To prepare for the European Union’s General Data Protection Regulation (GDPR), which becomes enforceable on May 25, HR departments need to master a new lexicon for managing data privacy. The sweeping new law applies to any organization that offers goods or services to a person in the EU and collects, uses or processes that EU resident’s personal information.
It’s time to start boning up! Here are some of the terms you will encounter as you revise your procedures to meet the new regulation, or will want to be familiar with to stay ahead of the curve as an HR leader.
These terms apply to the organizations or people handling the personal information of EU employees or contractors.
Data Controller – An organization, such as a retailer, researcher or government agency, that decides how and why personal data is collected, used and processed.
Data Processor – A company like a cloud service provider that does not make decisions about the data but follows the instructions of the controller in storing, transmitting, analyzing or processing the data.
Data Protection Officer (DPO) – This is a new role you may need to hire for. The Data Protection Officer is responsible for educating your company on compliance rules, providing training to staff who do data processing, conducting regular security audits and dealing with regulatory authorities. The person who fills the role must have “expert knowledge of data protection law and practices.” He or she can be an employee or an outside contractor but must report to the highest level of management.
Grab a qualified DPO while you can. A study estimates that 28,000 will need to be hired to meet the new requirements.
These terms apply to data subjects’ rights to control their personal information and what you need to do to make sure those rights are honored.
Personal Data – Any information that can be used to identify someone or reveal personal details. Some examples: names, addresses, email addresses, photos, social media posts, bank information, medical information and computer IP addresses.
Consent – Forget about 10-page consent forms filled with impenetrable legal jargon. Forget about making employees click to opt out. To obtain personal data, the GDPR requires you to provide a consent form written in clear, plain language, and be able to demonstrate consent. You must make withdrawing consent just as easy as giving it. Another very important point: you must state the purpose for collecting information.
Given the imbalance of power in an employer/employee relationship, you may want to avoid relying on consent and instead look to legitimate interest as the lawful basis for collecting employee data.
Right of Access – You must provide employees a copy of their personal data upon request.
Data Portability – The right of EU citizens to obtain a copy in “machine readable format” of any personal data they have provided to the employer, and to transfer it to another organization—including a competitor.
This simple-sounding rule has generated controversy and confusion, in part because it may not apply to data derived from “smart” devices such as a GPS tracker or a wearable health device. Look for clarification in the future. In the meantime, if you get a request for IoT data, consult with your Data Protection Officer before responding.
Right to be Forgotten – Also known as the “Right to Erasure,” this rule stems from European court rulings and requires you to delete employee personal data under any of these circumstances:
- The employee withdraws their consent.
- The data is no longer needed for the purpose you originally specified.
- The data was obtained unlawfully—for example, when the employee was underage.
You must remove any copies of the data and any links to it. If it has been posted online, you must remove the posting. You must stop providing the data to third parties and communicate the erasure request to the third party recipients.
This provision has also caused confusion because employers are legally required to maintain certain types of employee information for specified lengths of time.
Data Breach Notification – If you experience a data breach—an exposure of sensitive personal data, the theft of a device containing personal data or unauthorized access to personal data—you must notify the appropriate regulator within 72 hours of finding out about it.
Sounds pretty straightforward. However, the regulation also says that notifying regulators isn’t necessary if “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons.”
What does that mean?
If the consequences of the breach are minimal (i.e. would not result in risk to the data subject), you may not have to notify outside authorities. For example, if a laptop is stolen but the data it contains is encrypted, or if an employee accidentally stumbles upon personal information she wasn’t supposed to see, you don’t have to tell anyone outside your organization.
The rule still leaves room for interpretation. If you’re hit by a denial-of-service attack and employees can’t access their records for a couple of hours, is that something you need to report to authorities?
What about a ransomware attack? You probably need to report it.
And if you report to the regulators and the breach is likely to result in a high risk to the data subjects, you must also notify those affected “without undue delay.”
Over time, examples of required notifications will come to light and provide more clarity. In the meantime, consult your DPO and err on the side of caution.
These terms relate to general concepts and procedures for staying in compliance.
Privacy by Design – This idea has been floating around in Canada and Europe for years, and has finally been codified by the GDPR, which calls it “data protection by design and by default.” It means you should embed privacy into your organization’s everyday activities. Privacy becomes a continuous consideration as processes and technology within the business change.
Binding Corporate Rules (BCR) – These apply to multinational organizations, which must establish internal rules for safely transferring personal data internationally within the corporate group. The rules must be approved by the Information Commissioner’s Office (ICO).
Data Protection Impact Assessment (DPIA) – Anytime you start a new project that requires collecting sensitive employee data, you need to conduct a Data Protection Impact Assessment to identify and mitigate risks before you begin processing the personal data. You’re not expected to eliminate all risks, only to mitigate them. A DPIA can be valuable both in preventing problems and in demonstrating compliance to authorities.
It’s not clear whether DPIAs apply only to projects that start after the GDPR goes into effect or whether they could also apply to those already in progress. To err on the side of safety, some companies are conducting DPIAs of existing projects they see as high-risk.
Third-Party Risk Management – You are responsible not just for your own stewardship of personal data, but for that of your business partners. You are expected to mitigate risks through contracts and due diligence assessments.
The first step is identifying all partners and third-party contractors you share EU personal data with. Then decide which should be assessed for security and privacy. Amend any contracts that don’t follow GDPR provisions.
This is just a “bare-bones” outline of some of the things you need to know to be prepared for GDPR. To learn more and have your questions answered, sign up for a FREE WEBINAR April 5 with GDPR and cybersecurity expert Lisa Berry-Tayman.
By Lisa Berry-Tayman
Sr. Manager, Privacy & Info Governance at CyberScout Solutions