Are you ready for May 25, 2018? That is the date from which the General Data Protection Regulation (GDPR), a comprehensive European data protection law that gives individuals stronger rights to control their personal data, applies and becomes enforceable across the EU.
If you have European operations, European candidates applying for jobs, and/or European employees, the GDPR will apply. Your organization will also be impacted by the GDPR if you offer goods and services to, or monitor the behavior of, people in Europe.
As a comprehensive law that is designed to give Europeans more control over their personal data, the GDPR contains significant requirements. It also contains some nuances that may surprise you. For example, did you know that you are not always required to obtain consent to collect employee data under the GDPR? Or that some business-related information may qualify as personal data?
Here are seven important facts about the new law that may surprise you:
1. Even if your organization is not located in the European Union, you may be affected.
The new law applies to any organization, regardless of where it is located, that offers goods or services to individuals in the EU or monitors the behavior of individuals in the EU. It also applies to any organization with an establishment in the EU, whether or not the processing itself happens there. For example, a multinational corporation headquartered in the US that employs individuals in an EU member state will be affected.
2. The maximum fines for not complying with the GDPR can be very significant.
Supervisory authorities can impose two tiers of administrative fines for non-compliance with the GDPR. The lower tier is up to 10 million Euros or 2% of the organization's total worldwide annual turnover for the preceding financial year, whichever is higher, and applies to violations of obligations such as internal record keeping, data processor contracts, data breach notification, data protection officers, and data protection by design. The higher tier is up to 20 million Euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, and applies to violations of the basic principles of processing (including the conditions for consent), data subject rights, and transfers of personal data to third countries.
3. There is no grace period.
The GDPR repeals the EU Data Protection Directive 95/46/EC and supersedes the member state laws that implemented it. Unlike a directive, which each member state had to transpose into its own national law, a regulation applies directly in every member state without further national legislation. Although there is no grace period after May 25, 2018, organizations have had two years to prepare: the GDPR was formally adopted in April 2016 and entered into force the following month, with a two-year transition period before it applies.
4. Personal data includes a work email address.
The GDPR uses the term "personal data" for any information relating to an identified or identifiable living individual. For employees, this covers data that identifies an employee directly or relates to them, such as their name, date of birth, government identification number, gender, employee ID, marital status, and home address.
Personal data is not limited to details of private life. Business-related information such as an individual's work email address, tenure, salary, and performance evaluations also qualifies. Additional restrictions apply to "special categories of personal data" such as racial or ethnic origin, religious or philosophical beliefs, health data, and sexual orientation: processing such data is prohibited unless one of the exceptions in the GDPR applies. Explicit consent from the individual is one such exception; in the employment context, an obligation under employment law is another, so organizations should identify which exception they rely on before processing this kind of data.
5. There is a difference between a data processor and a data controller.
Although the two terms may sound alike, they have very different meanings. For example, Visier provides a people analytics solution and acts as a data processor when processing an organization’s data. We follow an organization’s processing instructions for employee data that has been collected and transmitted to our service.
When your organization collects employee data, oversees its management, and determines the purposes and means of processing it (typically through HR management systems), it is acting as a data controller. Data controllers carry a significant number of obligations under the GDPR, including appointing a data protection officer (in some cases), maintaining records of processing activities, and carrying out data protection impact assessments where processing is likely to result in a high risk to individuals. Processors have their own, narrower set of obligations, such as processing only on the controller's documented instructions and keeping their own records of processing.
6. You do not always need to obtain consent to collect employee data.
For the processing of personal data to be lawful, the controller needs either the consent of the data subject (which must be freely given, specific, informed, and unambiguous) or another lawful basis. In the employment relationship, consent is often a weak basis because the imbalance of power between employer and employee makes it hard to show that consent was freely given.
Beyond consent, the other lawful bases for processing personal data include:
- Performing a contract with the individual
- Complying with a legal obligation under EU or member state law
- Protecting a vital interest of an individual
- Performing a task carried out in the public interest or in the exercise of official authority, and
- Processing where it is necessary for pursuing the legitimate interests of the organization.
Under the GDPR, organizations processing employee data will most often rely on the basis that the processing is necessary for the performance of the employment contract, for compliance with EU or member state employment law, or for the legitimate interests of the organization, provided that interest is not overridden by the interests or the fundamental rights and freedoms of the employee. Whichever basis is chosen, it should be identified and documented before processing begins, because the basis also determines which rights (such as the right to withdraw consent or to object) the employee can exercise.
7. The right to be forgotten is not an absolute right.
A data subject’s “right to erasure” or “right to be forgotten” has been recognized as a concept in the European Union since 2006.
The GDPR codifies the "right to be forgotten" in Article 17, giving an individual the right to have an organization erase their personal data in certain circumstances. However, the right is not absolute. The individual must rely on one of the grounds set out in Article 17, for example that the data is no longer necessary for the purpose for which it was collected, or that consent has been withdrawn and no other legal basis for the processing exists. Even where a ground applies, the organization can refuse the request in some cases, such as when it needs the data to comply with a legal obligation or to establish, exercise, or defend a legal claim.
Customer data privacy and security is Visier's top priority, and compliance with the GDPR, an important law that promotes the fair handling of personal data, aligns with this commitment. We take steps to ensure that customer data is protected with appropriate technical and organizational measures, including maintaining the confidentiality of the data by restricting access to authorized personnel only. These measures are further described in our Security Overview page. Our privacy commitment is also set out on our Privacy Overview page. To learn more about the GDPR, download the Visier overview here.
This document is intended for general informational purposes only and is not to be construed as legal or professional advice. It is intended to highlight some elements of the GDPR and does not address every aspect of the law. Visier makes no representations as to the accuracy, completeness, or validity of this information. Readers are advised to seek their own legal and other professional advice for their specific circumstances.