There’s a new era in data on the horizon.
The General Data Protection Regulation marks a sea change in our definitions of privacy in the marketplace. Is your team equipped for the journey ahead?
GDPR is an EU-wide policy that gives EU data subjects a huge amount of control over their personal data. It’s a bigger, beefier and more articulate version of the 1995 Data Protection Act. It was passed into law on April 14th, 2016 and goes into effect today, May 25th of 2018.
You've probably heard quite a bit about GDPR fines for noncompliance in the news recently. So what does complying with GDPR mean? What data is protected?
GDPR regulates the collection of what it calls ‘personal data,’ what we might know as ‘personally identifiable information’ (PII) in the States. The DPA already did this extensively, but GDPR expands the definition of ‘personal data’ to include more ‘sensitive’ information.
Under GDPR, personal data constitutes “any information that may lead to an identified or identifiable natural person.” If that sounds broad, that’s because it is.
Sensitive personal data includes:
- Sexual orientation
- Political ideology
- Religious beliefs
- Union membership
- Criminal records
- Judicial proceedings
- Health diagnoses, etc.
- Racial and Ethnic origin
- Genetic Data / Biometric Data
But, I hear you asking, “I don’t ask about my recruits’ love lives or how my customers’ gallbladders are doing. How would I even get this information?”
Great question, imaginary person.
Let’s say you’re onboarding a new programmer named Tom. He’s filling out his emergency contact information. He lists his contact’s name, James, provides contact information and specifies the contact relationship as husband.
Which data is protected under GDPR?
You might’ve said just the contact information, but the entire form is considered personal data under GDPR. Recall that GDPR defines personal data as “any information that MAY lead” to a person’s identification.
If you’re an ill-intentioned data miner or advertiser who buys Tom’s data, you now know that Tom is married and you can reasonably infer his sexual orientation. Both pieces of information can lead to targeted advertising. It’s alarming how such a tiny breach in hiring data protection can compromise someone’s privacy, isn’t it?
While it’s public knowledge that this sort of data misuse is common practice among large tech companies, GDPR’s consent parameters make it far more difficult for Big Data and advertisers to exploit EU data subjects.
Whose Problem Is It Anyway?
Now, I can hear our American readers echoing the ever-present 8th-grade algebra question, “Do we even need to use this?”
Your organization requires GDPR compliance if:
- You have any customers within the European Union.
- You store any personal data within the EU, whether through your own systems or a third party.
- You store any personal data from an EU citizen (data subject), regardless of where that data is warehoused.
- You store any transaction records between you and any organizations within the EU, regardless of where that data is warehoused.
The GDPR designates two main categories of responsible persons in a data privacy query.
There’s the controller, an organization or individual who collects and stores personal data. Controllers are held responsible for designating use of said data, as well as guarding against potential misuse. For example, in the case of any data breach, controllers are responsible for notifying data subjects within 72 hours.
And then there’s the processor, who carries out the intended use of personal data outlined by the controller. The processor must also submit to the above guidelines in order to maintain their processor status under GDPR.
Know Their Rights!
So what are an EU citizen’s data rights under GDPR requirements?
A data subject (the GDPR’s euphemism for ‘consumer’) must be able to easily and completely consent to any data collection by a controller. Therefore, the controller needs to promptly notify data subjects of what data is being collected and why.
In addition to mandated collection awareness and consent, there are six primary data rights:
Right to Access
- At any point, an EU data subject may request access to and/or a copy of their data that a controller holds. The controller must accept and process the request “without undue delay.”
- Ex: A customer who consents to your marketing software asks for a copy of the data collected from them.
Right to Rectification
- At any point, an EU data subject has the right to request that a controller or processor change any of their personal data found to be incorrect or incomplete.
- Ex: A construction company has moved offices and requests to have their current address updated.
Right to Erasure
- An EU data subject has the right to have data that might identify them removed and/or deleted from the servers of any controller or processor at any time.
- Ex: A former customer switches to a different provider and requests that their data be deleted from your servers.
Right to Restrict Processing
- An EU data subject has the right to cease the processing of any data by a controller or processor, for example where:
  - The data inaccurately affects the customer.
  - The processing is found to be unlawful, i.e. without the subject’s consent.
  - The controller has not demonstrated need for the data and the subject requires it for the establishment of a legal claim.
- Ex: A customer is wary of your chosen data processor and requests that it cease processing their data.
Right to Portability
- Any data requested by a data subject must be delivered in a “structured, commonly-used and machine-readable format.”
- A subject can request to have that data transmitted to a different controller without any “hindrance.”
- Ex: If a customer requests data, it must be easily comprehensible and in a commonly used format (docx, pdf, etc.).
Right to Object
- A data subject reserves the right to refuse processing of personal data, including profiling based on collection of personal data.
GDPR Compliance Confirmed
Hopefully, this GDPR overview motivates your organization to develop a compliance strategy if you haven’t already.
(Why haven’t you? Go do that!)
HR Cloud has prepared a slew of ongoing features and policies that place data privacy decisions where they belong: in the hands of our customers.
To learn more, stay tuned for our next blog or
For any lingering questions, please refer to the GDPR text itself, which you can find here.
This post is not a comprehensive representation of EU data policy, nor is it legal advice for your company to use in complying with EU data privacy laws.
Its primary function is to inform you about the steps that HR Cloud has taken to respond to GDPR’s important legal regulations. That’s it.
We are not advising you on any sort of legal action or compliance policy.
If you feel the need to set up a compliance strategy for your own organization, please contact an attorney’s office - preferably one specializing in international data logistics - and confirm that your interpretation of your GDPR responsibilities is accurate.
Once again, you may not rely on this post for legal advice or anything resembling it. This post does not serve as a recommendation or replacement for any action based on a legitimate legal framework.
The products, services, and other capabilities described in this post are not applicable to every situation and access may be restricted.