The European Union (EU) General Data Protection Regulation (GDPR) will go into effect in May 2018. The stringent new privacy rules will affect any businesses (not just European organizations) that hold or use personal data of EU citizens, which means U.S.-based and other organizations will need to take note. Non-compliance with GDPR can result in hefty fines—up to 4 percent of annual revenues or 20 million euros in some cases, whichever is larger.
With less than one year until this new regulation will be a reality, many organizations are still unsure how the new regulation will impact their business, let alone how to best go about complying with it. With the vast amounts of personal information that HR departments manage in forms or job applications, for example, it is critical to learn about the new rules, how they apply, and what steps they can take to address GDPR requirements.
Change Is Coming: GDPR Explained
GDPR is a mammoth regulation. At its core, the regulation aims to unify data protection for individuals, shifting control of personal data back over to the public. In other words, GDPR gives any EU citizen the right to know how any company, regardless of its physical location, is handling their personal data and what personal data of themselves is being managed, how long, and for what purpose.
The new rules also include strict consent and access rights. Organizations must not only be able to prove they obtained permission to store and use data from an individual, but also provide electronic copies of private records on-demand to those who request details on where their data is stored, and for what purpose. What’s more, should a data breach occur, organizations will be required to notify both regulators and consumers within 72 hours.
What’s more, the GDPR is far reaching. Unlike the Data Protection Directive that it replaces, the GDPR applies not only to all businesses that operate in the current 28 EU member countries, but also to all companies that process personal data of EU citizens or work with information relating to EU citizens when providing goods or services. Put simply, any company that has even one EU-based employee or job applicant, and processes (i.e., collects, uses, transfers, or electronically stores) personal data of this citizen will need to comply. Even Great Britain, which is set to leave the EU by 2019 isn’t immune.
Indeed, GDPR could be a huge undertaking for some companies. The sheer scale, breadth and reach of the regulation will no doubt require organizations around the globe to adopt new technologies and processes to help manage the changes. And while software alone will not solve GDPR compliance, modern information management solutions can make the process faster and easier, especially for HR departments that manage the personal data for employees, recruits, and applicants.
Information Management: A Practical Starting Point
To avoid penalties under GDPR, organizations will need to implement new policies and procedures that help ensure personal information collected from EU citizens is protected according to new rules set by the regulation. For example, many organizations today ask applicants to enter their contact information via an online form when applying for a job with their company.
One of the most important ways an information management solution can be utilized to adhere to GDPR requirements is by identifying personal information and then automating the enforcement of rules for how personal data is managed, protected with access control lists, encrypted, and disposed. This can help mitigate the risk of a potential data breaches by establishing parameters that ensure all personal data is protected while also providing an audit trial of all personal information in case of an audit.
Organizations must also be able to provide electronic copies of private records to individuals requesting information on what personal data the organization is processing. Here again, modern information management solutions help address the challenge by allowing organizations to easily search, find and aggregate information that resides in multiple locations, including network folders, applications and other business systems such as customer relationship management (CRM) and enterprise resource planning (ERP) solutions.
Training HR Staff on GDPR Requirements
Under GDPR mandates, organizations will need explicit consent to collect and use personal information if the individual resides in the EU, and this new reality will trigger a change in typical HR processes. HR staff members will have to be educated on the new procedures, and companies will need to prove trained employees are actually following those procedures in the event of an audit.
This is where information management strategies come into play. One of the primary benefits of implementing an information management solutions, particularly from an HR perspective, is that modern solutions come with built-in document templates and workflows that provide an efficient and reliable way for HR to create and track training progress.These systems can not only help create training assignments, but automatically add information to an employee’s record once a training assignment is complete. Or if an employee still needs to complete an assignment, EIM will send automatic reminders to HR, management and the employee via email. The system also allows HR and management to easily view who still needs to complete the assignment.
Information management solutions can serve as a building block for GDPR success. These systems not only enable HR and executive leadership teams to easily create new processes, but also implement and track employee training programs and, perhaps most importantly, enable organizations to more effectively find, manage and protect personal information—all of which are critical to compliance. And with less than a year to go before GDPR takes effect, organizations would be well-severed to put a solution in place now.