The European Union’s (EU) General Data Protection Regulation (GDPR) represents a major change in the way businesses manage data. In the long run, however, GDPR should not only help individuals but also allow organizations to simplify their legal controls, two ADP experts explained in the online class “GDPR: A New Regulatory Landscape in Europe.”
ADP Chief Privacy Officer, Global Compliance Cécile Georges and Director of Privacy Execution Assurance Julia Matarazzo went through the ins and outs of the new regulation, which will take effect on May 25.
“If your organization does business in the European Union or handles EU residents’ personal data, regardless of whether your business is located in the EU, it is good you are here with us today because the GDPR has a direct impact on how your organization handles this personal data,” Georges said at the outset of the two-day class, which prompted more than 150 questions from its motivated attendees.
Matarazzo led attendees through GDPR’s key concepts, the first of which is personal information or data.
“Personal data means any information related to you, any element of information that identifies you as you, even just your name,” she said. “Some other examples are email, telephone number, social security number, tax ID, bank account information, your gender, race, photograph, and even your IP address.”
Other key GDPR concepts and their definitions are:
- Data Subject—a natural person who can be identified, directly or indirectly, by personal information/data.
- Data Controller—the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- Data Processor/Subprocessor—a natural or legal person, public authority, agency, or other body that processes personal information/data on behalf of the data controller.
- Data Protection Authority (DPA)—a supervisory authority or an independent public authority that is established by a Member State pursuant to Article 51.
- Standard Model Clauses (Model Contracts)—standard contract clauses provided by the European Commission (EC) which provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals.
- Binding Corporate Rules (BCRs)—internal rules adopted by a multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.
Georges said many of the GDPR’s concepts are not new. She also noted the broad consistency the requirements will bring to the EU.
“Local requirements may still vary a bit, but compared to the current landscape, GDPR will provide much more harmonization across the EU,” she said.
Although companies have had about two years to prepare for the new regulations, many are having to make a late push to put measures in place. Noncompliance can be costly.
“Failure to comply with GDPR can trigger onsite investigations from data protection or supervisory authorities, and the fine can go up to 20 million Euros or 4% of the worldwide revenue of the company, whichever is higher,” Georges said.
In response to a viewer’s question, Georges noted that the GDPR is a more sweeping regulation than anything the United States has in place.
“In the U.S., the protection of data is probably less advanced than it is in Europe, but I wouldn’t say that personal data is not protected in the U.S.,” she said. “It’s just that there’s no unique set of rules as GDPR. That doesn’t exist yet in the U.S. Canada is closer to Europe, considered by the European Union to be providing an adequate level of protection.”
The virtual class also included an overview of the GDPR’s 99 articles, the responsibilities of Data Controllers and Data Processors, best practices for implementing GDPR, and more. The class drew 1,078 registrations from 45 different countries.
“It is not in place just to protect individuals,” Georges said. “It’s also about giving an opportunity to the business to gain a simpler legal environment around data privacy. The new regulation will introduce more stringent compliance requirements compared to existing European laws, but in the long run it will be beneficial.”
For more resources on GDPR, see the article in this issue of Global Payroll “GPMI Out in Front on GDPR News, Updates.”
Kerry Cole is Senior Editor of Membership Publications for the American Payroll Association and GPMI.