For those who have been living under a rock for the past year or so, the GDPR is the General Data Protection Regulation that came into effect in May 2018 in the European Union (EU).
It affects any individual, corporation, public authority, agency or other body that processes the personal data of individuals who are in the EU.
We blogged before the GDPR came into effect about how HR and People leaders can be GDPR prepared.
Now, over one year on, what’s happened?
One year on, we know that GDPR compliance is a continuous effort rather than a one-off task.
Preparing for the GDPR may have been demanding, but that was just the start: what matters now is ongoing compliance.
Luxembourg’s National Commission for Data Protection (CNPD) commissioner, Christophe Buschmann, explained that one of the main issues for companies has been keeping pace:
“Either you move with everyone on a continuous basis, or you just don’t get it and you stop acting and the whole world moves forward… Then it will be very hard to catch up again.”
Over the last year, the new regulations have meant significant work for HR and People teams:
According to Bank Info Security, there have been 65,000 data breaches since the regulation came into force, and a total of $63 million in GDPR fines have been imposed.
Under the regulations, companies could potentially be fined up to 4% of their annual global turnover, or €20 million (whichever is greater) for serious offences like not meeting the basic principles for processing.
This includes not having obtained any required consents or breaching an individual’s rights.
Smaller fines of 2% can be applied for failing to keep your records in order, failing to report a breach, or failing to conduct privacy impact assessments where processing is likely to result in a high risk to individuals.
The UK Government has said it wishes to keep an unhindered flow of data between the UK and the EU. However, under the GDPR, data about EU data subjects cannot be processed in the UK without either a data adequacy decision (which is not yet in place and is likely to take at least a year) or additional safeguards being put in place.
There is, however, unlikely to be a GDPR impact on the flow of personal data about UK data subjects from the UK into the EU and back.
Even if the UK leaves the EU in a ‘no-deal’ scenario, UK companies will still need to continue to comply with GDPR rules and follow ICO guidance.
The UK Government has confirmed there will be no immediate change to the UK’s data protection standards.
The GDPR would be brought into UK law, and the ICO would remain the UK’s independent supervisory authority on data protection.
The right to be forgotten is a vital part of the GDPR. Organizations need to ensure that there’s a consistent policy in place for the thorough identification and deletion of data. That includes:
Hopefully, you’ll never have a data breach, but if you do, you need to be able to act immediately, which means having a clear protocol in place should something happen.
In the EU, companies must notify the relevant supervisory authority within 72 hours of any breach coming to light.
Along with other relevant stakeholders in your organization, decide who should take the lead on investigating breaches.
You should establish who needs to be aware and what they are expected to do to help rectify the breach and notify the relevant supervisory authority in your region (in the UK’s case, the ICO).
In addition, if the personal data breach poses a high risk to the rights of the individuals affected, the organization may have to notify those individuals of the breach within a certain timeframe.
The UK’s Information Commissioner’s Office (ICO) is continuing to issue guidance on the GDPR and what it means for organizations. It’s worth registering for updates on their website to stay up to date with the latest developments.
After more info about GDPR for HR? Download our essential eBook with everything you need to know.