On the 25th of May 2018, the General Data Protection Regulation (GDPR) began enforcement of regulations that were deliberated for more than four years and officially enacted in April 2016. The primary aim of the new regulations was to return control of Personally Identifiable (PI) data to the individual and to simplify the legislation surrounding data management and processing. It also governs the export of data outside the European Union (EU) and European Economic Area (EEA). Unlike preceding acts, GDPR applies to all companies that process the data of any EU citizen or conduct business within the EEA, even if they maintain no physical presence in the EU.
Since its introduction, GDPR has been the focus of intense scrutiny across all industries, perhaps unsurprising given the unprecedented scale of the fines and enforcement announced as part of the regulation. The expectation is that this will continue as GDPR continues to be refined in line with ever faster global communications and bulk data processing. Cross-industry focus groups, especially in the EMEA global region, have been sharing compliance best practices and beginning to speculate on what the next phase of GDPR will entail and its subsequent business impacts. From focus groups to dedicated GDPR global conferences, this pan-industry focus underscores the importance of GDPR and the dramatic impact it has had on the global business landscape.
As we move into the second year of GDPR, we expect to see greater numbers of penalties and fines as more companies are reported and investigated. An article by FCPA, titled GDPR Enforcement Report (May 2019), references four major cases where companies have been fined between $5,400 and $56 million within the last year for non-compliance with GDPR. While the actual number of enforcement cases is still relatively low, the Report also states that
Fines will be administered by individual member state supervisory authorities, utilizing the following 10 criteria to determine the amount of the fine on a non-compliant firm:
A rather startling realization from the wider rollout of GDPR has been the challenge of becoming compliant initially and then retaining compliance. Ongoing compliance has shown that in order to both keep pace with the requirements of GDPR and maintain a proactive approach to the protection of personal data, a state of vigilance is needed, embedded into the culture of how companies operating in 2019 approach data from day zero. While the assignment of a Data Protection Officer is now required for companies of a certain size, the wider impact is seen across personnel and operational arenas – with cyber-security and GDPR compliance now warranting their own specialist staff. This in turn represents a potentially large operational cost which companies will now have to take on at the risk of being fined for GDPR breaches – although worth it when compared to the cost of the fines and the possible loss of business. Arguably, data security is now being viewed more widely as a specialist discipline which needs to be invested in and developed in the same way as any other core business function such as Human Resources or Finance. Specialist data protection and security awareness courses are appearing across many industries, but the skillsets will take time to disseminate across the wider business environment. This marks a significant mindset shift away from previous data protection legislation, which had been, in some cases, viewed more as a ‘tick box’ exercise as opposed to an ingrained function.
However, the challenge for all industries will be in keeping GDPR in focus as time moves on. After a relatively gentle start to GDPR, the major enforcement actions have made significant headlines and forced GDPR back into the collective business mindset. It is expected that enforcement will need to continue to be widely published to ensure the consequences of failure to meet GDPR obligations are both real and tangible for companies of all sizes; something certain opinion points have suggested is behind the security placed on major technology and data processors such as Google and Facebook. Unquestionably it has demonstrated that the consequences can be made tangible for groups of that size and, as such, can apply to anyone. As 2019 progresses, the expectation is to see further enforcement action taken and well-documented, with rising awareness of GDPR being reflected in the fundamental manner in which companies process data and engage in business within the EU.
One clear area that we do see growing from GDPR is the level to which it has resonated internationally, inspiring worldwide legislation aimed at protecting the same basic rights in line with local laws and prevailing conditions. (See examples in the section below.) With many different laws emerging which share intent but set different thresholds for compliance, local legislative expertise is key – either in-country partners or local offices – to educate and advise on prevailing local conditions and ensure that compliance is maintained.
It is apparent that enforcement of GDPR will continue, so first, if you are not compliant, get there. While fines and penalties are certainly of great concern, companies also need to recognize that non-compliance could also impact customer trust, and therefore overall business growth or decline. So far, apart from some large cases, authorities have been relatively lenient, issuing warnings in some cases and allowing the company to get into compliance. But as time goes on, there will be a greater expectation that companies have already taken the appropriate actions to ensure compliance, and the authorities will likely not be as lenient. What will that do to your business? If your organization has not been compliant with the regulations and is fined for not doing so, your customers are likely to pull their business while you get your company up to speed. This could have a serious impact on your bottom line and therefore your entire organization.
As enforcements occur, however slowly, they will set precedents for future decisions by regulators who were hesitant to penalize or fine an organization. Moving forward, we should expect to see these regulators become more confident in their decisions to enforce the GDPR regulations.
Companies will need to engage more with their data through governance and data mapping practices to be more aware of what data they store and process. If the data is not essential to the work being performed, the data must be anonymized, and this was not the case prior to GDPR. In addition to ensuring compliance, there is an ethical standard to follow these regulations in order to keep the data secure.
It’s important to remember that GDPR is not the first privacy law to be in effect, and so we should not expect it to be the last. In fact, more than 80 countries around the world have developed or enacted privacy laws, in addition to certain smaller territories like US states. For example, the California Consumer Privacy Act of 2018 (CCPA) goes into effect on the first day of 2020, and GDPR compliance will not be enough. Some ways that the CCPA will differ for companies who store or process data on California residents are:
Brazil is enacting its own General Protection Law (LGPD) on August 15, 2020. Passed by the National Congress of Brazil on August 1, 2018, the legislation puts new restrictions on the use of data processed or stored on Brazil residents. We also know that the EU is updating its ePrivacy regulations related to elements such as consent for cookie use and the treatment of electronic communications, including internet-based voice and messaging apps.
We’ve discussed the purpose of GDPR and how its enforcement is impacting organizations, as well as what we expect to see over the coming years. Based on the number of complaints the authorities are receiving, it’s obvious that there are still many organizations that may not be fully compliant with GDPR yet. If that’s the case for your organization, your company is at significant risk of penalties and fines related to non-compliance. See below for some quick tips to help you get, and stay, compliant.
In the payroll field, it’s essential we think about all the forms of PII we receive and handle. From the interview process to hiring, and through promotions or moves, all the way to when the person leaves the organization, we are collecting data. Any and all of that data falls under the GDPR regulations and is data that an employee could request to see – at any time. We must treat the data like we would want our data treated – with the utmost care and security.
What sets us apart? Here are four key areas of focus that have enabled us to become the world’s leading cloud-based payroll services company.