Many viewed the highly anticipated coming into force of the European Union's General Data Protection Regulation (“GDPR”) on May 25, 2018 as the "finish line" for the marathon efforts towards privacy compliance that took place in the months running up to this date. In reality, however, this date should be treated instead as a "starting line" from which to launch mandatory organizational protections for the personal data of individuals in the EU and elsewhere going forward.
Most companies with European operations have spent at least two years preparing for the GDPR. These often extensive (and expensive) efforts were typically led by companies' legal, compliance, IT and security departments, and/or privacy offices, if any, and were supported by outside counsel and privacy consultants. The efforts often prioritized commercial or business data processed by the companies (through their websites, products, business contracts, etc.) instead of the data of employment candidates, employees, and other workers, such as temporary agency workers and independent contractors (collectively, "HR data"). This article will briefly discuss the basic steps organizations were required to implement for the GDPR, but will primarily focus on the work that should continue for HR data compliance from this point on.
This ongoing work will typically fall within the ambit of HR professionals and others who are responsible for management of global HR data (or privacy compliance generally). A common frustration with prior GDPR "readiness" efforts is that those charged with leading them often did not have enough insight into the nuances of HR practices and common employee privacy issues, including some of the carve-outs and exceptions to the general rules that must be applied in the employment context (e.g., the inability to rely on employee consent for most purposes). At the same time, HR managers often suffer from a lack of visibility into the details of broader organizational compliance efforts (e.g., they have been told that data transfer agreements are in place but not which exact purposes those agreements cover). The end result can be gaps in compliance with respect to HR data and HR processes, and the lack of a comprehensive plan for ongoing compliance, which in turn can carry the risks of fines, claims, and employee relations as well as public relations issues.
This was first published in Bloomberg Law.