What is the GDPR?
In January 2012, the European Commission created a proposal to reform data protection rules across the European Union (EU). Passed on May 25, 2018, the General Data Protection Regulation (GDPR) is a major component of this reform. The rules within the GDPR are designed to give EU residents more control over how businesses utilize their personal data.
Which businesses are covered by the GDPR?
The GDPR applies to companies that do business in any of the EU’s 28 member states as well as those that handle the personal data of EU residents — regardless of whether the company has a physical presence in Europe. It also covers non-EU-based companies that offer goods and services to consumers or businesses in the EU.
Bottom line: Any company that processes and holds the personal data of people living in the EU must comply with the GDPR.
What type of information is considered personal data?
Under GDPR rules, personal data refers to information that can be directly or indirectly used to identify an individual. This includes name, location data, IP address and genetic and biometric data.
How does the GDPR affect human resources?
Businesses with employees who are based in the EU, and third-party vendors that process personal information about employees, must comply with the GDPR. Although this information is often processed in the context of human resources, benefits and payroll, it may also be processed in other contexts, such as customer relationship management, training and certification, and business-related travel.
For personal data processed outside of the EU, the GDPR applies as long as the data pertains to an EU resident. For example, the GDPR does not apply if the employee is an EU citizen who lives and works in the United States and is paid by a US-based employer.
Among other things, the GDPR requires covered employers to give privacy notices to their workforce. The privacy notice must include the following:
- Employer name and contact information
- The types of personal data collected
- Reasons for processing the data
- The legal basis for the data processing
- With whom the information is being shared
- How long the data will be retained
- Employee rights with regard to their personal data
What are the consequences of noncompliance?
Businesses that fail to comply with the GDPR may face onsite investigation by data protection authorities. For the most serious violations, a company can be fined up to 20 million euros or 4% of the company’s annual global turnover, whichever is more. For other types of infringements, fines can be up to 10 million euros or 2% of the company’s annual global turnover, whichever is more.
Note that the GDPR is a replacement for the 1995 EU Data Protection Directive. The GDPR is much wider in scope and imposes new requirements on employers. If you’re not sure whether the GDPR applies to your business, or if you need assistance deciphering this far-reaching regulation, seek advice from an employment expert. Contact us today.