The General Data Protection Regulation (GDPR) was created in May 2018 as one of a set of new European laws taking effect in the UK, the rest of Europe and beyond. This regulation aims to protect the data and privacy of all individuals within the European Union (EU) and the European Economic Area (EEA). These standardized data protection laws bring significant changes to data security and also affect companies involved in international relocation.
What is the GDPR Regulation and Who Does it Impact?
GDPR is restructuring the way that personal data is acquired, handled, and processed. Passed by the European Parliament, these laws will still take effect in the UK, despite the current Brexit process. The update to the data protection policies has been created for two specific reasons:
- It aims to provide citizens with greater rights to how their data is used
- It aims to simplify how data is shared internationally – increasing security
This policy impacts the majority of industries that would be collecting data on consumers. Corporations that actively store data on members of the European Union must now meet specific requirements for collecting this information. Failure to follow these requirements under GDPR will most likely result in legal actions carried out by individuals or the European authority responsible for enforcing the initiative.
The 6 Core Concepts of GDPR:
- Privacy – New stricter guidelines with rules on who can access or use personal data.
- Access – Personal rights with regard to data access are being increased. Individuals have more power to view any data stored on them, to request that their data be removed, or to change how it is used to market to them.
- Accuracy – Data must now be maintained constantly and consistently to ensure that all information is accurate.
- Consent – Stricter policies now govern how companies harvest information. People need to be better informed of what data is being taken, where it is being used, and how long it is retained.
- Responsibility – The responsibility of organizations collecting personal data is being dramatically increased. Any data gained is under your protection and must be handled appropriately. There must also be a member of staff or team member who can be held accountable for this. GDPR effectively means you are no longer innocent of a breach until proven guilty, but guilty until you can prove you acted to manage data properly.
- Protection – Monitoring of how brands store data is being overhauled completely. Companies will be required to carry out all the necessary processes to protect data and to provide evidence that they have done so. Any breach must also be reported, and processes need to exist to prepare for a possible breach.
How Does GDPR Impact International Relocation?
- Maintenance of Overseas Security – Even when a European citizen is operating abroad, you are legally required to follow the data protection processes outlined in the GDPR.
- Compliance with EU Laws for Non-EU Brands – Brands that operate outside the European Union are now subject to these laws should they relocate an EU citizen. This means that any company that opts for the international relocation of a member of an EU state must comply with these regulations, alongside any laws under its own nation’s jurisdiction.
- Transformation of Culture – Data security will become a major part of company culture in the years to come. Every member of staff is now key to keeping data secure. As for international relocation, those operating domestically are just as responsible for the protection of data as those managing the data of the assignee overseas. International borders do not separate how data protection works anymore.
- Shared Data Must be Covered – Often, international relocation involves working with third-party corporations, such as when offering regional services, managing shipping, etc. This may include the sharing of personal data. Those corporations now sharing said data are responsible for ensuring its security. No longer will it be acceptable to pass on data and expect other parties to follow expected practices. Companies carrying out international relocation must take steps to make sure personal data under their ownership is used and secured properly.
- Continued Data Accuracy – Laws around the accuracy of data now mean that companies with international assignees cannot allow their personal records to lapse while the individual is abroad. Information on all employees working abroad must be maintained to the same level of accuracy as for those operating domestically.
How Can My Company Be GDPR Compliant?
- Identify what constitutes personal data – There must be an understanding of exactly what is personal under the new regulations, and how much of this data relocators hold. Without this information, data cannot be managed properly.
- Gain an understanding of all practices – Personal data is used in a variety of ways. It may need to be passed around to numerous employees and departments. This is especially true of international relocation, as many processes are involved. An awareness of exactly how data is being used internally and externally is now essential.
- Update security practices, protocol and framework – Once corporations understand the data they are storing and how it is being used, they can start to review their practices against the regulations set out by the EU. It is likely that many data protection processes will need restructuring and that staff will require additional training. Companies must build a framework that ensures absolute compliance.
- Review third-party contracts and data transfers – It is the responsibility of the data gatherer to ensure data acquired remains protected under EU law. If data must be shared with third parties, it is down to the original company to ensure they are also compliant with GDPR laws. Failing to do so could mean prosecution for making personal data vulnerable.
- Consider current data consent – Under the new laws, it must be made abundantly clear to individuals how their data will be used. If current practices are not transparent enough, companies will face legal action.
- Implement new consent processes – If an analysis of consent processes reveals they are not in line with the GDPR regulations, businesses must take two steps. First, they must change their acquisition processes to meet GDPR criteria. Second, they must apply these processes to current data, ensuring they have proper consent for any historical data stored. If consent cannot be gained, this data cannot be held any longer. Processes should also exist whereby consent can be withdrawn by the data subject at any time.
- Designate a data protection official – Under new EU regulations, all personal data procedures must have a designated official responsible for ensuring compliance. Companies will either have to support the training of an employee capable of undertaking the role or hire a new member of staff to meet the demands of the regulations.
- Test data breach scenarios – One of the biggest changes involved in the GDPR is how companies handle a data breach. Regulations outline how businesses must meet certain criteria in terms of actions post-breach. Running tests to ensure that these criteria are met is key to avoiding additional problems should an actual breach occur.