The European Union’s General Data Protection Regulation will go into effect May 25, and HR leaders need to be ready.
GDPR is a massive regulation that requires businesses to protect the personal data of any European Union citizen they do business with, including employees, suppliers and customers. It promises to have a sweeping impact on any organization that operates in the EU, forcing them to assess every point in the business where they capture, store, share, manage or delete personal information.
The regulation includes 99 separate articles, each of which has multiple requirements, but it boils down to two main issues, said Neal Dittersdorf, general counsel and privacy officer for iCIMS, the social recruiting software company, based in Holmdel, New Jersey:
- People have the right to their own personal data, even if it is collected by an organization.
- Privacy needs to be embedded throughout every data handling process in an organization to ensure compliance.
“It represents a sea change in the way companies will manage data,” Dittersdorf said. And U.S.-based companies are not immune. According to a report from Ovum, the financial technology company, two-thirds of global businesses expect the regulation to force changes in their European business strategy.
While the regulation was approved in April 2016, companies are still scrambling to achieve compliance by the May 25 deadline, said Christine Lyon, partner at Morrison and Foerster, a law firm in Palo Alto, California.
“HR plays an important role in this process,” she said. Many people believe GDPR is an IT and security issue, though HR is one of the key data capture centers, and many of the requirements in the regulation affect how the company captures and disseminates data about its EU employees and recruits.
HR’s Role in GDPR
Most GDPR compliance projects are run by the legal or data security team, but HR leaders should be collaborating with them to make sure their employee data management steps are brought into compliance.
“There are a lot of opportunities for HR to take leadership roles in responding to GDPR,” Lyon said. “HR understands the importance of data privacy and regulatory compliance, and they know how employee data is managed.”
The main job for HR on these projects is to make sure EU employees and recruits are given notice describing what personal data the company is collecting, how it is being used and how it will be shared and kept.
Dittersdorf noted that many companies already provide data notifications to these workers, however HR needs to be certain the language and timing of these notifications is updated to reflect GDPR requirements.
“The question HR teams need to grapple with is do they have the right framework in place to secure consent for what they do with the data?” he said. For example, GDPR requires that employees and recruits opt in to have their data captured and stored — versus having to opt out if they don’t want it used.
Employees also have the right to view their personal data, and to delete any data or correct it if there are errors. “Companies need to figure out what access they are going to give employees and how that will work,” he said, noting that some data needs to be preserved for regulatory purposes, which could create conflicts.
As part of these compliance projects, companies will need to be able to demonstrate how data is tracked and managed, and how employees are notified about data use. That means they have to maintain records of all data processing activities that can be produced on demand, Lyon noted.
One area that HR leaders are still uncertain about is the impact of the regulation on the use of automated decision-making tools. For example, automated résumé screeners that eliminate candidates without any human intervention, or tools that track employee performance for promotion decisions could be a compliance issue, Lyon said. “Companies need to be mindful of about GDPR restrictions when using these tools.”
A $24 Million Problem
Meeting all of the criteria for GDPR has been challenging, and most companies predict that they won’t be fully compliant, despite having had two years to get ready.
That creates a big risk, Lyon said. Companies could face fines of as much as 20 million euros ($24 million) or 4 percent of their global annual turnover if they fail to meet the compliance deadline. The Ovum report shows 59 percent of U.S. companies expect to face fines for noncompliance. “This is why companies are taking GDPR so seriously,” she said.
For those companies not yet compliant, or those that haven’t yet begun, Lyon urged them to start quickly, to focus on those areas of greatest privacy risk and to document their progress.
“Regulators are likely to be more lenient if you can demonstrate a good faith effort to comply,” she said. “But it’s time to get your house in order.”
Sarah Fister Gale is a writer in Chicago. To comment, email firstname.lastname@example.org.