On 25 May 2018, the General Data Protection Regulation will come into effect, and overhaul the EU’s data protection landscape. The GDPR is a significant legislative action which builds on the existing Data Protection Directive (1995): in practice, it promises to harmonise data security and online privacy laws, and provide enhanced clarity and accountability on a Europe-wide scale. As we previously reported, the regulation has particular relevance to payroll and HR processes, since it will affect what kind of data can be held, how it is used, and who it can be accessed by.
The GDPR will affect all EU residents and businesses. Although Brexit negotiations will be in full swing in 2018, UK employers must remain in compliance with the GDPR - which will in theory make it easier for member-state organisations to do business with each other. For organisations not compliant with the new data rules, authorities have the power to impose substantial fines - of up to 2% of gross global earnings.
Terminology and Principles
To avoid that kind of compliance penalty, businesses across Europe need to adjust to the new legislative environment created by the GDPR. This environment is founded on a set of principles - each of which relates to the GDPR’s philosophy and mission.
Understanding the principles of the GDPR means understanding what is meant by the specialised terminology it employs - which this article now presents in plain language, to help make the legislation more accessible:
GDPR Key Terminology & Definitions:
Data Subject: An identified, or identifiable, person - you, for example, could be a data subject.
Personal Data: Information belonging to a data subject which could be used to identify them - for example, date of birth or national insurance number.
Sensitive Data: Specific types of personal data are considered ‘sensitive’. These might include medical or genetic data.
Data Controller: The entity which decides what happens to data, and how it will happen.
Data Processor: The Data Processor handles and processes data, based on instructions from the Data Controller.
The 6 Principles
With those terms established and understood, the 6 data principles of the GDPR can be examined:
1. Lawfulness, Fairness, and Transparency
“Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject”
Meaning: The GDPR states that data must NOT be used for criminal purposes. Furthermore, the data subject has a right to know what data is being collected - and how it is being used.
Payroll practice: From an outsourced payroll perspective, the GDPR will require our customers to inform their employees of the data being collected for the purposes of calculating payroll, and that activpayroll is their chosen data processor.
2. Purpose Limitation
“Personal data shall be collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes”
Meaning: Under GDPR rules, data must ONLY be used in the manner described by the data controller.
Payroll practice: activpayroll must only use the data we receive from our customers to calculate, process and report on payroll.
3. Data Minimisation
“Personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.”
Meaning: Data collected from a data subject should ONLY be that which is needed for the specified job it is intended to do.
Payroll practice: activpayroll must only collect the data we need to process payroll accurately and efficiently - and remain legislatively compliant with the territories in which we operate.
4. Accuracy
“Personal data shall be accurate and, where necessary, kept up to date”
Meaning: Data collected and used by the data controller should be correct and current.
Payroll practice: To ensure the accuracy of the data we collect, activpayroll will receive regular updates from our customers’ internal systems - or directly from employers.
5. Storage Limitation
“Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”
Meaning: Data collected and used should be kept by the Data Controller in an appropriate manner - for as short a period as possible.
Payroll practice: activpayroll must ensure that the data we hold is encrypted wherever possible, and securely destroyed when it is no longer required.
6. Integrity and Confidentiality
“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.”
Meaning: Any personal data collected must be held securely, and in a manner which protects it from BOTH deliberate and accidental misuse.
Payroll practice: All data held by activpayroll must only be accessible to personnel with a legitimate business need to access it. That data must also be backed up appropriately.
Enhancing Protection & Accountability
Many UK readers will recognise the similarity of the GDPR’s principles to the existing UK Data Protection Act. Crucially, the GDPR expands and clarifies certain shared concepts such as accountability, ownership, and visibility, in a way which provides Data Subjects with additional rights. Importantly, the GDPR brings specific clarity to the notion of ‘accountability’ for data in two key ways:
1. The Data Controller is not only responsible for compliance but MUST be able to DEMONSTRATE compliance.
2. BOTH the Data Controller and the Data Processor are LIABLE for any compliance failures.
The joint liability introduced by the GDPR means businesses must pay renewed attention to their own compliance standards. Businesses can prepare for the new legislation in a variety of ways - but it is important to remember that with the deadline looming, unexpected challenges may hinder vital compliance steps.