Since the late 1980s privacy legislation has been a compliance concern for global HR leaders. The legislation established standards to protect sensitive, personal information. Sensitive information includes employee names, addresses, identification/registration numbers, phone and email contact information, number of children, names of spouses, etc. Privacy legislation seeks to give the control of this sensitive, personal information, about an employee for example, to the employee. Legislation also typically includes the way in which companies can make legal use of their employee information, for example, sending employee data files back and forth across country borders.
Particularly in Europe, privacy legislation has gone through several iterations of compliance requirements, the latest of which is the General Data Protection Regulation (GDPR), effective May 25, 2018. Companies must comply with the GDPR, and implement the new rules specifying how the employer must collect, store, and use employee information. This legislation covers all employers with employees in Europe, even if the employer is located outside of Europe, for example, an American headquartered company with an employee in Germany, for example.
Features of this legislation include:
- Employers must obtain consent from employees for the access and use of their personal data.
- Significant fines and penalties result from non-compliance.
- Employers must document their compliance and establish processes to manage the information.
We recommend the following:
- A Global Data Protection officer be appointed to manage the Data Protection legislation requirements. Company leadership and management personnel should be made aware of the legislation and the compliance requirements.
- Review the UK’s Information Commissioner’s Office (ICO) “Preparing for the General Data Protection Legislation-12 steps to take now” document available here: https://ico.org.uk/ This document will help orient you to the EU data privacy directive. Determine what data protection steps you are currently taking.
- An outline of requirements for each country in which the organization does business or has employees should be produced.
- The company should identify the employee data and information that is being collected, the organizations or individuals with whom that data is being shared, and what actions are currently being done to that data.
- Review the US privacy shield website at: https://www.privacyshield.gov/welcome. The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. However, it is important to remember that if the company to which you send data is not certified, using the Privacy Shield will not be compliant.
- Establish a compliance program to ensure the company meets all data protection requirements. Ensure the information is communicated to managers. Ensure an audit process is established to review compliance on a regular basis.
If this is a bit overwhelming, we would be happy to take over the process for you and get it up and running. As a global VPHR, I’ve worked with the architects of corporate compliance since the late 1980s. It is no more difficult to implement than other compliance programs, but it is complex. Give us a call at (914) 218-3149 if you would like us to help you with the program.