How to Prepare for the GDPR


Marisa Fasciano
Content Specialist
Marisa is a communications consultant based in New York with a background in social research, diversity education, and nonprofit development.  She has lived and traveled abroad extensively…

If your business handles the personal information of customers or employees in the European Union, it’s important to be prepared for the General Data Protection Regulation (GDPR), which takes effect next May.  This new set of laws replaces a much weaker and narrower directive from 1995, when the internet was just born and used by only 1 percent of the European population.  The GDPR aims to protect the privacy and security of people living in the EU by regulating the way that their personal data is stored, processed, and shared.  It is enforceable in all 28 member states, and the UK’s decision to leave the EU will not deter its implementation there.

Whom does the GDPR affect?

The GDPR applies to all companies operating in the EU, as well as to companies in other countries that market goods and services to EU customers or hire EU employees.  In general, anyone who stores, processes, shares, or in any way works with personal data about EU individuals, including HR and payroll professionals, will be impacted by the new rules.

What information does the GDPR apply to?

The GDPR expands the definition of personal data to include any information that can be used to identify a person either directly or indirectly, such as a name, birthdate, ID number, contact info, payment details, and even an online identifier like an IP address.  Anything that reveals aspects of a person’s physical, mental, financial, or cultural identity is subject to protection.  Both digital and manual filing systems must comply with the GDPR.

How do businesses comply with the GDPR?

Rather than relying on a regulatory agency to enforce compliance, businesses will have to police themselves by completing self-assessments.  They must also ensure that their partners, vendors, consultants, and suppliers follow the rules too.  When asking for customer or employee consent to collect data, businesses need to be more transparent and explicit than before.  And it must be just as easy for individuals to revoke their consent as it was for them to give it.

GDPR Compliance and International Payroll

These stricter requirements can seem overwhelming, especially to owners of SMEs, so consider seeking help from a vendor who can take some of the pressure off.  For example, if you oversee an international payroll, money transfer providers like World First (read our review) would simplify the process by letting you make multiple currency payments from a single account with fair and transparent foreign exchange rates.  They can do the heavy lifting when it comes to GDPR compliance so you can be confident that you’re following the rules.  Use our comparison tool to find the best international money transfer provider for your needs.

What are the penalties for noncompliance?

Just as regulations will be consistent across EU members, so will penalties.  For data breaches, companies can be fined as much as €20 million or 4 percent of their global revenue, whichever is higher.  The most serious offenses, like failure to prevent hacking, can put a company out of business entirely.

Keep these substantial penalties in mind when weighing the costs of compliance against the costs of noncompliance.  David Zetoony, head of consumer protection at law firm Bryan Cave, believes that full compliance is not always feasible, especially for companies that operate in other regions of the world with divergent regulations.  “Some [businesses] have the perception they can be compliant with all the data privacy regulations around the world… The real question is what level of compliance you want to achieve.  There is a spectrum and, like any other business decision, you have to weigh the pros and cons and make a decision based on risk.”

 

