2017-06-13, HRExaminer. Contributing author: Mika Javanainen.

Mika Javanainen is Vice President of Product Management at M-Files Corporation.

The European Union’s (EU) General Data Protection Regulation (GDPR) takes effect on May 25, 2018. The regulation, which protects the personal data of individuals in the EU, will have wide-ranging implications for businesses around the globe. Yet with less than a year until it becomes enforceable, many employers and their HR departments still know little (or nothing) about the impending changes, let alone how to address them.

Given the volume of employee-related files, documents and personal data that HR departments handle every day, the significance of the GDPR cannot be overstated. It is critical that HR teams learn everything they can about the stringent new requirements so they can avoid the hefty fines that non-compliance can bring.

Below are ten things HR teams need to know about the GDPR and how the new rules could affect their organizations.

What is the GDPR?
The GDPR replaces the EU’s Data Protection Directive of 1995. Unlike its predecessor, the GDPR is a regulation, which means it is directly applicable and enforceable in every member state from May 25, 2018, without further national legislation. A directive, by contrast, must first be transposed into each member state’s own law, which is why data protection rules have so far varied from country to country.

The regulation gives individuals in the EU a number of new or strengthened rights, including easier access to the personal data any company holds about them and details of how the company uses that data. It also grants a right to data portability and a right to have their data erased. In addition, the GDPR requires companies to report a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to pose a risk to the people affected), and to inform the affected individuals themselves when the breach is likely to result in a high risk to them.

One impact HR is likely to feel very directly is the regulation’s rules on lawful processing and access rights. Organizations must be able to demonstrate a lawful basis for storing and using each individual’s data. Consent is only one such basis, and in the employment relationship it is often not considered freely given, so HR will usually need to rely on grounds such as performance of the employment contract or a legal obligation. Organizations must also be able to provide a copy of an individual’s records, in electronic form where the request is made electronically, to anyone who asks what data is held about them, where it is stored and for what purpose.

What kinds of data are we talking about?
Under the regulation, any information relating to an identified or identifiable natural person is personal data. That includes not only obvious identifiers such as a name or an ID number but also location data, online identifiers, and factors specific to a person’s physical, genetic, mental, economic, cultural or social identity. (The GDPR uses the term “personal data”, which is broader than the US notion of personally identifiable information, or PII.) Even cookies and IP addresses fall within the broadened scope of what must be protected.

Who does the GDPR apply to?
The GDPR is complex and far-reaching. Unlike the Data Protection Directive it replaces, it applies not only to organizations established in the current 28 EU member states, but also to organizations outside the EU that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. Even a company whose only EU presence is a single EU-based employee or job applicant is likely to be in scope if it processes (that is, collects, uses, transfers or stores, electronically or otherwise) that person’s personal data.

Why should HR care about GDPR?
Non-compliance with the GDPR can lead to very serious financial repercussions. Regulators are empowered to impose fines of up to 20 million euros or four percent of a company’s total worldwide annual turnover, whichever is higher. That alone should be reason enough to put an action plan in place.

But GDPR compliance will also mean that HR departments must be able to reliably find, track and bring together the large volume and variety of employee information they manage, much of which is highly confidential. That can be a huge undertaking, especially when personal data is scattered across disparate systems, network folders, emails and devices. An access request cannot be answered if nobody knows where the data is, so a current inventory of what personal data is held, where, and for what purpose is a prerequisite. This makes finding the right tools to deal with the mandate a strategic imperative.

Does Brexit Mean Exit from GDPR Requirements?
After the Brexit vote, many businesses in the UK reportedly stopped preparing for the GDPR, mistakenly assuming the regulation would no longer apply to them once the country left the EU. In fact, the UK will still be in the EU for a significant period after the GDPR comes into force: businesses must comply from May 2018, and the UK is not set to leave before 2019 at the earliest. So even if UK firms were not expected to comply because of Brexit (and the UK government and the Information Commissioner’s Office have indicated otherwise), they would still face at least a year of compliance before the country actually left the union. Regardless, the GDPR’s expanded territorial scope means any UK company that offers goods or services to, or monitors, people in the EU will still need to comply with the regulation anyway.

How do organizations benefit from the GDPR?
The GDPR is not wholly without benefits for the businesses that comply with it. Mainly, it promises to simplify the rules that companies are now operating under. Rather than trying to adhere to a patchwork of data privacy rules country by country, the GDPR will be a single law that applies to companies across the EU. The European Commission estimates that it will also save companies around 2.3 billion euros a year by doing away with “the current fragmentation and costly administrative burdens.”

What can employers do to prepare?
While the GDPR spells out in no uncertain terms the outcomes companies must achieve for personal data, it does not prescribe the technologies or specific processes companies must use to achieve them. The closest it comes is Article 32, which requires “appropriate technical and organisational measures” proportionate to the risk and names pseudonymisation and encryption only as examples. Published summaries of the articles offer general guidance at best, leaving each organization to devise its own compliance plan. In other words, how an organization goes about complying with the law is largely up to it, and it must be able to justify those choices to a regulator.

Is there a practical starting point?
The effective use of technology is critical if an organization is to keep track of all the personal data it holds about people in the EU and to apply and enforce policies protecting that information. One category of solution many organizations are already adopting in anticipation of the GDPR is the enterprise information management (EIM) system, which can identify, classify and manage personal data automatically and enforce access controls and security measures so that information does not fall into the wrong hands. For example, HR can configure the system to automatically purge or lock down (for example, encrypt) certain information, such as personnel records or job applications, once a defined retention period has elapsed, reducing the amount of data exposed in a potential breach.

Is it necessary to hire a Data Protection Officer?
Under Article 37 of the GDPR, controllers and processors must designate a Data Protection Officer (DPO) if any of the following conditions applies:

  • The processing of data is carried out by a public authority or body, except for courts acting in their judicial capacity
  • The core activities of the processor or controller require regular and systematic monitoring of data subjects on a large scale
  • The core activities of the controller or the processor consist of large-scale processing of special categories of data (such as data revealing racial or ethnic origin, religious beliefs, genetic data, health data, etc.) or of personal data relating to criminal convictions and offences.

However, member state law may require the designation of a DPO in other situations as well, and organizations should consider appointing one voluntarily where their processing is sensitive or extensive. Filling the role isn’t merely a “check box” exercise. The DPO must have expert knowledge of data protection law and practice, and is responsible for informing and advising the organization and for monitoring its compliance with the GDPR; accountability for compliance itself remains with the organization. An existing employee can serve as DPO provided they have the required expertise and the role does not conflict with their other duties (for example, a head of HR or IT who decides how personal data is processed cannot independently monitor that processing).

The bottom line?
Whether viewed as a welcome remedy for the tangled web of country-by-country laws on personal data or as just another onerous regulation, the GDPR will soon be the law of the land in the EU and, as it turns out, far beyond. For those in HR who collect and process large volumes of personal data, the impact will be significant. HR managers will need to assess their current processes and procedures carefully to ensure they comply, or face the potential of hefty fines. Those who take a proactive approach and put plans in place now will be far better equipped come next May. After all, at its core the GDPR is about managing content, in this case personal information about individuals.

Mika Javanainen is Vice President of Product Management at M-Files Corporation. Javanainen is in charge of managing and developing the M-Files product portfolio, roadmaps and pricing globally. Prior to his executive roles, Javanainen worked as a systems specialist, integrating document management systems with ERP and CRM applications. A published author, Javanainen has an executive MBA in International Business and Marketing. Follow Mika on Twitter at @mikajava.
