Our people and CSR Outsourcing

21 again: European data privacy legislation comes of age

by Sascha Schneider CIPP/E

I say for “sure”, because a recent study by a major privacy consulting firm revealed that half of the 200 companies it questioned (with the majority being in the US and Europe) were not aware of the GDPR, and of those who were, 18% disagreed in the proclamation that it is “a significant change” in how data will be handled from 2018. It was interesting to see that mid-sized companies with an employee population of 1.000 – 4,999 where the best informed while big (BIG) companies with over 75.000 employees where the least. Am I reading too much into this?! Either way, the GDPR is scheduled to go live on May 25, 2018! The final text in all European languages can be downloaded here.

Will the GDPR affect your HR and Payroll processes?

The compliance team at NGA HR has followed the development of the GDPR closely, as it does with all proposed or actual compliance and legislative reviews. We have picked out the highlights for you to review here.

What is it the GDPR?

The General Data Protection Legislation replaces the EU Directive 95/46/EC, which was enacted in 1995.
To put this time lag into context – and why a significant data legislation is required – here are a few significant milestones from 1995, possibly the year the mass consumer data was born.

1995: Before these data intensive innovators were headline news

  • Mark Zuckerberg, creator of Facebook, the largest social network (i.e. a lot of data) was 11 years old
  • Windows 95 launched, and was to change the face of personal computing
  • Google was still three years away. Little did we know that it would be born to rule the data search and delivery world
  • Cell phones were used only for calls
  • Match.com was launched, one of the first of many personal data driven businesses
  • Amazon sold its first book, long before it became a dominant public data center
  • eBay debuted on the internet

Who needs to be aware?

If you have access to data, if you process data, if you do anything with data, then you need to take account of the following points, because they will impact your business, and your compliance:

  • New accountability regime
  • New Data Protection Authority powers
  • Direct applicability on data controller and data processor
  • Mandatory Data Protection Officers
  • Mandatory Breach Notification
  • Detailed data processing agreements

And the wow factor:

  • Monetary fines of up to €20 Million or 4% of global turnover

Update 2

Chinese walls

Not only in Europe there are changes around data protection. The Hong Kong Information Commissioner has issued guidelines on how HR data should be managed by companies. They have also issued guidelines on employee monitoring and privacy. You can find these here.

Not far away from Hong Kong, China is also in the process of implementing a cybersecurity law. However, China is one of the few (big) countries that does not have a consolidated data privacy law, and. therefore, this can make it somewhat challenging to maneuver in the sea of applicable laws!

Update 3

Coming to America, and back again

The Privacy Shield, the framework that is set to replace the EU-US Safe Harbor agreement (after its invalidation), is still on every body’s minds, or at least it should be on the minds of your legal counsels’ and operations directors’. And, it is looking very like Groundhog Day.

Firstly, the Article 29 Working Party had its rather ‘conservative’ review of the Privacy Shield. The European Parliament then said it didn’t really like it. And, to top this off the European Data Protection Supervisor told us….. that he didn’t like it either! All despite the European Commission signing it off initially.

Why doesn’t the EU like the Privacy Shield?

The main reason is because the US government can access data – whenever and wherever it wants to. Additionally, the US Supreme Court has modified the ‘Federal Rules of Criminal Procedure’, granting law enforcement agencies more access to people’s personal data.

It should be remembered that one of the main reasons Safe Harbor was invalidated in the first place was because of unlimited US government data access, making this move look rather like shooting yourself in the foot?

As a global payroll provider, NGA has service delivery locations in the US and so it is imperative that we stay on top of any updates and changes to the Privacy Shield, and we will make sure that you are the first to know when data transfers to the US are ‘safe’ again!

Disclaimer: This article is intended only as a guide and an information piece on general data privacy updates and is not legal advice. You should always seek independent legal advice for more details.