EU's safety-first approach with the General Data Protection Regulation
The General Data Protection Regulation (GDPR) is due to become operational in May 2018. It applies across the European Union (EU) and to any organisation, wherever it is based, that handles the personal data of EU residents.
Enterprises that sustain a breach and are found non-compliant face substantial penalties: fines of up to 20 million euros or 4% of annual global turnover, whichever is higher. Employees are the greatest source of exposure, since they interact with data systems every day.
It is therefore paramount to educate employees on looking after their devices and on basic cyber hygiene.
Employees on the frontline of GDPR
As we approach the implementation of the GDPR, enterprises must understand the practical, structural and cultural adjustments they need to make to comply with the new regulation. How individuals' data is handled, deleted and shared is being regulated to increase business and public confidence in digital communication. One significant advantage for employers already subject to the UK's 1998 Data Protection Act (DPA) is that the rights under the GDPR closely resemble the existing ones. They include:
- The right to be informed, which places an obligation on employers to be transparent with workers about how their personal data will be used.
- The right to restrict processing (to suppress or block the processing of personal data), which resembles the equivalent right under the DPA.
- The right of access, which resembles the DPA right and includes the subject access request, which has always been widely used.
- The right to rectification of data that is incomplete or inaccurate, again similar to the DPA.
- The right to erasure (the right to be forgotten) in particular circumstances.
- The right to data portability, a new right that allows workers to obtain and reuse their personal data for their own purposes across different services in particular circumstances.
Privacy and Accountability by Design
The concept of accountability is arguably continental and not one that is familiar in the UK and some other member states. The new accountability principle requires each enterprise to demonstrate that it complies with the data protection principles and to state explicitly that it is responsible for doing so. Employers will therefore have to put in place appropriate measures that demonstrate compliance. These internal data protection measures include, among others, a review of internal human resource policies, internal audits of all processing activities, and staff training.
As an employer, you will also be required to maintain appropriate documentation of all processing activities. Management can assign this responsibility to a data protection officer where needed. You also need to implement measures that meet the data protection principles by design and by default, such as transparency, pseudonymisation and data minimisation. This approach lets the organisation build in and improve security features and monitor processing on an ongoing basis. The employer should also carry out data protection impact assessments where they are appropriate.
The employer will also be obliged to provide privacy notices that are transparent, clear and comprehensive. Any firm with 250 or more employees will have to maintain new internal records of its processing activities. This requirement will increase the administrative burden and cost to the employer.
Under the new regulation, employers that are public authorities must appoint a Data Protection Officer (DPO). Employers whose core activities involve systematic monitoring of individuals on a large scale must also appoint a DPO. The third category comprises companies that process special categories of data, or data relating to criminal offences and convictions, on a large scale. The employer can outsource the DPO role, but the person brought on board must possess expert knowledge of data protection law and of the processing requirements of the given industry. That expertise should be proportionate to the processing the company undertakes and to the level of protection the data requires.
As an employer, you must make sure that the DPO reports to the highest level of management. You should also provide adequate resources that allow the DPO to meet their obligations under the GDPR. As a DPO, you operate independently, and no one can dismiss or penalise you for performing your tasks. The specific rights of a Data Protection Officer include the power to insist on company resources for data protection purposes, the right of access to data processing operations and personnel, and protection from penalty or dismissal for carrying out their duties.
Outcomes of GDPR
The General Data Protection Regulation, which becomes operational in May 2018, places many expectations on the employer. Failure to comply can lead to hefty fines and penalties for the company. The best way forward for large entities is to appoint a data protection officer to assist with compliance. It is equally important to understand the rights that employees and the public have under the General Data Protection Regulation.