The deadline to comply with the EU’s General Data Protection Regulation is looming. All companies that process the data of EU citizens must adhere to the rules by May 25, 2018 or risk fines of up to 4 percent of annual global turnover or 20 million euros, whichever is greater. Understandably, many of our clients and prospects that are based in the US and have operations in the EU are scrambling to put policies and procedures in place to help them comply in time for the go-live date.
GDPR stakeholders in most organizations include risk managers, CIOs and CFOs, but HR professionals — who are sometimes overlooked in data-protection discussions — play an equally critical role. After all, they collect and maintain sensitive data from employees and employee recruits. The bottom line is that GDPR has serious ramifications for HR executives and administrators alike.
This post provides a high-level summary of some important items HR professionals need to consider when preparing their organizations to comply with the GDPR.
Regardless of your position within an organization or where that organization is located, if you handle the personal or sensitive data of people living in the EU, you need to have a basic understanding of the GDPR. The European Commission’s GDPR Portal is a good place to start, as is my colleague Stuart Buglass’ overview of the reforms. Here’s a look at some of the key changes the GDPR will bring:
- Employee consent. Under the GDPR, employers will no longer be able to rely on employee consent to process data, due to the imbalance of power between the two parties. Instead, employers must justify processing because it is required by law, necessary for the performance of a contract or for certain other reasons. (Stuart Buglass’ article is excellent on this point.)
- Data access and control. Employees and other data subjects will have the right to know if their personal data is being processed and why, and to obtain a free electronic copy of their data. If the data is no longer relevant, or for other reasons, they may request that an organization delete personal data (i.e., they may invoke the “right to be forgotten”) or take other action.
- Privacy by design. Organizations must include data protection “from the onset” when designing their policies, procedures and systems, and only process and hold data when necessary. The GDPR also has record-keeping requirements and in some cases requirements for organizations to appoint a data protection officer.
Fair Processing Notices and Employment Contracts
Under the existing EU directive on processing personal data, many employers of EU citizens have obtained employee consent to process data through privacy statements that are distinct from the employment contract. As mentioned, obtaining this kind of consent under the GDPR will no longer justify the processing of personal data. As a result, the GDPR will drastically change the way employers must communicate with their employees about data processing.
The GDPR requires that employers (and indeed any data controllers) that process data under the regulation’s legitimate-interest condition must provide a detailed explanation of the legitimate interest in a fair processing notice (“FPN,” or a similar document that may be referred to as a privacy notice). FPNs must also include other information required by the GDPR, such as the kinds of data to be processed and how the data will be used and/or transferred.
Given GDPR requirements, fair processing notices will — like the privacy statements they’ll replace — be separate from employment contracts due to their length and other factors. FPNs will also replace any existing employee-contract language related to employee consent to data processing. (Existing employee contracts written prior to the GDPR will not have to be rewritten, as FPNs will supersede any employee-consent language in the contracts.)
Employers should consider drafting a separate FPN for the purposes of employee recruiting, which of course involves the processing of personal data. Since the amount of data involved in employee recruiting is relatively limited, the FPN used for recruiting will almost certainly be shorter than the FPN used for employees.
Finally, employers should update their employment contracts for new hires so that they align with GDPR-compliant processes.
Data Protection Policies and Training
As mentioned, the GDPR requires organizations to tightly integrate data protection into their systems, policies and practices (known as “privacy by design”). As a result, organizations that process the data of EU citizens must update their policies, employee handbooks and trainings to account for new GDPR-related requirements. Communications should account for domestic and expatriate employees, as well as any contractors that may process data, to ensure they understand their roles and responsibilities as they relate to the GDPR.
A Checklist of GDPR Items for HR Managers and Administrators
This post has addressed some of the most pressing GDPR-related concerns that HR managers and administrators should address in advance of the May 25, 2018 deadline. Below is a checklist of action items that HR professionals should consider when preparing their organization for the GDPR. The list is of course not comprehensive, and you should consult with an expert to minimize your data-processing risks as we move into this new regulatory environment.
- Draft an employee fair processing notice, or FPN (also called a privacy notice)
- Draft an FPN specifically for recruiting employees
- Update employment-contract language to account for FPNs and other GDPR requirements
- Update employee policies (including your employee data access policy) to account for GDPR requirements
- Update employee handbook, including drafting a GDPR amendment
- Revise employee training materials to include GDPR-compliance training
- Draft and send GDPR communications to all employees (including expatriates) and contract workers
- Ensure your processes for retaining employee data are GDPR-compliant and update them if necessary
- Revise contracts with any HR data sub-processors to ensure GDPR-compliant controls are in place