Information on the General Data Protection Regulation (GDPR) is in such high demand that global payroll professionals are having to work overtime to make sure everyone knows about all the major changes about to take place.
During a recent two-part virtual class “GDPR: A New Regulatory Landscape in Europe,” Cécile Georges, Chief Privacy Officer of Global Compliance for ADP, and Julia Matarazzo, Director of Privacy Execution Assurance for ADP, sat down after the class was complete to answer many of the questions that went unanswered because of time.
The new European Union (EU) regulations will go into effect on May 25.
Below is a list of eight additional questions participants asked and the answers Georges and Matarazzo gave post-class:
When should an organization notify authorities of a data breach? Are there any requirements that speak to the size or type of breach?
Please refer to Article 33 for more information regarding the notification of Supervisory Authorities in the event of a breach. Note that there is no threshold in terms of volume of breaches that would trigger the need for being reported to the Supervisory Authority. A single personal data breach that falls within the scope of a reportable data breach should be reported.
Are standard/model clauses something that need to be written into international contracts once the GDPR comes into effect? Should this regulatory compliance be implicit in the existing contract clauses (i.e., parts of the contract that stipulate compliance to local laws)?
Standard model clauses are required only in case of transfer of data to a country located outside of the EU and that does not provide an adequate level of protection. Standard model clauses are referenced by the GDPR as an appropriate mechanism, amongst others, to sustain such transfer. To our knowledge, the provision of model clauses should be explicit.
What is the difference between a Data Controller and a Data Processor?
Per Article 4 of the GDPR, a controller means "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law." In contrast, Article 4 of the GDPR defines processors as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."
Do controllers have to communicate to data subjects the length of data retention?
Yes. Under Article 13(2), the controller is required to notify the data subject of the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period.
How can an organization be sure their vendors are compliant with GDPR? Are there any third-party certifications available?
At present, there are no third-party certifications available to prove compliance with the GDPR itself. However, some of the existing certifications do encompass privacy assessment and can be leveraged.
Will the U.K. be subject to GDPR bearing in mind Brexit?
The U.K. government confirmed its intention to implement the GDPR, following this up with its own Data Protection Bill, which it introduced in Parliament in September. The main objective of this bill is to convert GDPR into U.K. domestic law so that the regulation’s principles continue to apply once the U.K. leaves the EU. Until the exit negotiations are concluded, the U.K. remains a full member of the EU and GDPR will fully apply to the U.K. starting from 25 May 2018. Once the U.K. leaves the EU, the Data Protection Bill will be the only basis for data protection in the U.K., but the country will continue to apply GDPR standards as transposed in national law.
How likely is the GDPR legislation to change ahead of the May deadline?
It is highly unlikely that any changes to the GDPR will be implemented before the 25 May 2018 date of enactment. That being said, the GDPR allows for Member States to provide for exceptions in certain limited areas, and thus additional legislation may affect data processing in specific EU countries in the future.
How long does a typical GDPR implementation take?
The time it takes to implement a GDPR-specific compliance initiative really depends on the size of the organization and the business sector they are in, and the overall maturity of any existing privacy programs. Each organization should perform an assessment of existing practices and create a roadmap to help determine the length and complexity of the project.
Kiko Martinez is Associate Editor of Membership Publications for the American Payroll Association and GPMI.