GDPR and Global Employee Surveys: Everything You Need to Know About the New Law

While the European Union's ("EU") new General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, may have been years in the making, many companies are only now scrambling to understand what it means and how to comply.

At OrgVitality, we've followed these developments closely. Maintaining employee privacy and confidentiality is a critical element of our work. This new regulation affects many of our clients, many of whom have employees located throughout the world. Here are some key components of the new law:

The GDPR greatly expands the scope of existing regulations.

The GDPR replaces outdated privacy legislation from 1995. The biggest change is an expanded jurisdiction: it applies to all companies processing personal data of EU citizens, regardless of where the processing takes place. Businesses operating outside the EU may need to appoint a representative in the EU. Under the GDPR, there are also stronger conditions for consent to collect data: the terms must be clear and distinguishable from other matters, so that people aren't simply clicking a button without fully understanding what they agree to, and it must be as easy for them to withdraw consent as to give it. Data breaches must be disclosed "without undue delay" after an organization learns of them. Individuals have clear rights, including the right to know whether their data is being stored and how it is used, free access to their data, and the ability to have their data erased.

Regardless of whether you're doing the data collection yourself or hiring a third party, you need to be compliant:

The GDPR separates organizations into two categories: controllers and processors. Controllers are those who store information, such as credit card companies. Processors use data for a specific process but don't store it afterwards. Some organizations, like OrgVitality, are both; we often store information to use for trend mapping until our client requests that the information be deleted. When you work with a vendor who is collecting personal data of your employees, you need to make sure that vendor is compliant with the new regulations, or your organization may be liable. The penalties for non-compliance are steep.

If you're Privacy Shield certified, you likely still need to make changes:

Privacy Shield offered US companies a way to deal with the EU's more stringent privacy laws; US companies could agree to adhere to a list of principles to show they were in compliance with the stricter regulations. GDPR's expanded regulations will make even those with Privacy Shield certifications take additional steps, including amending an organization's privacy policy to include statements regarding how long data is held, a data subject's right to have their data erased, the reason for the data processing, and both if and how the data would be transferred out of the EU. Additionally, contracts with vendors like OrgVitality will now need to include how data is processed, how long it will take, what type of data is processed, and more.

Other countries are likely to follow suit, creating a logistical challenge for global organizations.

While the GDPR applies uniformly across all EU member states - and the UK, which will leave the EU next March but plans to adhere to the GDPR - other countries are likely to follow suit with their own data privacy laws that may make global processing more difficult. "It is currently unclear exactly how this will evolve, but the worst-case scenario is that we may be looking at a situation where you have to process organizational data locally and then compare country overall numbers," says Dr. Scott Brooks, Partner and Vice President at OrgVitality. "If we are unable to merge all the employee data, we would look at a client's individual country population result and then assign the necessary weights to achieve an accurate global total."

Ultimately, the GDPR will greatly change the nature of global businesses. At OrgVitality, we closely monitor new regulations, making sure we remain compliant and helping our clients do the same.

If you have any questions about how OrgVitality is complying with the new regulations, please email Scott Brooks. Want to learn more about GDPR? Email Oren Saltzman.