While the European Union's ("EU") General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, may have been years in the making, many companies are only now scrambling to understand what it means and how to comply.
At OrgVitality, we've followed these developments closely. Maintaining employee privacy and confidentiality is a critical element of our work, and this new regulation affects many of our clients, a large share of whom have employees located throughout the world. Here are some key components of the new law:
The GDPR greatly expands the scope of existing regulations.
The GDPR replaces the 1995 Data Protection Directive (95/46/EC). The biggest change is an expanded jurisdiction: it applies to any organization, wherever it is established, that processes the personal data of individuals located in the EU, regardless of where the processing takes place. Note that the test is where the individual is, not EU citizenship. Businesses established outside the EU that fall under the regulation generally must appoint a representative in the EU. The GDPR also sets stronger conditions for consent to collect data: a request for consent must be presented clearly and separately from other matters, in plain language, so people aren't simply clicking a button without understanding what they agree to, and withdrawing consent must be as easy as giving it. Data breaches must be reported to the supervisory authority "without undue delay" and, where feasible, within 72 hours of the organization becoming aware of them; affected individuals must also be notified when the breach is likely to result in a high risk to them. Individuals have clear rights, including the right to know whether their data is being processed and how it is used, the right to obtain a copy of it free of charge, and the right to have it erased.
Regardless of whether you're doing the data collection yourself or hiring a third party, you need to be compliant:
The GDPR separates organizations into two categories: controllers and processors. A controller decides why and how personal data is processed (a credit card company, for example, is the controller of its cardholders' data); a processor handles the data on the controller's behalf and on its instructions. Whether an organization stores the data is not what determines its role. An employer surveying its employees is the controller of their data, and a vendor that collects and analyzes the responses for it acts as a processor. Some organizations, like OrgVitality, act in both roles; we often store information to use for trend mapping until our client requests that the information be deleted. When you work with a vendor who is collecting personal data of your employees, the GDPR requires a written contract governing that processing, and you need to make sure the vendor is compliant with the new regulations, or your organization may be liable. The penalties for non-compliance are steep: fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
If you're Privacy Shield certified, you likely still need to make changes:
Other countries are likely to follow suit, creating a logistical challenge for global organizations.
While the GDPR applies uniformly across all EU member states - and the UK, which will leave the EU next March but plans to adhere to the GDPR - other countries are likely to follow suit with their own data privacy laws that may make global processing more difficult. "It is currently unclear exactly how this will evolve, but the worst case scenario is that we may be looking at a situation where you have to process organizational data locally and then compare country overall numbers," says Dr. Scott Brooks, Partner and Vice President at OrgVitality. "If we are unable to merge all the employee data, we would look at a client's individual country population result and then assign the necessary weights to achieve an accurate global total."
Ultimately, the GDPR will greatly change the nature of global businesses. At OrgVitality, we closely monitor new regulations, making sure we remain compliant and helping our clients do the same.