Implementation of the new data protection regulations: A practical guide
In a time in which sensitive personal data are primarily managed digitally, HR departments and recruitment consultants are placing a strong focus on the topic of data protection. The European Union Data Protection Amendments (EU-DSGVO) will apply from May 2018. From then on, the 28 EU member states will be obliged to take the new regulations into account. What you should know.
Data protection: More transparency for the user
The Data Protection Amendments (EU-DSGVO) are designed to provide more transparency for EU citizens: How do companies deal with their personal data? The change in the law affects HR departments and personnel consultants in particular. In both cases, the management of digitalised personal data is ultimately part of everyday business. This does not present a problem provided that HR departments and personnel consultants take the new law into account. First, the good news: The new regulations do not only mean additional work. They also help to reduce bureaucracy. Companies processing personal data will no longer be subject to a reporting obligation, which reduces the administrative procedures associated with it.
The main points of the amendment to the law at a glance
Other important points on the amendment to the law in a nutshell:
- The same data protection rules apply throughout the EU. This means increased responsibility and liability for all companies and departments processing personal data.
- The right to be forgotten: If users request that their data not be processed further, it must be deleted within one month.
- If personal data is to be processed, users must actively opt in; they currently have to actively opt out.
- Users have a right to transparency – they may submit a request to find out what data has been collected and how it is processed.
- Part of the DSGVO involves companies creating a data register. This must include the following: Processing target, passing data on to a third country, a general description of the technical and organisational measures, and the contact details of those responsible.
- Companies must make a data protection statement available to explain what they are doing with the personal data. They must inform people of their rights. This includes the option of amending, viewing or deleting data.
- In the event of a loss of data, companies and organisations must normally meet their official reporting obligation within 72 hours, and in any case as quickly as possible.
- Companies only have to deal with a single supervisory authority, namely the one where they have their headquarters.
- The EU regulations also apply to companies not based in the EU as soon as they offer goods or services in the EU or even if they only offer online market research to EU citizens.
- National data protection authorities are strengthened in terms of their core competencies, meaning that they will be able to better implement the new EU regulations. For example, they will be able to prohibit individual companies from processing data.
Severe penalties for breaches of privacy
The penalties for violating data protection regulations are now much more severe than before. Where a maximum penalty of € 900,000 currently applies, from May 2018 the penalty could amount to € 20 million or 4% of the current annual turnover. This is made all the more problematic by the fact that many SMEs are seemingly not yet taking the issue as seriously as they should, as a study by Veritas Technologies, a market leader in information management, notes. According to the study, only two percent of the companies asked are prepared for the new data protection regulations. There are issues especially when it comes to dealing with breaches of privacy. Most companies cannot guarantee that they can report the loss of personal data within the prescribed deadline. In addition, not every company is able to implement the “right to be forgotten”, whereby users can demand a total deletion of their data.
What should companies do now?
Time is running out! What can companies do in the months left before the EU-DSGVO enters into force? Legislators are providing assistance in terms of risk assessment. The regulation requires a Privacy Impact Assessment, or PIA for short, which involves investigating the following processes:
- Does the company’s website include a data protection statement specifying why data may be requested, which third parties may receive this data and for how long it will be processed?
- Does the company obtain explicit consent from the person whose data they are requesting?
- Are measures taken to ensure that only authorised persons are able to have access to personal data?
- Is there a person responsible for data protection in the company?
- Does the company have guidelines for retaining, destroying or anonymising personal data?
- Is the company able to immediately delete candidate data when asked?
- Can the company give people a full overview of the data they are holding that pertains to them?
The results of the assessment provide an immediate reference base for optimising in-house processes and systems relating to compliance requirements. If you would like further information on handling these issues, we recommend our whitepaper on the GDPR: Focus on protecting your data!