We’ve rounded the corner into 2018 and are now fast approaching implementation of the most robust set of data protection laws in Europe in more than two decades. The General Data Protection Regulation, or GDPR, is the result of four years’ work on behalf of the European Union (EU) to standardize data regulations across its 28 member countries. The law will grant individuals more authority over the use of their personal data.
The EU sees the GDPR as a necessary step in updating outdated laws in an increasingly digital world. In 1995, when European data privacy laws were last updated via the Data Protection Directive, only 1% of Europe’s population was using the internet. Today, not only are we a digitally reliant world, but many companies are operating globally and processing data across borders. The EU Parliament established the GDPR guidelines to unify disparate laws and give more autonomy to millions of individuals to protect their personal data.
But if you think that being across the pond spares your company from GDPR compliance, think again.
A major tenet of the GDPR, which goes into effect May 25, 2018, requires that any company that stores, processes, or touches data coming from the EU comply with the regulation. Companies sitting outside of the borders of the EU will need to comply with the GDPR if they process data collected in the EU.
And if they don’t comply? Companies should prepare for steep sanctions and higher scrutiny from the data protection supervisory authorities across the EU.
The GDPR drastically increases penalties for compliance infractions. Previously, noncompliance fines were managed on a country-by-country basis, assessed by the country in which the infraction occurred. The GDPR harmonizes these fines. Penalties can be up to €20 million or 4% of the company’s worldwide revenue, whichever is higher. EU authorities also will define a scale for these sanctions based on the severity of the offense.
Education around the GDPR is key because, despite the regulation’s influence and eminence, many companies are falling behind in preparation. A study by information technology company Spiceworks found that, as of late June 2017, many companies are well behind the curve. Only 9% of IT professionals in the United States are informed about the business impact of the GDPR, according to the research. This number is 43% and 36% for the U.K. and EU, respectively. Better, but still not great. Further, Gartner predicts that more than 50% of companies affected by the GDPR will not be in compliance by the time of implementation.
Don’t let your company be one of them. Here is what else you need to know about the GDPR and steps HR and other professionals can take to prepare for the May 2018 deadline.
Define Your Gaps, Now
The GDPR consists of 99 articles, but not all of them will be entirely new. In fact, many companies might already be closer to compliance than they think. At this point, if they haven’t already, it’s vital that companies read and understand the GDPR, determine where they have gaps compared to their existing procedures, and then define actions to ameliorate them.
This may be a challenge for many multinational companies (MNCs). For instance, it’s conceivable that a multinational company with employees in 20 to 30 countries could be managing between 50 and 60 HR and payroll systems, as different countries are often given autonomy over technology decisions.
On top of that, the company may be managing the integration of files from other applications offered in their human capital management (HCM) suite, such as talent, time, benefits, retirement, and pension. With this in mind, it’s not too difficult to imagine the 100-plus integration files that a typical multinational company manages on a monthly basis.
Add to this “the cloud.” More and more, MNCs have moved much of their integrated HCM into fully integrated, customized, multi-vendor cloud suites. The key words here are “customized” and “multi-vendor.” A new need has arisen for a solution that is designed with data privacy and security standards built in, while enabling MNCs to integrate all data flows and information from disparate systems. Ideally, it would provide transparency into the data collection and management process for compliance purposes, reduce manual intervention, and increase efficiency to deliver consolidated data and reporting in standardized formats—all in a single language irrespective of the system in which the data originated.
Keep on Top of Localized Data Regulations
It’s important to note that the GDPR is only a baseline—the minimum requirements by countries processing data in the EU. Countries can (and already have begun to) pass laws providing for a few exceptions to the GDPR.
With the GDPR, it is possible that roughly 90% of the data privacy provisions will be harmonized across the EU. However, some of the EU member states will implement country-specific requirements or develop country-specific guidance through their local supervisory authority, either to clarify a provision of the GDPR or to impose stricter regulations where permitted by the GDPR. Global companies will need to stay abreast of these developments and take inventory of where their partners operate (by country) to ensure they remain in compliance with local rules.
Understand the Role of Greater Personal Accountability
Currently, companies that process data rely on the regulatory bodies of their country to check that they are meeting standards. Under the GDPR, companies will have to conduct self-assessments. No one will proactively tell a company, “Yes, you can move forward with this processing; it’s compliant.” Instead, companies now have the responsibility to ensure they are in compliance and to ensure their vendors, suppliers, and other partners are complying with the law. Additionally, if an issue arises, companies will need to prove they’ve done a data protection impact assessment, showing they have addressed the issue. This is why documentation after implementation, along with data transparency and data flow process auditing, will be key.
Establish, Test Your Documentation Process
With the GDPR, companies will need to document the actual performance of the compliance process, in addition to the initial implementation of the process. This is where the accountability principle comes into play. Companies will need to assess not just for May 2018, but also on an ongoing basis to ensure continuing compliance. They should test what they’ve implemented in order to make sure that it's sustainable. This is key in the case of service providers in order to give clients greater peace of mind that the company will continue to try to help them comply with the GDPR.
Keep Tabs on Your Data Processing Partners
Companies will also need to make sure their vendors and partners are in compliance with the GDPR. Otherwise, noncompliance can cause a domino effect: if your partners are not complying with the GDPR, their noncompliance could potentially affect your business.
Being in compliance with the GDPR may be a challenge to many MNCs, but it ultimately may enable them to address crucial workforce data issues, as well as increase their attractiveness to potential business partners. As the world moves toward greater data accountability and transparency, those who take data protection seriously may also find that current and prospective clients take notice and choose a more compliant company with which to do business.
Read about the GDPR virtual class that this subject matter expert taught as part of GPMI’s education section in this issue.
Cécile Georges is the Chief Privacy Officer (CPO) of ADP. She leads the Global Data Privacy and Governance Team, which is part of the Global Compliance organization. The Team provides advice and operational guidance to all ADP business units, and is responsible for the design and implementation of ADP’s enterprise-wide compliance programs in relation to the protection of personal information. During her time with ADP, Georges has consistently focused on developing performance-driven teams that deliver excellent service to the businesses and to ADP clients.