GDPR - All You Need to Know as An Employer

What is GDPR?

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). GDPR becomes enforceable from 25 May 2018, after a two-year transition period.

Unlike a directive, it does not require national governments to pass any enabling legislation and so it is directly binding and applicable, as long as personal data of EU data subjects are collected.

In Singapore, personal data is protected under the Personal Data Protection Act 2012 (PDPA), which establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

Why should I, as an employer be concerned about GDPR?

Penalties. GDPR comes with a strict data protection compliance regime with severe penalties of up to 2% of worldwide turnover or €10 million, whichever is higher for non-compliant firms. Even if your firm does not operate within EU region, your job applicants could be from the EU region, and the collection of their job application and personal information falls under the GDPR compliance regime.

What are the core tenets of GDPR?

Privacy by Design

Data protection by design and by default (Article 25) requires data protection to be designed into the development of business processes for products and services. Privacy settings must therefore be set at a high level by default, and technical and procedural measures should be taken by the controller to make sure that the processing, throughout the whole processing lifecycle, complies with the regulation. Controllers should also implement mechanisms to ensure that personal data is not processed unless necessary for each specific purpose.

Consent

Consent must be explicit for data collected and the purposes for which the data is used for. Data controllers must be able to prove consent and consent may be withdrawn.

Notification of Breach

Under the GDPR, the data controller is under a legal obligation to notify the supervisory authority without undue delay and is subject to a maximum of 72 hours after becoming aware of the data breach to make the report.

Individuals have to be notified if adverse impact is determined. The exception for this is if the data controller has implemented appropriate technical and organisational protection measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.

Right of Access

The right of access gives EU citizens the right to access their personal data and information about how this personal data is being processed. This means a data controller must provide, upon request, an overview of the data that are being processed as well as a copy of the actual data. Furthermore, the data controller has to inform the data subject on details about the processing, such as the purposes of the processing, with whom the data is shared, and how it acquired the data.

Right of Erasure

A right to erasure means the data subject has the right to request erasure of personal data related to them on any one of a number of grounds.

DPO appointment

The Data Protection Officer (DPO) is similar to a compliance officer and is also expected to be proficient at managing IT processes, data security (including dealing with cyberattacks) and other critical business continuity issues around the holding and processing of personal and sensitive data. The skill set required stretches beyond understanding legal compliance with data protection laws and regulations.

(In Singapore, it is mandatory to appoint a DPO for all businesses under PDPA.)

How should I get started?

We propose the following steps to get started on preparing for GDPR compliance:

A. Kickstart a GDPR Committee

GDPR compliance requires the buy-in of senior management to champion and drive across the organization. The C-suite personnel should be made aware of the changes to the data protection laws, and the impact on the business operations.

B. Appoint a DPO (If you haven't)

With a GDPR committee and the buy-in of the senior management, it is important to appoint a Data Protection Officer that will continually drive through the initiatives set in motion by the GDPR committee, and ensure monitoring of the various data collection practices of the organization. In Singapore, it is mandatory to appoint a DPO as a business. Efforts should be made to allow data subjects to be able to reach the DPO via a contact channel to raise their concerns or exercise their rights to erase their personal data, or remove their consent for their personal data to be collected by the organization.

C. Review data collection processes, data types collected, and risks

One of the key initiatives to get started after formalising the GDPR committee and appointment of a DPO, is to collectively review all data collection processes and deep dive into the data types collected, as well as identify the risks involved. This would be a blueprint on future initiatives for data protection, and also assist the committee in prioritizing enhancements or overhaul to existing data collection processes based on the risk(s) identified.

D. Run awareness campaign

Data collection processes can occur across multiple divisions of an organization, and it is the responsibility of the GDPR committee to inculcate the personnel across all levels of the organization on the importance of data protection, and the processes put in place to ensure compliance with the prevailing data protection laws. As such, the data protection initiatives that have been outlined and implemented, should be made known to all personnel through awareness campaigns, and personnel should be educated on how to deal with personal data that he/she may have access to as part of the personnel's role in the organization.

E. Work with vendors / data intermediaries that can work with you on GDPR compliance

GDPR compliance is an onerous process, given that organizations are collecting more and more personal data in order to provide more relevant products and services. It is therefore critical to examine your data supply chain, and ensure that your GDPR compliance efforts are not undermined by non-compliant vendors or data intermediaries.

Through the use of RecruiterPal, direct employers are able to reduce the hiring cycle time by as much as 50%, reaping significant cost and time savings while streamlining their talent acquisition workflows.