
New proposed EU General Data Protection (Privacy) Regulation – How will it impact Global HR?

On June 15, 2015, the Article 29 Working Party published its position on the proposed new EU General Data Protection Regulation, addressed to representatives of the Council of the European Union and the European Commission. The document sets out the Working Party's views on a range of core issues in the Regulation, in an effort to have those views taken into account as the Council and Commission negotiate and agree a final text of the revised Regulation later this week, with the intent of finalizing the Regulation by the end of 2015.

The proposed new Regulation may have broad ramifications for employers that operate within the EU as well as around the globe, including those based in the U.S. that recruit and employ both expatriates and local nationals within the European Union.

Key points for employers to consider include:

One Jurisdiction, One Law: In addition to the existing broad territorial scope of the Regulation, the Working Party is of the view that the Regulation should also apply to non-EU processors, where they act on behalf of controllers (such as background screening providers) that are subject to the Regulation (in line with the Parliament’s views on this issue). The Regulation would establish a single, pan-European data protection law replacing the current inconsistent patchwork of national laws. In the future, your company will only have to deal with one law, not 28. Similarly, individuals will only have to deal with their national data protection authority—in their own language—even if their personal data is processed outside their home country.

Enhanced Individual Rights:  Employers will have to inform individuals in a clear and understandable way about the collection, processing and transfer of their personal data. When there are no longer legitimate grounds for retaining data, an individual will be able to ask for the data to be deleted (right to be forgotten).

Right to Know if Hacked: Employers will have to notify the national data protection authority about data breaches as soon as possible (not later than 72 hours after becoming aware of the breach) and will also have to notify affected employees without undue delay.

Data Protection Impact Assessment: An assessment will be required when processing is likely to result in a high risk for individuals, such as discrimination, identity theft or fraud, financial loss, damage to reputation, unauthorized reversal of pseudonymization or significant economic or social disadvantage. This directly speaks to the employer-employee relationship.

Mandatory Data Protection Officers: The Working Party is in favor of imposing a mandatory obligation to appoint a Data Protection Officer upon data controllers, if they meet certain thresholds in terms of the type, volume or nature of the data being processed (although the Working Party has not specified what those thresholds should be). Since employers generally deal with sensitive data it is expected they will fall within this category.

Information Notices: The Working Party supports the use of layered privacy notices, and the proposal that data subjects (candidates/employees) should also be provided with information relating to further processing, data retention periods, international transfers and security measures.

Data Portability: The Working Party supports the proposed broad scope of the right to data portability, and suggests that this right should be separate from the right of access.

Right to Object: The Working Party is of the view that the right of data subjects to object to processing should apply widely, and should not be limited to processing performed on the basis of: (1) the legitimate interests of a data controller; (2) the public interest; or (3) the exercise of an official authority.

Codes of Conduct: The proposed regulation will encourage codes of conduct to be drawn up for specific sectors and for specific needs.

European Rules on European Soil: If your organization is based outside the EU, it will have to apply the same rules and guarantee the same level of protection for personal data when offering services in the European market.

Profiling: The Working Party highlights that the proposals in the Regulation relating to data subject profiling are unclear and do not ensure sufficient safeguards to protect data subjects. The Working Party recommends that the creation of profiles should be limited to particular purposes (although the Working Party does not specify those purposes), and that specific obligations should be imposed on data controllers to inform data subjects of: (1) the relevant profiling measures that will apply to their data; and (2) the right to object.

Risk-Based Approach: While the Working Party does not directly oppose the risk-based approach in general, it considers that risk should not be a determining factor in relation to a controller’s accountability obligations.

Access by Public Authorities: In the event that a court, tribunal or public authority in a non-EU jurisdiction demands access to personal data that are subject to the Regulation, the Working Party recommends that such matters be dealt with under a Mutual Legal Assistance Treaty, where one exists. Where no such treaty is in place, the relevant controller should report the matter to the competent Supervisory Authority. The Working Party’s previous guidance on this point in the context of Binding Corporate Rules (“BCRs”) for processors provides some helpful context.

Binding Corporate Rules: The Working Party considers it essential that BCRs for processors continue to be recognized as a valid mechanism for cross-border data transfers.

Fines: The Working Party welcomes the introduction of significant fines for breaches of the Regulation, and supports the imposition of fines both where a data controller or processor violates the Regulation and where it fails to cooperate with Supervisory Authorities. In order to effectively enforce the rules, national data protection authorities will be empowered to fine companies that violate EU data protection rules. The fine may be up to €1 million or 2% of the global annual turnover of the offending company.

Aletheia Consulting Group provides expert cost-effective global advisory solutions for multinational organization human resource, compliance, privacy, and security risk management resource needs. Our primary focus is on companies that have overseas operations that seek to navigate the sometimes challenging sea of international risk management involving the people, processes, technology and organization. If you’d like to learn more about our Services for Multinational Employers please feel free to contact us at Terry.Corley@me.com.
