The European Union’s General Data Protection Regulations (GDPR) went into
effect in May 2018, and 10 months later, it’s a good time to revisit these
sweeping changes.
You may remember the buildup, and how most of the fanfare focused on the
customer and vendor implications. But the legislation doesn’t just affect
consumer-oriented data—it has an impact on employee data as well. Even if your
organization doesn’t have an EU location, if you have employees in the EU—and
they don’t even have to be EU citizens—you may face fines for noncompliance in
the event of an audit by a supervisory authority.
So as we near a year into GDPR, it’s not about getting compliant; it’s about
_ staying _ compliant. Here are four insights to keep in mind as you navigate
data administration at your organization.
1. Ensure “privacy by design” is a foundational consideration.
Successful organizations aren’t stagnant, so every new project or initiative
you take on will likely have repercussions on your privacy policies and
compliance—especially if user data or data involving people is involved. With
each new initiative, it’s important to perform privacy impact assessments. And
as your company’s overall strategy evolves, so must your privacy strategy.
This means reviewing your privacy policies at least annually, and updating
them as appropriate, such as when your company makes substantial changes to
how it handles personal data.
Whether you’re conducting a regular privacy impact assessment or an annual
policy review, your organization should be:
- Assessing how personal data is collected, used and shared
- Making sure that there are measures that allow data subjects to exercise their rights under GDPR, such as procedures for accessing personal data, correcting inaccurate personal data, and respecting valid “opt out” requests
- Demonstrating a risk-based approach to protection, which includes revising the amount and types of personal data collected, and deleting, encrypting or redacting data based on its sensitivity
- Reviewing how your privacy approach aligns with any industry changes or case law that may arise
2. Maintain records of your processing activities.
Your organization should keep a record of all activities carried out involving
the use of personal data. When there are new projects that involve personal
data, there should also be an update to any registers or systems that record
your personal data processing activities. Whether maintenance is done on an
ongoing basis or scheduled quarterly, up-to-date records of your processing
activities are necessary in the event of an audit by a supervisory authority.
3. Stay on top of your breach reporting process.
Your organization’s role in handling data—either as a data processor or data
controller—affects how and when any breaches are to be reported:
- As a data processor, you’re required to notify the data controller as soon as possible after becoming aware of a breach involving personal data
- As a data controller, if a breach would result in a “risk to the rights and freedoms” of individuals, you must notify the relevant supervisory authority within 72 hours
The key is having clearly defined internal processes in place to ensure that
breaches are reported thoroughly and on time. Test your processes, then test
them again.
4. Make training—and retraining—your people a priority.
Even if your organization has robust data protection procedures in place, if
your people aren’t prepared to adhere to them, you could be at risk. Systems
and IT-based controls may provide some mitigation, but an employee misplacing
a device or not properly destroying sensitive paper records could likely
trigger a data breach.
Training is key, and it should include lessons on data security in general and
the GDPR in particular. And because threats are always changing, a regular
information security training schedule is advised—at least twice a year if
possible. Everyone in the organization should be included in training, because
keeping your data secure is everyone’s responsibility.
Heed the momentum for GDPR-like rules in the U.S.
You may think you’re in the clear if your U.S.-based organization’s data
doesn’t fall within the scope of GDPR. And that may well be the case—for now.
But there has been growing support from U.S. tech giants for federal laws
governing how companies protect user data. Cisco is the latest, joining
Apple
and others, with the company’s top lawyer recently calling current the U.S.
data protection framework “not adequate.”
As more influential companies begin to push for change, federal regulators and
lawmakers may be more inclined to take note.
Do you have questions regarding the impact of GDPR on your payroll and HR
processes? Contact us today
to learn more about
steps your organization can take for ensuring compliance.
Profitez d'une consultation gratuite sur rendez-vous
Nos conseillers en solutions internationales pourront évaluer avec vous vos problématiques et vous recommander les prochaines étapes à suivre pour atteindre vos objectifs