Impacts of new GDPR for your People Systems and HR Data
What is the new ‘General Data Protection Regulation’ (GDPR)?
You may have heard about the General Data Protection Regulation (GDPR) that is in the process of going into effect in Europe. If not, you need to take note! The GDPR is a new initiative to protect the data of consumers and employees from misuse. The key objectives of GDPR are to give everyday citizens control of their personal data and to streamline the current regulations surrounding the legal use of this data. This new regulation, passed in April of 2016, essentially replaces the Data Protection Directive (Directive 95/46/EC) that went into effect in 1995, long before any of the present-day concerns about international data theft were a serious thought. With the GDPR coming into effect in May of 2018, organizations have less than a year to evaluate their data gathering, storage, use, portability, and sharing protocols.
Why are these changes being made?
If there were data protection directives already in place, why is the GDPR needed now? Well, times have changed, and the way that businesses manage their data must also change. The three key changes as set forth by the GDPR are:
- Increased territorial scope - the regulation covers all organizations that process the data of people within the European Union, regardless of where the company is actually located. This means international firms must also comply if they gather, process, share, or use EU data at any time.
- Stiff fines and penalties - organizations found to violate any aspect of the GDPR face fines of up to 4% of annual revenue or 20 million euros, whichever is greater. Failure to document can incur a 2% fine.
- Absolute consent - all companies must carefully document, and be able to show, written consent from employees to access and use their data.
Timelines for compliance (could vary depending on the exact calculation of time)
As mentioned, GDPR was passed in April of 2016, but companies have a two-year timeline within which to make the transition. By May 25 of 2018, all impacted organizations must be compliant with GDPR, or they can expect to incur heavy fines. The Information Commissioner’s Office has created a 12-step guide for preparing for GDPR, which we encourage your organization to download and read now. To summarize, here are some basic guidelines and actions you can take now:
- Make sure all organizational decision makers are on board
- Create a committee to oversee the management of GDPR initiatives
- Conduct a data privacy and protection audit to determine how vulnerable your systems are
- Understand what information is gathered, from whom, and for what purpose
- Evaluate what your vendors are doing to comply with GDPR
- Update employee manuals and privacy statements
- Decide what needs to be in place to secure permission to use data
- Secure EU-based servers for all data now, and require the same from vendors
What it means for your business
Depending on the above factors, your organization could be at risk of non-compliance with the GDPR; worse yet, employee data may be vulnerable. This is especially true if your company does business with any governmental agencies, which require even higher standards of data use and protection. Consider the areas that may be most at risk for your company, including:
- Mobile data sharing by company officers, employees, and vendors
- Personal information and who actually owns this data
- Transmittal of data using email, cloud-storage, and physical devices
- Cloud-based servers not on EU soil (for any company)
Guidelines for compliance with GDPR
Fortunately, at Thymometrics, we treat any and all data as 100% critical to your organization and therefore we are already GDPR compliant. In fact, we systematically make it our mission to ensure that all employee data is handled with the utmost care and security. With a long history of working with international organizations, we have a keen understanding of data security requirements and built our entire platform with this in mind, from the ground up. We wanted to share what we believe will be important for your organization to do now, so that in 12 months’ time, when GDPR is officially the law of the land, you will be in full compliance.
Ways to ensure compliance
Before we go any further, it’s important to understand what constitutes 'personal data'. This can vary widely by organization, but the general definition is any information that is personal to employees and can be used to identify an individual. Personal data, when combined, can become dangerous in the wrong hands. Examples of personal data include:
- Any part of a person’s name
- A home or business address
- Birthdates, anniversaries, and hire dates
- Names of family members
- Job titles, salary rates or educational information
What the organization needs to do now
A year seems like a very long time to start worrying about a new law, but it is worth devoting some resources to this early. There will undoubtedly be issues that you’ll need time to resolve, so it is better to have time to prepare before the May 2018 deadline. Now is the time to start, to avoid being caught out by data breaches and large fines. Jerry Pett, CEO and co-founder of Thymometrics, has some sound advice for companies to get ready for GDPR.
#1 - Learn where your critical employee data systems are held (for example, your HRIS or employee engagement survey vendor) and for what purpose data is being used.
#2 - Determine who owns the data based on contractual information. In some cases, employees are the sole owners of the data, while the company is authorized to use this data for business purposes only.
#3 - Set up a system for gaining explicit opt-in from employees. Every employer gathering, storing, and sharing employee data must have a clear method of communicating and obtaining this permission.
#4 - Find out what your cloud-based software vendors are doing with personal information and if they are taking steps to become compliant. Your employee data could be spread out across multiple locations such as cloud storage services, HRIS, help and support systems, messaging systems, and more.
#5 - Employers with 250 or more employees must assign an internal data protection officer to oversee all GDPR requirements.
The best course of action is to be proactive about what is happening with your employee data and never assume that your company is compliant. It’s too costly to make a mistake with the security of your employees’ personal information.
Where to get support with your engagement data
Long before the GDPR was instituted, Thymometrics agreed that we would be proactive about keeping all our customers’ and employees’ data secure in world-class data centers. As we are gathering potentially sensitive information on the happiness and engagement levels of employees, this is a top priority. We are ready and prepared for these new regulations. How?
- Our general terms and conditions put relationships with our clients and employees first. We always get full permission to share and use data, and only with valid business reasons in place.
- We take the use and security of data very seriously. That means zero commercialization of data and a sole focus on how it’s protected.
If you'd like to find out more about how the new General Data Protection Regulation might affect your business, speak to Thymometrics: email firstname.lastname@example.org, call +1 646 760 9323 (US) or +44 (0) 1223 750 251 (Europe), or visit thymometrics.com.
Image courtesy of jk1991 at FreeDigitalPhotos.net