HR Urged to Prepare for New Data Protection Law in Europe

By Aliah D. Wright, July 31, 2017
Data protection in Europe is about to become far more stringent.

To protect employee and consumer data, organizations that do business in or with European countries must—by May 25, 2018—comply with the General Data Protection Regulation (GDPR) or face harsh fines and penalties.

As hacking increases worldwide, the GDPR mandates how groups gather, store and use sensitive employee data.

Passed in April 2016 by the EU Parliament, the law replaces the Data Protection Directive, which was enacted in 1995. The new regulation's key objectives are to give people control of their personal data and to streamline current laws surrounding the legal use of this information.

Under the GDPR:

  • All companies must document employee consent about the access and use of their data.
  • Any organizations that process employee data within the European Union (EU) must comply with the new law—even if those companies aren't in Europe.
  • Organizations that fail to comply with the new law face fines and penalties equivalent to 4 percent of their annual revenue or 20 million euros, whichever is greater. 

The Information Commissioner's Office in the United Kingdom, which reports directly to Parliament, has prepared a 12-step checklist to ready organizations for GDPR compliance. It includes making sure that HR departments are prepared to detect, report and investigate data breaches and that they know what types of data leave employees vulnerable.

Experts are urging companies to get compliant now.

"With the EU's General Data Protection Regulation less than one year away, organizations around the world are deeply concerned about the impact that information non-compliance can have on their brand and loyalty of their customers," Jason Tooley, vice president, Northern Europe, at Veritas Technologies LLC, said in a company statement.

He said organizations need to begin educating themselves now on "the tools, processes and policies to support information governance strategies that are required to comply with the GDPR requirements." Veritas, a software company, is based in Reading in the U.K.

The best way to do that, he said, is to create "an automated, classification-based, policy-driven approach to GDPR," that will "enable organizations to accelerate their ability to meet the regulatory demands within the short time frames available."

David Godden, vice president of sales and marketing for Thymometrics, an employee engagement software firm based in Cambridge in the United Kingdom, said in a press release that "even if a company is using a cloud server in a relatively safe region of the world, this doesn't mean the company is complying with GDPR and that data is secure."

Jerry Pett, CEO and co-founder of Thymometrics, suggested in a blog post on the company's website that employers can prepare for compliance with the new regulation by doing the following:

  • Learn where your critical employee data systems are held (for example, your HR information systems or employee engagement survey vendor) and for what purpose data is being used.
  • Determine who owns the data based on contractual information. In some cases, employees are the sole owners of the data, while the company is authorized to use this data for business purposes only.
  • Set up a system in which employees give explicit permission to the employer to gather, store and share their data. Every employer doing so must have a clear method of communicating and obtaining this permission.
  • Find out what your cloud-based software vendors are doing with personal information and if they are taking steps to become compliant. Your employee data could be spread out across multiple locations such as cloud storage services, HR information systems, help and support systems, messaging systems, and more.
  • Assign an internal data protection officer to oversee all GDPR requirements. This provision applies to employers with 250 or more employees.
