Editor’s note: The General Data Protection Regulation (GDPR) is a regulation enacted in May 2018 that guides the use of data and the rights of citizens across the European Union (EU). Any organization working with the personal data of individuals in the EU is liable to maintain compliance. Because the GDPR applies to data being maintained on your employees, global payroll and human resources departments will assume a leading role. Compliance is critical with the prospect of fines that can be revenue-based.
The following Q&A with Donald C. Dowling Jr., a shareholder with Littler law firm, is provided to assist leaders in global payroll who may be called upon to explain the significance and consequence of GDPR and noncompliance to other departments within their organizations. This is an update to his first interview, published in July 2018. Part II of this update will continue in the June 2019 issue of Global Payroll.
What is the difference between a processor and a controller?
The distinction between “controller” and “processor” is a fundamental concept under EU data law (and remains the same under GDPR as it was under the predecessor EU data “directive”).
A controller manipulates (“processes”) personal data about people (“data subjects”)―and has the right to make decisions about what to do with that data.
A processor also processes personal data about people but does the processing under the instructions of a controller. The processor does not have authority to make substantive decisions about what to do with the data. The processor just follows the controller’s orders.
A good example is an employer’s payroll data: The employer is a controller of payroll data because it sets the pay rates, pay periods, and the like. If the employer uses an outside payroll provider company to cut paychecks and do withholdings, the payroll company is a data processor: It makes paycheck deductions and issues paychecks, but does that at the instruction of the employer.
In any data stream there can be multiple controllers and multiple processors. GDPR article 26 addresses “Joint Controllers.”
For example: Employee Hans works for the German subsidiary of a French-headquartered company, and Hans has options in the company stock option plan. The French parent and the German subsidiary would both be controllers of Hans’ employee compensation data―the German subsidiary presumably sets Hans’ pay rate, and the French parent presumably sets the rules for the stock option plan. An outside payroll provider and an outside stock option plan administrator would both be processors of Hans’ stock option data.
How do organizations determine if GDPR applies to their business?
This is complex in some situations, but simple in many others. If you operate in the EU and process data of EU residents, then that processing falls under the GDPR. If you do not operate in the EU and you do not process data of EU residents, the GDPR very likely does not reach you.
The complex situations come up when a company does not operate in the EU but processes personal data about EU residents, or when non-EU residents’ data gets sent into the EU or put on an EU server. Also, EU-based organizations can be argued to fall under the GDPR even as to personal data about non-EU residents―but actually the GDPR carves out an exception for when the processing activity does not fall under EU law.
GDPR applies to more situations than the predecessor data law (the old EU Data Protection Directive) once did. To use American jurisdictional terminology, the GDPR has more of a “long arm” feature than the old directive did. A recent U.K. case involving Cambridge Analytica is a “long arm jurisdiction” case pushing out the boundary of the GDPR’s reach, at least under pre-Brexit U.K. law (unless the case gets overturned on appeal).
What are the eight fundamental rights of individuals under GDPR?
This is a tough question, because the GDPR is a detailed law with 99 articles that give individual data subjects hundreds of rights―many of which Europeans see as fundamental.
When people talk of the “eight fundamental rights,” their listing is:
- Right to information
- Right to access
- Right to rectification
- Right to withdraw consent
- Right to object
- Right to object to automated processing
- Right to be forgotten
- Right to data portability
But that list is subject to debate. For example, No. 7, the so-called “right to be forgotten,” alludes to GDPR article 17. But the text of GDPR article 17 got substantially watered down in the political process, and European privacy advocates argue the article 17 “right to be forgotten” doesn’t go far enough. Some might argue this so-called “right” is illusory and does not really exist.
We discuss the would-be “right to be forgotten” below. It’s not clear to me that it is much of a right, given that obsolete personal data is not supposed to be lying around in company databases in any instance. In most cases, even the GDPR does not give people an enforceable right to be forgotten―as long as some company somewhere has a legitimate business reason to remember something about you.
What specific business rules should organizations put in place to ensure compliance?
There’s so much to do to comply with the GDPR that this question opens Pandora’s Box.
The threshold issue for an American-headquartered (or other non-EU-headquartered) company is to determine which personal data the company processes is subject to the GDPR―and which personal data isn’t subject to the GDPR.
Obviously, all of the compliance steps necessary to comply with the GDPR are necessary only as to the GDPR-regulated data. This sounds obvious, but we see many companies that sweep non-GDPR-regulated data into their GDPR compliance frameworks. That’s legal, but can be unduly restrictive for the company.
How often should organizations carry out internal GDPR training for employees?
Those workers in a company who process GDPR-regulated data as part of their jobs need to know how to process the data legally. Employees who don’t process GDPR data don’t need any GDPR training (although employees whose own data is GDPR-regulated have to be informed of a lot of matters regarding their own data).
The frequency of the GDPR training depends on variables that include the employee’s role, expertise, level of supervision, and data-processing responsibilities.
Essentially, an employer does not have to train any given rank-and-file employee on the GDPR as an abstract legal concept. Often, a good approach is to train a given employee on how to perform his or her specific data-processing tasks in a way that complies with the GDPR.
That said, an employee with a lot of discretion on data issues in Europe (say, a Data Privacy Officer or head of HR) needs to keep GDPR expertise up to date.
What items should be reviewed in a GDPR risk assessment review?
Start with identifying (isolating) what personal data is subject to the GDPR, and understanding what personal data is not GDPR-regulated. That is “job No. 1” at a multinational company (at a local European company, all personal data may be GDPR-regulated).
From there, everything depends on context. HR (employee) data elements are largely similar from company to company―payroll data, personnel file data, employee monitoring data, and emails, etc. In a risk assessment, review those.
But beyond employee data, the types of personal data a company processes (and should review in a risk assessment) differ widely. HR data aside, the items to review for a GDPR risk assessment at a fast food restaurant are very different from the items to review for a GDPR risk assessment at a hedge fund. A manufacturing company might not process much personal data beyond HR data, but a retail bank certainly will.
Donald C. Dowling Jr., a shareholder with Littler law firm, has extensive experience advising U.S.-based companies on outbound international labor and employment laws. He provides counsel on a wide variety of global employment law matters, including codes of conduct and HR policies that guide operations in multiple jurisdictions, international compensation and benefits issues, whistleblower hotlines, cross-border internal investigations, and HR compliance audits. Dowling regularly advises clients on employment matters that arise with international restructurings, reductions in force, mergers, acquisitions, and outsourcing. Additionally, he helps clients properly engage independent contractors overseas, manage expatriate programs, and develop employment agreements and employee handbooks.