Commonly known as the GDPR, the EU General Data Protection Regulation requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.
GDPR aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.
The GDPR applies to all organizations that collect the data of people who live in the EU, regardless of the organization’s physical location. That means the GDPR impacts organizations across the globe, and the penalties can reach up to 4 percent of the global revenue of the parent company or 20 million euros, whichever is higher. Enforcement begins on May 25, 2018.
The regulation requires privacy by design, which means that a data system needs to include data protection from the start, rather than as an addition. Organizations must only hold and process the data that is absolutely necessary, and limit access to that data to those who need to process it.
The GDPR also requires consent and provides the people whose data is collected with the right to confirmation as to whether or not their personal information is being processed, where it is being processed and for what purpose. If the person requests, the organization also needs to provide a copy of the personal data, free of charge, in an electronic format. The person has the right to give that data to another organization.
Additionally, the GDPR includes the right to be forgotten, also known as data erasure, which entitles the person whose data was collected to have the organization erase the data, cease any dissemination of the data and potentially halt a third party’s processing of that data.
The regulation requires organizations to notify the people whose data they collect within 72 hours of first becoming aware of a data break that is likely to “result in a risk for the rights and freedoms of individuals.”
Organizations that collect data previously had to notify local data protection advisors about their data processing activities. Under the GDPR, data collecting organizations will not be required to submit those notifications or registrations, but they will need to meet internal recordkeeping requirements, and some organizations will need to appoint data protection officers.
Compliance Corner is a feature on the PeopleScout blog. At least once a month, we’ll be featuring a compliance issue that’s in the news or on our minds. Understanding the patchwork of labor laws across the world is complicated, but it’s part of what we do best. If you have questions on the compliance issue discussed in this post, please reach out to your PeopleScout account team or contact us at firstname.lastname@example.org.