No matter where you are, you’ve probably seen some mention of the General Data Protection Regulation (aka GDPR). The aim of the GDPR is to protect all European Union (EU) citizens from privacy and data breaches in an increasingly data-driven world. It’s an extension of a 1995 law from a time when, I think we’d all agree, technology was vastly different.
Some readers might be saying to themselves, “I’m not in the EU so this law doesn’t apply to our organization. I’ll just skip today’s HR Bartender article.” Well, not so fast. The GDPR does have implications for organizations that have customers or employees in the EU, regardless of where your offices are located.
I asked Tom Wetherill, Unum’s head of privacy and financial in the United Kingdom, if he would share some information with us about the GDPR regulations and what it means for HR. Thankfully, he said yes.
Just as a reminder, Tom is offering general information about the new regulation, not legal advice. If you have any specific questions about how GDPR impacts your business, you should contact your friendly neighborhood counsel.
Tom, can you give readers a brief description of GDPR.
[Wetherill] I would describe GDPR as an enhancement of current data and privacy legislation. Essentially, it harmonizes the privacy laws that already existed. An important distinction, though, is the shift from directives that could be translated into law, to a regulation, which requires more-strict adherence to the terms and carries high penalties for non-compliance. It also expands individual’s rights.
If I’m based in the United States, why should I pay attention to GDPR?
[Wetherill] Globally, the European Union is looked to as a leader in data and privacy law, which means other countries and regulatory bodies are likely to move in this direction. Companies looking to ensure they are well-prepared for changes to regulation, and who want to uphold the highest data and privacy standards, would benefit from learning more about the GDPR, its provisions and possible implications.
At Unum, our U.S. teams went through the same processes to map our data, and preparations for the regulation as our U.K. team did. The GDPR does bring new territorial scope to those entities that are situated outside of the European Economic Area (EEA)and offer either goods of services to EU based residents, however, this has minimal impact on Unum Group.
Importantly, too, industries that aren’t regulated would experience a massive change with a similar law because they aren’t required to have systems and controls in place. Consider the implications now and put some processes in place to protect your company and your customers’ information.
Why would this regulation be of particular interest to human resources professionals?
[Wetherill] Human resources professionals should consider how data, particularly personally identified information (PII), is captured, stored and used at key moments for their employees, such as pre-employment data. In the U.K., HR professionals will also need to understand how individual rights have been expanded and timelines reduced and know that we are required to evidence what we do.
For example, employers will be required to more quickly provide personal data records for customers upon request. A concept that would also be of interest to HR employees regardless of geography is data minimization – which in principle means working with no more data than necessary, storing and removing it appropriately and using it for the reason it’s provided.
At Unum, this attention to trends and commitment to integrity means we’ve been preparing for a likely shift in this direction for some time, which will be a benefit to our staff as we prepare for the May implementation date.
Are there consequences if our organization doesn’t comply?
[Wetherill] Yes, there are absolutely consequences. The max penalty is 4 percent of profit for non-compliance, but the details depend on the company size and other variables. Equally damaging would be reputational risk of not complying or of suffering a data breach after having failed to take the required protocol and steps to prevent one.
Is this an opportunity for HR to partner with their Marketing department in developing a policy? Why or why not?
[Wetherill] Many of the policy implementation will rest in operations and legal, but human resources would be wise to work with marketing to ensure policies – new and existing – are clear to employees and customers alike. Likewise, it could be an opportunity to provide customers helpful resources, materials and answers to the top questions coming from the market.
Last question: When faced with implementing a huge regulation (like GDPR), what are 2-3 things that organizations should keep in mind?
[Wetherill] I mentioned earlier the preparations that the Unum UK and U.S. teams have done. Some of the things we kept in mind:
- Support from every level of the business. There should be a commitment from leadership down to ensure laws like this are a top priority and that compliance is encouraged throughout the organization.
- Understanding of your business and culture. You’ll need to understand the inner- workings of your operations, then undertake projects with a mind to be both comprehensive and proportionate. Look at everything but build controls and processes for the most important variables and enhance existing ones rather than ‘re-invent the wheel.’
- Constantly monitor and anticipate change. Stay on top of trends and keep stakeholders informed so that by the time an implementation date arrives, you are well prepared to meet the requirements.
I want to thank Tom and the team at Unum for sharing their knowledge on this subject. I’m confident we are going to hear more about GDPR in the months to come. And if you have a moment, be sure to check out Unum’s WorkWell blog. It’s filled with articles that you can share with employees about health, wellness, careers, etc.
Image found on EU General Data Protection Regulation3