Protecting Data Abroad
The countdown is on for the roll-out of new European Union data-protection regulations—which will impact HR operations, among many others, at U.S.-based multinational companies.
The General Data Protection Regulation officially goes into effect May 25, more than two years after it was adopted by the European Parliament and Council of the European Union. The law was designed to strengthen EU’s previous data-protection laws, with a focus on giving EU citizens more control over how their personal data—home and email addresses, banking information—are processed and distributed.
The GDPR doesn’t just apply to operations within the EU, but rather to any entity that does business with individuals living in EU countries—including U.S.-based companies with EU employees—which have just a few months to become compliant, or otherwise face steep fines.
“This is first and foremost for all multi-nationals from now into the next few months,” says Felicia Cheek, senior director, advisory at the Hackett Group.
Among the changes ushered in by GDPR are stricter consent requirements. The new law mandates organizations use clear and plain language to obtain consent from EU citizens to collect their data—and that they be informed how and by whom such data will be processed, as well as given the option to withdraw consent in the future.
Diana Barea, managing director in the talent and organization group of Accenture Strategy, says the consent element of GDPR may prompt HR leaders to re-examine their recruitment and application processes.
For instance, those working with international recruiters will need to revamp protocol for collecting potentially sensitive data from prospective EU employees. Decisions will need to be made about how prospects are informed about the transfer of information from the recruiters to the organization, and how long such data are retained.
“There are so many elements to this that organizations will need to get their heads around and get plans in place,” Barea says.
Instead of relying just on consent, employers can also opt to demonstrate another “lawful basis” for collecting the data. For instance, from an HR lens, a company could demonstrate that the collection of employee banking information for the purpose of payroll fulfills the employee’s contract.
“When we think about the information that’s included as part of the HR ecosystem,” notes Cheek, “it’s employee data from all different sources—not just payroll but some of the basic employee indicative information, some of the benefits information. Every single aspect of our data collection, we have to really review and make sure that we are GDPR-compliant.”
When it comes to payroll, most U.S. multi-nationals use an aggregator model: They will contract with a large payroll company as well as with in-country, local providers, which Cheek notes adds another layer of complexity to GDPR compliance.
“In-country providers will process payroll and then the aggregator—which could be an ADP, a Ceridian, a regional provider—takes all that data and puts it into a common format and feeds it back to the HR system,” she says. “So not only are you working with Company ABC, but your data is also going to the in-country provider and you actually have two processes.”
That approach is going to mean multi-nationals need to re-examine their service-level agreements prior to the GDPR rollout to ensure data-processing language is compliant, says Philip Gordon, shareholder and co-chair of the privacy and background checks practice group at Littler’s Denver office.
GDPR requires certain contract language to be included in all vendor agreements, Gordon says, noting that, as some U.S. multi-nationals work with up to 50 vendors, “Looking at vendor contracting is one aspect of GDPR compliance that has the potential to take the most time.”
The Hackett Group recently surveyed global and regional payroll-processing companies—including those that offer managed services, Software as a Service and both solutions—about their GDPR preparations.
According to preliminary insights from the study, more than 60 percent of respondents said clients can expect modified service-level agreements to accommodate GDPR changes. About half believe GDPR modifications will cause a “moderate amount” of change across their organizations, but not enough to impact service officers or change their pricing structures. About half feel “well-prepared” to guarantee clients that they are compliant with GDPR. Sixty percent of vendors also envision GDPR will cause multi-national clients to take a more active role in selecting in-country providers with which they work.
Other notable changes ushered in by GDPR include new protocol in the event of a data breach, including notification of data-protection regulators within 72 hours; if the breach potentially impacted HR data, affected employees must also be notified immediately if there is a question that an individual’s privacy has been compromised.
Companies that violate any tenets of GDPR could do so at great risk: Regulators can impose fines of up to $25 million or 4 percent of an organization’s global annual turnover.
“This regulation has a big set of teeth attached to it,” Barea says.
However, she notes, companies would be well-served to see GDPR as an opportunity, rather than a potential roadblock.
Just as companies have taken deep dives into data to better serve current and future customers, HR, she says, can use GDPR as an opportunity to become more data-literate.
“It shouldn’t be looked at as something restrictive, but rather something that’s going to send the company on a journey,” she says. “HR can get a broader understanding of the people who work in the organization as well as those they recruited or who didn’t accept an offer by understanding data better. And they can use that to become a better business.”
A multi-disciplinary fact-gathering team, including representation from HR, is the first step to that process, Gordon adds.
“It’s important to get some basic understanding of where the company data is stored and how it flows, both within the organization and outside of it: Which service providers receive the data? Which third-party organizations like pension companies or government agencies receive the data? You have to understand the factors before you can start generating policies and procedures that make sense to the organization.”
Most multi-nationals already have robust data-protection plans in place so many won’t need to start from scratch, but rather will have to focus on “tightening up” their existing framework to become GDPR compliant, Cheek says. “Most companies should already have a lot of this in place to a certain extent so it’s really about going back and putting audit trails in.”