The Impact of GDPR on Talent Mobility
The General Data Protection Regulation (GDPR) is recognized as the most important change to data privacy regulation in the European Union in the last 20 years. On May 25, 2018, the GDPR will come into effect and non-compliant organizations may face heavy fines. This Insights article offers detailed information about the GDPR, the main principles to keep in mind, and the support clients can expect to ensure data security.
Data Privacy: Past & Present
When the GDPR takes effect in May this year it will replace the Data Protection Directive, which passed in 1995. The directive was the European Union’s answer to the diverse set of privacy regulations across the EU, harmonizing data privacy laws across Europe. Its primary purpose was to protect all EU citizens’ data privacy and reshape the way organizations across the region approached data privacy. However, it was still a directive rather than a directly applicable regulation, which left room for interpretation when each member state transposed it into its own national law.
This fact, along with today’s rapidly changing data landscape, reinforced the need for another update, which led to the development of the GDPR. As a regulation, the GDPR will become an immediately enforceable law in all European Union member states.
The Main Principles of the GDPR
Many of the main principles on privacy remain from the previous directive; however, social media and cloud storage were not a reality in 1995. Modern technology was a large influencer in developing the regulation. The GDPR will update the standard to fit today’s technology, while also remaining general to protect the fundamental rights of individuals throughout future waves of innovation.
The following are five important elements of the GDPR:
- The definition of personal data has expanded to encompass any information relating to a natural person, or ‘data subject’, that can be used to identify that person directly or indirectly. It can be anything from a name, a photo, an email address, or bank details to posts on social networking websites, medical information, or a computer’s IP address.
- Under the GDPR, data must be “adequate, relevant, and limited to what is necessary.” Organizations must ensure that they collect only the data they need for each specific purpose of processing; in other words, data can only be collected for a specific, stated reason.
- The “right to be forgotten”, or data erasure, entitles the data subject to control over their information. Under the GDPR, organizations cannot retain personal data for longer than is legitimately necessary. This includes data that is no longer relevant to the original purposes of processing, and data for which the data subject has withdrawn their consent.
- Organizations whose operations monitor data subjects on a large scale are required to appoint a Data Protection Officer (DPO). The DPO must, among other duties:
- Have expert knowledge of data protection law and practices
- Report directly to the highest level of management, e.g. the Chief Executive Officer (CEO)
- Notification by controllers to the supervisory authority of certain data breaches will be mandatory within 72 hours of breach awareness. Data processors will be required to notify their customers “without undue delay” after first becoming aware of a data breach.
What impact will GDPR have on the U.K. when it exits the European Union?
The British government supported the GDPR upon its approval in April 2016, before the country voted to terminate its EU membership. On May 25, 2018, when the GDPR goes into effect, the U.K. will still be an EU member and will therefore be subject to the rules and obligations set out by the regulation. Moreover, the British government has already proposed a new Data Protection Bill that will enshrine the basics of the GDPR in British law.
In any case, the scope of the GDPR extends to all companies holding data on EU citizens, regardless of where the business is based. This means that continued compliance with these rules is essential if U.K. companies wish to carry on trading legally in Europe, even post-Brexit.
Ensuring Continuity of Service and Compliance
BGRS is committed to keeping personal information accurate, secure, and private. BGRS continues to align its security controls with ISO 27001 to ensure consistency with industry-recognized practices and processes. The GDPR will affect BGRS supplier contracts and client contracts, and will mandate many complex updates to policies throughout the business. The following are just some of the steps clients should expect from their service providers:
- Amending all existing supplier agreements to mandate compliance with all GDPR requirements
- Cooperating with all client requests to update data protection provisions in client agreements
- Compiling detailed personal data and subprocessor inventories
- Updating all relevant policies
- Completing a thorough review of all systems used to process personal data and making all necessary enhancements