GDPR: 4 key tips for global mobility professionals
This article was written by ReloTalent. If you would like to continue the conversation on the issues raised in this article, please contact ReloTalent CEO and Co-Founder Sebastien Deschamps at firstname.lastname@example.org
On 25 May 2018 the European Union’s (EU) General Data Protection Regulation (GDPR) will come into force, changing the way organizations have to think about data protection. Its implications reach far and wide, with some countries outside the EU altering existing laws to fall in line.
To put it plainly, if you have any data on any EU citizen, the GDPR will apply to you. If you don’t comply with the legislation, you risk heavy financial penalties.
But it’s not just companies that need to take note. Individuals across the globe should look at the legislation, as it gives them more control over how companies use their private data. Here are four key points that organizations and individuals should know:
1. Make yourself aware
Ensure that everyone is aware of the new legislation coming into force, and what it means for your organization. As a global mobility professional, you need to be fully briefed on the implications of GDPR and appreciate what impact it will have on the transferees.
Make yourself aware of the regulation and discover whether you’re one of the individuals it protects. Even non-EU citizens may be covered, as foreign nationals living anywhere within the EU are protected.
2. Document your data
It is time to take stock of all the personal data you currently hold. This means looking at what it is, where it came from and with whom you share it. Depending on the size of your group, it may be necessary to perform this exercise as a formal information audit across the whole business.
Think about which bits of your data are currently out there in the ether; this could be as simple as Googling yourself and seeing what comes up. All businesses should be able to provide you with all the information they have about you. Once you know what’s out there, you can choose how to act.
3. Remember the rights
GDPR affords individuals eight main rights:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- The right not to be subject to automated decision-making, including profiling.
You may be providing many of these rights under current laws, depending on your jurisdiction. If this is the case, altering your existing system to become GDPR-compliant should be trivial, although you should take the time now to go over the specifics. Any required changes may take some time, and the deadline is drawing close.
Take note of these rights, as they give you tremendous control over your personal data. In the past, businesses have paid relatively little attention to what has been best for their customers regarding data security, but that is changing. Take charge of your information and know that you always have the last say in how it is used.
4. Consider consent
The guidelines for obtaining consent for data processing are changing along with the laws for processing it. The GDPR consent guidelines are clear that all consent must be:
- Freely given – The user must be able to freely choose to agree to the conditions.
- Specific – The consent must be separate from other terms and conditions. Additionally, individuals must be able to withdraw their consent.
- Informed – The individual must understand what their data will be used for, and where and when it may be shared. They must also understand their rights to access and deletion.
- Unambiguous – The user must positively opt in, meaning that consent cannot be inferred from inactivity or pre-ticked boxes.
It is now time to review your procedures for seeking, recording and managing employee and customer consent, and to decide whether changes need to be made. Many older permissions from individuals will not be up to the new GDPR standards and should be renewed using the new guidelines before 25 May.
These additions to data protection law should put an end to the incomprehensible consent forms full of impenetrable legal jargon that we are all used to. Regardless, you should always keep the above in mind when agreeing to an organization’s processing of your data. Remember that if you have not been informed about the use of your data in a clear and unambiguous way, the company may not be GDPR-compliant, or could be open to a legal challenge in some cases.