GDPR will replace the existing Data Protection Directive, bringing with it some drastic changes for companies that work in the UK and EU, and for companies that do business in the region as well. The new regulations mean changes across human resources for all businesses who handle personal data. Personal data, under GDPR, means any information that could identify a person directly or indirectly – this includes birth date, IP address and even a name.
Given the broad nature of GDPR, almost all businesses operating in the EU or UK will need to revise internal practices. The new regulation means changes in privacy notices, consent notifications, breach notifications and more. Companies must notify individuals how long their data will be stored, if it will be moved, as well as allow the individual to access and delete the data under specific conditions. Given the vast amount of new regulations, which will drastically change the way HR functions operate in many companies, executives are trying to get a handle on how to update internal company policies.
Internal policy changes startups should consider or make
Companies must begin to change internal policies now in order to be ready to comply with GDPR standards. Businesses that handle personal data can start by reviewing current practices in order to evaluate risk.
1. Audit data processes: Businesses should start by inspecting how data is stored and used. What data is kept? For how long? How is that data used? Is it ever transferred anywhere, specifically outside of the EU or UK? By organising current company practices, businesses can begin the process of becoming GDPR compliant.
2. Prepare to communicate: GDPR requires communication on how an individual’s data will be used, so companies should think about how they will communicate that information in an easy-to-digest format.
3. Prepare for individual rights: Individuals can request access to their data and even can request that their data be deleted, which means companies need to prepare a standard process for that request.
4. Revise privacy notices: GDPR requires that privacy notices are written as follows:
   - a. Concise, transparent, intelligible and easily accessible
   - b. Written in clear and plain language, particularly if addressed to a child
   - c. Free of charge
   Companies should begin revising privacy notices in order to have them ready for the next year.
5. Analyse risk and security: Companies should understand where any possible security breaches could take place when it comes to individual data. Organisations must start to implement safeguards now in order to address those security concerns.
GDPR requirements are vague in certain areas, which is why many companies have chosen to bring on a Data Protection Officer (DPO) to ensure compliance.
The role of the Data Protection Officer
GDPR affects almost all departments across a company that stores data. From legal to human resources to marketing, all departments must be ready to comply. Given the complicated nature of GDPR, certain data processors and controllers are required to hire a DPO. Article 37(1) of the GDPR requires the designation of a DPO in three specific cases:
- Where the processing is carried out by a public authority or body
- Where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences
Companies should review GDPR guidelines to understand whether or not a DPO is required. Additionally, GDPR encourages the voluntary hiring of a DPO for companies not specified above.
How a DPO can help with GDPR
A DPO can serve as an internal watchdog in the company, operating outside of management. This person will have to be fluent in GDPR guidelines and prepare to implement them across all departments. Failure to follow GDPR can result in a penalty of up to 4% of the total revenue of the group of companies, making compliance financially sound. Furthermore, GDPR can impose sanctions on companies that fail to comply, barring them from personal data processing.
For companies that choose not to hire a DPO, issues can arise because someone must take control of data practices internally, a large responsibility to add to the plate of the chief data officer (CDO) or chief information officer (CIO). Furthermore, there is a need for a person to have a comprehensive, company-wide overview of the data practices to ensure compliance. This person will have to know everything about the company’s data: what is collected, what is stored, what is moved, who has access, etc. The role requires knowledge of security controls and being able to handle a breach of data as well. When all is said and done, this can be a full-time job for one individual, not necessarily something that can be piled on a CDO or CIO.
The job of a DPO may begin with making sure a company adheres to GDPR standards, but this role will grow and evolve as more data regulations come into place. Furthermore, once GDPR, which is written in a vague manner, is implemented, companies may find themselves scrambling to change policies, so having one person at the helm is incredibly useful. Whereas once data privacy was pushed to the back of many companies’ priority list, GDPR is forcing it to the forefront, creating the need for a DPO to help organisations navigate the changes.