How GDPR affects non-EU based HR teams
It’s likely that, whether or not an organization operates in the EU, it has heard of the General Data Protection Regulation. GDPR, which came into force on 25 May 2018, changes the way organizations process, store, and use personal data. Although GDPR focuses on the data of EU citizens (more precisely, data subjects who are in the EU), it is not limited to EU organizations. Wherever an organization is in the world, if it handles the personal data of people in the EU it must comply with GDPR.
Businesses that handle the data of EU citizens but are not based in the EU can struggle to understand how to put the right processes in place. In light of this, the Payroll Services Alliance hosted a webinar. Titled ‘The Importance of GDPR to non-EU based Organizations’, the webinar gives organizations outside the EU an overview of how to handle GDPR, and examples of what to do if a problem occurs.
Hosted by Sheila M. FitzPatrick, Worldwide General Data Protection Regulation Chief Privacy Officer, Data Privacy & Sovereignty Laws, and Gert Beeckmans, Chief Risk & Security Officer at SD Worx, the webinar discussed global data privacy laws and the ripple effect of GDPR for companies outside the EU, and explored how GDPR affects HR professionals.
Sheila explained how new technology is driving the need for greater privacy rights, and how individuals are now far more concerned about the collection of their personal data. Because so much data is collected by sources the individual never sees, trust and transparency between individuals and organizations around the world are eroding.
So, where should organizations outside the EU start when it comes to GDPR? Initially, organizations should ask the following questions: What do your data procedures look like? What is your process for managing data? What do your data privacy notifications look like? As Sheila advises, organizations need processes in place before they look at buying technology. It’s important to start at the foundations of your data processes when it comes to GDPR; you wouldn’t put the attic on a new house before the foundations were set.
Sheila also explained the ripple effects of GDPR. It has awakened a global recognition of the importance of the fundamental right to privacy, but it has also caused an influx of marketing material that has overloaded, and consequently confused, some organizations. There are, however, similarities between GDPR and other data laws. For example, the Right to be Forgotten exists in ten countries around the world. Where GDPR differs from many of those laws is its extraterritorial nature: it applies outside the EU too. GDPR isn’t confined to the EU’s borders.
Following Sheila’s explanation and advice, Gert gave real-life examples of how GDPR affects organizations outside the EU. For example, an HR service centre outside the EU needs an appropriate legal transfer mechanism (such as Standard Contractual Clauses) in place with every EU-based entity that sends it personal data, and must review its data breach procedures and ensure that they are strictly followed.
Another example that Gert ran through was how to handle a data breach. In this situation, the organization should inform its Data Protection or Privacy Officer, who initiates the organization’s privacy incident process. One practical reason the procedure must be followed strictly: GDPR requires a notifiable breach to be reported to the supervisory authority within 72 hours of the organization becoming aware of it, so the clock starts at detection, not at the end of the investigation.
By understanding the processes that should be in place, an organization and its people (especially the HR and payroll departments) will be much better placed to handle incidents when they occur.
GDPR might look daunting to organizations outside the EU, but by understanding the processes and legal requirements that have changed, they can ensure that they are compliant and avoid large fines and, ultimately, damage to their brand.