On Friday, May 25 2018, the European Union’s General Data Protection Regulation (GDPR) officially takes effect. The GDPR, put forth by the European Commission in 2012 and finally agreed upon by the European Parliament and Council in December 2016, is set to replace the Data Protection Directive 95/46/ec. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors.
The primary objectives of GDPR are to:
- Create a unified data protection regulation for all 28 European Countries.
- Enhance the level of data protection for EU data subjects.
- Modernize the law in line with existing and emerging technologies.
GDPR has international reach—applying to any organization—no matter where its jurisdiction—that processes the personal data of EU residents or citizens. Fines for non-compliance increase substantially, up to a maximum fine of €20 million or 4% of global annual turnover per incident, whichever is higher.
There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment. Additionally, the GDPR gives individual consumers a private right of action in EU courts, which means they have a right to seek financial damages for any harm caused by the processing of personal data.
HighGround’s Commitment to Data Protection and GDPR Compliance
HighGround has achieved compliance with GDPR requirements and is committed to supporting your GDPR compliance efforts by May 25th 2018 and beyond. Our principles are aligned with the GDPR, namely to earn the trust and respect the rights of our customers. How we help Human Capital practitioners address these higher expectations around the collection, use and security of personal and confidential employee data is key. HighGround can help you meet those expectations. We have established a Data Privacy Program to continuously ensure compliance with applicable data protection laws. Over the years, we have successfully satisfied customer data protection requirements by demonstrating compliance with the EU Data Protection Directive, and some country-level data protection laws from NA, LATAM, and APAC. HighGround enables global organizations to collaborate more effectively across the globe while safeguarding and protecting employee personal information and privacy. Our new Privacy Statement is designed to be clearer and more transparent. You can read the new privacy statement here.
Accountability Under the GDPR
One of the most significant requirements under the GDPR is the accountability principle. Organizations must be able to demonstrate their GDPR compliance and should therefore consider what types of technical and organizational measures will allow them to meet the accountability principle.
GDPR Article 24 requires Controllers to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance” with the GDPR.
HighGround has implemented a number of administrative, physical and technical controls that demonstrate our compliance with the GDPR principles, such as:
- Contractual addendums to ensure that all our suppliers continue to apply the same high standards on data protection
- Adoption of process for Data Protection Impact Assessments
- Encryption at Rest
- Data Management (data rectification, erasure and portability)
- Awareness & Training
- Privacy Compliance Monitoring, Audit and Enforcement
GDPR Key Impacts: Enhanced level of protection for data subjects
- Definition of “Personal Data” now explicitly includes online identifiers (name, photo, email, posts/comments on sites), location (IP addresses) data and biometric/genetic data
- Higher standards for privacy notices and for obtaining consent
- Easier access (correction requests) to personal data by a data subject
- Enhanced right to request the erasure of their personal data
- Right to transfer personal data to another organization (portability)
- Right to object to processing now explicitly includes profiling.
GDPR Key Impacts: Obligations for Data Controllers and Processers
- Operationalization of a Data Protection by Design and by Default Process.
- 72-hour detailed data breach notification obligations.
- Requirement to conduct risk analysis and Data Protection Impact Assessments (DPIA).
- Appointment of Data Protection Officer (DPO), required in certain cases.
- Implementation of technical and organizational security measures appropriate to the risks presented.
- Cross-border data transfers still allowed via the use of EU Model Clauses, Binding Corporate Rules (BCRs) or Privacy Shield.
- Vendor security risks and privacy management.
- Pseudonymization of personal data required for the processing personal data beyond original collection purposes.
Any GDPR related questions and any data subject requests can be addressed to HighGround’s Privacy team at firstname.lastname@example.org