ personal data.
WHAT IS PERSONAL DATA?
The definition of Personal Data within the GDPR is “Personal Data” means any information relating to an identified or identifiable natural person (data subject).
An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.”
KEY CHANGES WITH GDPR:
General Data Protection Regulation (GDPR) legislation is extended to any organisation outside of the European Union (EU) which processes personal data belonging to EU citizens.
Under GDPR non-EU data controllers and processors must comply with the European Data Protection obligations when dealing with personal data belonging to an EU citizen. For Global Payroll, this has key implications for HR & Finance resources outside the EU who are involved in the Payroll Process for EU citizen employees, e.g. US HQ HR resources managing EU payrolls.
FINES & ENFORCEMENT
Fine for non-compliance to the new GDPR regulations are:
- €10 million or 2% of total worldwide annual turnover
- €20 million or 4% of total worldwide annual turnover
In addition to these fines, individuals will have the right to sue for material and non-material damages as a result of a data privacy breach.
SECURITY BREACH REPORTING
Currently, only telephone companies have a statutory obligation to notify the relevant supervisory body of a breach in data. On May 25th 2018 the obligation will become mandatory for all companies to notify the relevant supervisory body of the breach ‘no later than 72 hours, after having become aware of it’.
If a data breach occurs, organisations are now obliged to keep a detailed record of the breach and record any actions taken.
ELEVATED THRESHOLD FOR CONSENT
Consent under the GDPR must be specific, informed and freely given. It must also be specific, informed and unambiguous.
Any consent given by an EU citizen needs to be recorded by the organisation.
RECORD OF PROCESSING ACTIVITIES
- The right to be forgotten – An individual has the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
- Right to the restriction of processing– When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
- Right to data portability – Individuals have the right to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way.
APPOINTMENT OF A DATA PROTECTION OFFICERS (DPO)
A Data Protection Officer (DPO) is responsible for overseeing data protection strategy and implementation to ensure compliance with the General Data Protection Regulation.
Companies Worldwide must prepare adequately for GDPR. To help payroll professional prepare for GDPR enforcement, we have created a checklist of top priorities to complete prior to deadline on May 25th 2018.