The EU General Data Protection Regulation (GDPR) now officially applies, bringing substantial changes to the current EU system for the protection of natural persons with regard to the processing of personal data and the free movement of such data.
Thus, in this new major area of risk, all organisations and employers are required to adopt significant new technical and organisational measures to ensure compliance with the GDPR.
In particular, the key practical considerations for employers and human resources professionals preparing for the new regime are analysed below:
- IT AND LEGAL AUDIT & GAP ANALYSIS
Within each organisation, the IT and legal audit and the gap analysis consist of an examination of the data processing practices, indicatively including:
- The categories of personal data currently processed by the organisation (e.g. payroll data, job applicants’ information, special categories of data etc.),
- With whom the personal data are shared (e.g. group companies, third party providers etc.),
- Where and how the personal data are stored (e.g. electronic or paper files, on central cloud-based systems, in local files etc.),
- The performance of automated processing (e.g. during the employee recruitment process),
- The duration of personal data storage,
- The possible cross-border transfers of the personal data (outside the European Union), and
- Possible differences in practice across business units and countries.
Performing this audit and gap analysis helps to identify the key risk areas and the gaps that must be bridged in order to approach GDPR compliance.
- NECESSITY OF A DATA PROTECTION OFFICER
A Data Protection Officer (DPO) shall be appointed in two main circumstances:
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, and
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
- REVIEW OF THIRD PARTY PROCESSORS’ TERMS
The GDPR sets out detailed and varied obligations to ensure that appropriate contractual protections are in place in relation to third party processors (e.g. external payroll companies, benefits providers and software suppliers).
In any case, contracts between the controller and any processors should be reviewed, and even renegotiated, to approach GDPR compliance.
- UPDATES TO PRIVACY NOTICES & POLICIES
The GDPR defines detailed and varied obligations regarding the provision of information to data subjects when their personal data are processed; that information must be concise, accessible and written in clear and plain language.
Existing privacy notices shall be updated and reissued to cover the mandatory requirements of the GDPR.
- AWARENESS WORKSHOPS FOR STAFF
In addition, each employee needs to be informed, through awareness workshops, of their duties and responsibilities when processing data on behalf of the organisation (e.g. the retention of records, the response in the event of a data breach and the new data subject rights).
In any case, multinational employers should be mindful of any country-specific information and consultation obligations towards employee representatives or works councils that may be a prerequisite, before amending terms and conditions, staff notices, company policies etc., in order to approach GDPR compliance.
- RESTRICTED RELIANCE ON EMPLOYEES’ CONSENT
The GDPR provides that consent will rarely be an acceptable legal basis for the processing of employees’ data, due to the employees’ dependence on their employer. Thus, employers should consider an alternative legal basis for processing such information, such as compliance with a legal obligation or the pursuit of the employer’s legitimate interest.
- ENHANCEMENT OF DATA SUBJECT RIGHTS
The GDPR not only significantly enhances existing data subject rights (e.g. the provision of information, subject access, the right to prevent direct marketing, the right to prevent automated decision-making and profiling, and the right to have inaccuracies corrected) but also provides new ones (e.g. the right to have information erased, known as the right to be forgotten, and the right to data portability).
Thus, organisations must ensure that they are prepared to respond to the exercise of these rights in due time.
- REVIEW OF INTERNATIONAL DATA TRANSFERS
Multinational employers will continue to face restrictions when transferring personal data to countries outside the European Union, as the GDPR does not change the current framework significantly (one notable change is that the GDPR removes the requirement that transfers based on model contractual clauses be notified to or approved by local data protection authorities). The GDPR also provides scope for the list of countries deemed to have adequate data protection laws to be reviewed and amended in the future.
- AUTOMATED DECISION-MAKING PROCESSES
The GDPR provides that each data subject has the right not to be subject to a decision based solely on automated processing (e.g. auto-shortlisting for roles, performance management software, and employee monitoring) where that decision significantly affects them.
In conclusion, it is worth noting that a new era lies ahead for the protection of our personal data: an era of enhanced rights, but also of strict obligations for organisations and employers in order to comply with the new regime.
Edited by Dimitra Panagidi