GDPR is going global

A year ago, GDPR arrived to varying degrees of enthusiasm. For us as citizens it was great news. It brought the guaranteed levels of security we should expect in a digital world. GDPR, for the first time, clearly presented the importance of privacy as a human right.

For organizations, the GDPR meant a huge overhaul of how, where and why personal data is used. However, the likes of Cambridge Analytica, Facebook, TicketMaster and other big brand data breachers, had pushed our own tolerance levels, and those of the data regulators, to the edge.

Where GDPR is not enough

The expectations of the GDPR are very clear. However, for some countries, the GDPR does not, take the protection of citizen’s data and right to online privacy, far enough. Additional layers of defence have been added.

The introduction of ‘our digital rights’

Last December, the Spanish Data Protection Act, Ley Orgánica de Protección de Datos y de Garantía de Derechos Digitales (LOPDGDD) was published. It applies to all companies operating in Spain but most interesting is the introduction of ‘digital rights’.

This topic itself deserves a blog, but for now, in the shortest possible explanation, LOPDGDD introduces the ‘rights for us to be digital citizen with the same ease at work as at home’.

This means as employees we have the right to:

  • Privacy when using digital devices at work
  • Disconnect outside of contracted hours
  • Privacy in video and audio recording
  • Privacy in geo-location

I think we might agree, some good introductions and a determining factor for organizations to bring their operational cultures up to date. We have at least four generations in our workforces today and it is time to bring the ways we work up to date.

Spain is not alone. In France, the CNIL published two draft standards providing practical guidance in relation to the processing of personal data for HR management and whistleblowing systems. Certainly, to be put on your data compliance watch list.

Germany also has also added protection to the GDPR, suggesting that culturally, we’re not yet ready for a harmonized European, let alone global data protection standard. It is essential, therefore, that you never assume you are acting within the law when moving data across borders.

Other pioneers of data protection in recent times

Ahead of the GDPR, in 2017, China passed its Cyber Security Law. There are an estimated 700 million internet users in China. This is more than in Europe and the USA alone.

The law outlines that companies must have among others, contingency plan for data breaches. Companies must also explain to users the content they’re collecting from them and how this will be used. This said, there are major restriction on internet usage in China and some data can also only be stored in the country.

This is similar in Russia. It has introduced very strict rules and regulations. For example, data must be held in the country Anyone violating the rules faces fines and potentially being blocked internally from accessing the Internet.

The ripple effects of GDPR

 Europe, it seems, has certainly written the blueprint for PII protection and the rest of the world has taken note. We’re seeing similar models to GDPR popping up around the world. This will only continue as employees and customers insist that you provide the evidence that you respect their data.

India already introduced sweeping new data protection regulations last year. In fact, we saw a lot of movement to the protection of data in many of the emerging economies. This is reflected in changes to the 2019 Global Payroll Complexity Index, which will be published at the end of May.

Argentina, Serbia, Jersey, New Zealand and Australia are taking data regulations very seriously. Hong Kong has published a ‘Ethical Accountability Framework’. While not mandatory, it urges businesses in Hong Kong to introduce privacy impact assessments along the lines of the GPDR.

Bosnia & Herzegovina, Ukraine, Montenegro and Monaco are also set to introduce new data protection regulations in 2019, again in line with GDPR. When a non-EU country is deemed to provide an “adequate level of protection” of the personal data records of EU citizens, it is easier to transfer data. This is likely why so many are following the GDPR lead.

Peru and Chile have also made changes, and Indonesia, Kenya and Zimbabwe are also likely to pass comprehensive data protection laws soon.

All change in the Middle East

Changes in Bahrain, scheduled to be applicable as of August 1, are particularly interesting. Bahrain’s ‘Personal Data Protection Law (PDPL) is a huge shift from how business is currently run in the kingdom. For the first time, individuals will have rights over how their personal data can be collected, processed and stored. For businesses, there will be controls over how they secure, manage and process PII data. It is likely that other Middle Eastern countries will follow.

While similar to the GDPR, there are significant differences. If you’re a business operating in Bahrain and have recently implemented a GDPR compliance program, you will need to factor in additional expectations to comply with the following;

  • Individuals normally residing or having a workplace in Bahrain
  • Businesses with a place of business in Bahrain
  • Individuals not normally residing or having a workplace in Bahrain, and businesses not having a place of business in Bahrain, but processing personal data by using means available in Bahrain, unless the use of such processing means are solely for the purpose of passing data through Bahrain without any other purpose
  • In the last point, each business must appoint a local representative in Bahrain to carry out its obligations.
  • Like the GDPR, the PDPL has specific requirements about how consent must be given and has a right to withdraw consent at any time.

Transfers of personal data out of Bahrain will be prohibited unless the transfer is made to a country or region that provides sufficient protection to personal data – similar to the GDPR.

Coming up in 2020

Brazil’s new General Data Protection Law comes into play next February. It gives individuals rights regarding access, ratification, erasure, objection and data portability. Quite what these will mean will have to be determined. Each law has its own interpretation. Malaysia and Switzerland are also expected to pass new regulations in 2020.

Changes in the US

I will only touch briefly on the California Consumer Privacy Act (CCPA) here. Already passed, this becomes law on January 1, 2020. It applies to any business, anywhere, that collects personal information about Californian residents.

There are Ts&Cs, such as the number of PII records a business collects and the annual revenues to determine applicability. There is one certainty, however, the CCPA will require major new compliance processes.

California is not alone. There are several more data reviews going on at a state-level including, Washington and Colorado. Most revisions take influence from the individual rights emphasis of the GDPR. Already, many businesses are voluntarily improving data visibility and controls.

What about the United Kingdom?

This is the million-pound question. What about the United Kingdom?! While the Brexit saga continues, there is an element of certainty for UK businesses. The UK’s Information Commissioners Office (ICO) and the UK government have published guidance in the event of a “no deal” Brexit; the GDPR will be absorbed into UK Law on exit, provided the country is declared as “adequate”.

This will ensure the continued free flow of data between the UK and the EU. My colleague, Sascha Schneider, of NGA HR’s legal team, explains “adequacy” far more eloquently than I can in his recent blog, The ABC of GDPR. For further assurance, the ICO has issued a guidance note on the six steps to take in the event of a no deal Brexit.

What’s next for your business regarding GDPR?

If you’re a business that operations internationally, multiple legislations of the significance of GDPR will make data management challenging, but it is the only option for long-term success.

To address this challenge ourselves, at NGA HR we have applied GDPR level protection across our business. This makes sense for any business where processes are centralized and data is stored, processed and automated in the cloud. The ideal will be a global standard, but as already mentioned, we’re still a long way away from this.

If you have any questions about the adequacy of your HR or payroll data, please do reach out to us and one of our experts will talk to you about this.