The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and 10 months later, it’s a good time to revisit these sweeping changes.
You may remember the buildup, and how most of the fanfare focused on the customer and vendor implications. But the regulation doesn’t just affect consumer-oriented data; it applies to employee data as well. Even if your organization doesn’t have an EU location, having employees in the EU (they don’t have to be EU citizens) may bring you within its scope, and you may face fines for noncompliance in the event of an audit by a supervisory authority.
So as we near a year into GDPR, it’s not about getting compliant; it’s about staying compliant. Here are four insights to keep in mind as you navigate data administration at your organization.
1. Ensure “privacy by design” is a foundational consideration.
Successful organizations aren’t stagnant, so every new project or initiative you take on will likely affect your privacy policies and compliance, especially if it involves personal data. With each new initiative, perform a privacy impact assessment; under GDPR, a data protection impact assessment (DPIA) is mandatory for processing that is likely to result in a high risk to individuals. And as your company’s overall strategy evolves, so must your privacy strategy. This means reviewing your privacy policies at least annually, and updating them whenever your company makes substantial changes to how it handles personal data.
Whether you’re conducting a regular privacy impact assessment or an annual policy review, your organization should be:
- Assessing how personal data is collected, used and shared
- Making sure that there are measures that allow data subjects to exercise their rights under GDPR, such as procedures for accessing personal data, correcting inaccurate personal data, and respecting valid “opt out” requests
- Demonstrating a risk-based approach to protection, which includes minimizing the amount and types of personal data collected to what is actually needed, and deleting, encrypting or redacting data based on its sensitivity
- Reviewing how your privacy approach aligns with any industry changes or case law that may arise
2. Maintain records of your processing activities.
Your organization should keep a record of all processing activities involving personal data (GDPR Article 30 requires this of most controllers and processors). When a new project involves personal data, update the registers or systems that record your processing activities at the same time. Whether maintenance is done on an ongoing basis or scheduled quarterly, up-to-date records of your processing activities must be available on request in the event of an audit by a supervisory authority.
3. Stay on top of your breach reporting process.
Your organization’s role in handling data, either as a data processor or a data controller, determines how and when breaches must be reported:
- As a data processor, you’re required to notify the data controller without undue delay after becoming aware of a breach involving personal data
- As a data controller, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals, you must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; where the risk to individuals is high, you must also inform the affected individuals without undue delay
The key is having clearly defined internal processes in place to ensure that breaches are detected, assessed and reported thoroughly and on time; the 72-hour clock starts when you become aware of the breach, not when your investigation is finished. Test your processes, then test them again.
4. Make training—and retraining—your people a priority.
Even if your organization has robust data protection procedures in place, if your people aren’t prepared to follow them, you are at risk. Systems and IT-based controls provide some mitigation, but an employee losing an unencrypted device or failing to properly destroy sensitive paper records is itself a personal data breach.
Training is key, and it should cover data security in general and the GDPR in particular. Because threats are always changing, a regular information security training schedule is advised, at least twice a year if possible. Everyone in the organization should be included, because keeping data secure is everyone’s responsibility.
Heed the momentum for GDPR-like rules in the U.S.
You may think you’re in the clear if your U.S.-based organization’s data doesn’t fall within the scope of GDPR. And that may well be the case—for now.
But there has been growing support from U.S. tech giants for federal laws governing how companies protect user data. Cisco is the latest, joining Apple and others, with the company’s top lawyer recently calling the current U.S. data protection framework “not adequate.” As more influential companies push for change, federal regulators and lawmakers may be more inclined to take note.
Do you have questions about the impact of GDPR on your payroll and HR processes? Contact us today to learn more about the steps your organization can take to ensure compliance.