The General Data Protection Regulation (GDPR), proposed by the European Commission in January 2012 and adopted by the European Parliament and Council in April 2016, replaces the Data Protection Directive 95/46/EC. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it applies from May 25, 2018.
The primary objectives of the GDPR are to:
- Create a single data protection regulation that applies directly in all 28 EU member states.
- Enhance the level of data protection for EU data subjects.
- Modernize the law in line with existing and emerging technologies.
The GDPR has international reach. It applies to any organization, wherever it is established, that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior, as well as to any organization established in the EU. Fines for non-compliance increase substantially, up to a maximum of €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Fines are tiered. The lower tier (up to €10 million or 2% of worldwide annual turnover, whichever is higher) covers, for example, failing to keep records of processing activities, failing to notify the supervisory authority and affected data subjects of a breach, or failing to conduct a required Data Protection Impact Assessment. Additionally, the GDPR gives individuals a right to an effective judicial remedy in EU courts, which means they can seek compensation for material or non-material damage suffered as a result of processing that infringes the Regulation.
HighGround’s Commitment to Data Protection and GDPR Compliance
HighGround is on track to achieve compliance with GDPR requirements before the Regulation applies on May 25, 2018. Our goals are aligned with the GDPR, namely to respect the rights of our customers and to earn their trust. Helping Human Capital practitioners meet the higher expectations around the collection, use and security of personal and confidential employee data is key, and we believe HighGround can help you meet those expectations. We have established a Data Privacy Program to continuously ensure compliance with applicable data protection laws. Over the years, we have successfully satisfied customer data protection requirements by demonstrating compliance with the EU Data Protection Directive and with country-level data protection laws in North America, Latin America and Asia-Pacific. HighGround enables global organizations to collaborate more effectively across the globe while safeguarding employee personal information and privacy.
Accountability Under the GDPR
One of the most significant requirements under the GDPR is the accountability principle. Organizations must be able to demonstrate their GDPR compliance and should therefore consider what types of technical and organizational measures will allow them to meet the accountability principle.
GDPR Article 24 requires Controllers to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance” with the GDPR.
HighGround is implementing a number of administrative and technical controls that will help demonstrate its compliance with the GDPR principles, including:
- Data Protection Impact Assessments
- Encryption at Rest
- Data Management (data rectification, erasure and portability)
- Awareness & Training
- Privacy Compliance Monitoring, Audit and Enforcement
GDPR Key Impacts: Enhanced level of protection for data subjects
- The definition of “personal data” now explicitly includes online identifiers (such as IP addresses and cookie identifiers) and location data alongside traditional identifiers such as names, photos, email addresses and posts or comments on sites; genetic and biometric data used to uniquely identify a person are named as special categories subject to stricter rules.
- Higher standards for privacy notices and for obtaining valid consent.
- Easier access by data subjects to their personal data, and the right to have inaccurate data rectified.
- Enhanced right to request the erasure of their personal data (“right to be forgotten”).
- Right to receive their personal data in a structured, machine-readable format and transmit it to another organization (portability).
- Right to object to processing, now explicitly including profiling.
GDPR Key Impacts: Obligations for Data Controllers and Processors
- Operationalization of a Data Protection by Design and by Default process.
- Breach notification obligations: notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, and inform affected data subjects without undue delay where the breach is likely to result in a high risk to them.
- Requirement to conduct risk analysis and Data Protection Impact Assessments for high-risk processing.
- Appointment of a Data Protection Officer (DPO), required in certain cases.
- Implementation of technical and organizational security measures appropriate to the risks presented.
- Cross-border data transfers still allowed via EU Model Clauses, Binding Corporate Rules (BCRs) or Privacy Shield.
- Vendor security risks and privacy management, including contractual obligations on processors.
- Pseudonymization and encryption of personal data are named safeguards, and pseudonymization is a factor in assessing whether further processing beyond the original collection purpose is compatible with that purpose.
Useful GDPR Resources
Below are links to some GDPR resources that may be helpful to you.
We’re offering this information to help organizations understand the GDPR in connection with HighGround’s services. The information contained herein should not be construed as legal advice. Your organization should consult with its own legal counsel regarding its own unique obligations under the GDPR.