On May 25, 2018, data protection in the European Union (EU) gets an upgrade as new regulations take effect. HR leaders and talent acquisition (TA) teams in Europe and globally will feel the impact, since the EU General Data Protection Regulation (GDPR) has implications for every business that processes the personal data of individuals in the EU, wherever that business is based. It's not too soon to talk with your HR tech partners about the steps they're taking to comply with the GDPR.
A primary aim of the GDPR is giving individuals control over their personal data. It also unifies data protection regulation across the EU, making it easier for international businesses to remain in compliance. The GDPR extends the reach of EU data protection law to foreign companies that process the data of people in the EU, and it has teeth: non-compliance carries penalties of up to 4% of annual global turnover or 20 million euros, whichever is higher. By the May 25 effective date, companies will have had about two years to transition into compliance with the GDPR's strict standards. If your HR tech vendors do business in the EU, here is what you should be asking about data privacy in their product design and their data processing lifecycle:
Will you meet the GDPR’s May 25th effective date?
Some companies, like Montage, have been working closely with their EU clients to ensure compliance by the effective date. Find out whether your HR tech vendor is ahead of the curve, on track, or likely to incur penalties that could eventually affect your organization as well.
What changes are you making in these areas?
- Consent: When and how will you inform each user about their rights regarding the data you collect and use? Under the GDPR, consent must be freely given, specific, informed and unambiguous, and withdrawing it must be as easy as giving it. How will you present the option not to participate, and how will a user withdraw consent later?
- Right to Erasure: What procedures will be in place for users who want their data erased? Will these require coordination with our organization, so that your erasure procedures do not conflict with the data retention obligations we are under?
- Right to Data Portability: How will you respond when users request a copy of their data, or ask to have it transmitted to another provider? The right covers personal data the user provided, delivered in a structured, commonly used, machine-readable format. What data will users be allowed to copy or transfer, and how will you keep your own confidential data, and other users' data, out of the export?
- Automated Decision-Making: If your technology uses automated decision-making, how will you alert users to this fact? The GDPR also requires that users be told of their right to human review of, and to contest, decisions that were made solely on an algorithmic basis and that have legal or similarly significant effects on them, so be sure to talk with your partner about this as well.
- Maintenance of Records: How will you change your business processes to comply with the GDPR's requirements for maintaining records of processing activities? At a minimum, most companies will need to expand their recordkeeping to include the purpose(s) of the processing, the categories of data subjects and personal data involved, and the envisaged retention periods.
Will Employees Be Ready to Participate?
Finally, ask about your HR tech vendor's plans for employee training. As with any change to internal policies and procedures, training and change management are vital. Talk with your vendor about their plan to ensure that their employees understand the GDPR's requirements and are ready to participate fully in their organization's efforts to protect user data.