New data protection regulations are going to change the way plenty of businesses store and use information, but what is GDPR and how will the laws impact international relocation? Find out all you need to know.
In May of 2018, new European laws will come into effect that have major implications for all businesses in the UK, Europe and, in fact, the rest of the world. Called the General Data Protection Regulation, or GDPR, these new laws involve sweeping changes to data security, designed to provide maximum levels of protection for personal data.
Adopted by the European Parliament and the Council in April 2016, the regulation will still take effect in the UK despite the current Brexit process. It replaces the Data Protection Directive of 1995 and was created for two main reasons:
- To give individuals greater rights over how their personal data is used
- To replace the differing national laws made under the 1995 Directive with a single set of rules across the EU, simplifying lawful data sharing between member states
As can be expected, changes to international data use mean changes to international relocation projects. The introduction of GDPR will affect how you manage the data of overseas workers, so any corporation with staff operating overseas must be aware of what the new regulation involves.
What Exactly is GDPR And Who is Affected?
The GDPR is a top-down restructuring of the way in which personal data is acquired, handled and processed. While an alarming number of corporations currently believe the regulation will not affect them, the reality is that almost all industries will need to change how they work in order to comply.
The question is not who is affected by GDPR, but who isn’t?
Any corporation established in the EU, or that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, must now adapt to meet the regulation's requirements. Very few corporations currently operate data protection systems that meet those requirements.
Failure to comply with the GDPR can, and most likely will, result in enforcement action by the supervisory authority of the relevant member state (in the UK, the Information Commissioner's Office), as well as claims by affected individuals. At this point, many businesses still unaware of the effects of GDPR will be seeking an answer to the question: what is the GDPR?
While GDPR is an incredibly complex piece of policy, its impact can be broken down into six core concepts:
- Privacy — The regulation introduces new rules on who has access to data, meaning stricter limits on who can see personal data and for what purpose.
- Access — Individuals' rights over their data are being extended. They can ask to see what data an organisation holds on them, have it corrected or erased, and object to its use for direct marketing.
- Accuracy — Personal data must be accurate and, where necessary, kept up to date; inaccurate data must be corrected or erased without delay.
- Consent — Laws on how you acquire data are changing. Where consent is relied on, it must be freely given, specific, informed and unambiguous, and people must be told what data is being collected, how it will be used and how long it will be retained.
- Responsibility — The responsibility of organisations collecting personal data is being dramatically increased. Any data gained is under your protection and must be handled appropriately, and someone within the organisation must be accountable for this. Under the accountability principle it is no longer enough to comply: you must be able to demonstrate that you have managed data properly.
- Protection — Oversight of how brands store data is being overhauled completely. Companies will be required to put in place appropriate technical and organisational measures to protect data and keep evidence that they have done so. A breach that puts individuals at risk must be reported to the supervisory authority, where feasible within 72 hours, and processes need to exist to deal with such a breach.
What these six core concepts mean is that the new regulation changes how the personal data of any individual in the EU is treated. Those processing such data must comply with the standards above wherever the processing physically takes place.
Failure to do so can incur fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. These seemingly excessive penalties highlight just how seriously the EU's supervisory authorities are taking data protection in 2018 and beyond.
What Does the GDPR Mean for Business Operation?
Acquisition of personal data is important for businesses. It allows them to successfully execute many processes, from management of clients to marketing.
Without personal data, companies cannot hope to offer a tailored and bespoke experience to satisfy the needs of individuals and other businesses. This reliance on personal data, however, means the GDPR affects many corporations in a big way.
But how exactly does GDPR impact business operation? And what changes must be made to secure proper compliance?
- Identification of what constitutes personal data — There must be an understanding of exactly what is considered to be personal under the new regulations, and how much of this data relocators hold. Without this information, data cannot be managed properly.
- Clear understanding of all practices — Personal data is used in a variety of ways. It may need to be passed around to numerous employees and departments. This is especially true of international relocation, as many processes are involved. An awareness of exactly how and where data is going is now essential.
- Update security practices, protocol and framework — Once corporations know the finer details of the data they are storing and how it is being used, they can start to review their practices against the regulations set out by the EU. It is likely that many data protection processes will need restructuring and that staff will require additional training. Companies must build a framework that ensures absolute compliance.
- Review of third-party contracts and data transfers — It is the responsibility of the company that decides how and why data is used (the controller) to ensure the data it acquires remains protected under EU law. If data must be shared with a third party that processes it on the controller's behalf, a written contract setting out that processor's obligations is required, and the controller remains answerable for the processor's compliance. Transfers of personal data outside the EEA additionally need a lawful transfer mechanism, such as an adequacy decision or standard contractual clauses. Failing to get this right could mean enforcement action for leaving personal data exposed.
- Consideration of current data consent — The GDPR sets new requirements for transparency and consent. Under the new rules it must be made abundantly clear to individuals how their data will be used. If current practices are not transparent enough, companies risk enforcement action.
- Implementation of new consent processes — Consent is only one of the six lawful bases the GDPR allows, and for employee data in a relocation it is often not the right one, because consent must be freely given and an employee may not feel free to refuse; performance of the employment contract, a legal obligation or the employer's legitimate interests are frequently the better basis. Where consent is the basis relied on, and an analysis shows that current consent does not meet the GDPR standard, businesses must take two steps. First, change the acquisition process to meet the GDPR criteria. Second, apply that process to existing data, so that proper consent exists for any historic data held; data for which consent cannot be obtained, and for which no other lawful basis applies, can no longer be held. Processes should also exist so that consent can be withdrawn by the data subject at any time, as easily as it was given.
- Designation of a data protection officer — The GDPR makes appointing a data protection officer mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. Even where it is not mandatory, someone must own compliance, so companies will either have to train an existing employee for the role or hire a new member of staff.
- Test data breach scenarios — One of the biggest changes in the GDPR is how companies handle a data breach. A breach likely to result in a risk to individuals must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and the individuals concerned must be told where the risk to them is high. Running exercises to confirm the organisation can detect, assess, contain and report a breach within that window is key to avoiding additional problems should a real breach occur.
By ensuring these changes have been put into place before May 2018, companies operating international relocation projects can continue to offer stable and effective corporate moves, without fear of breaching GDPR laws.
How The GDPR Impacts International Relocation
The details covered in the two sections above reveal dramatic changes to data storage and management. It is clear that the introduction of the GDPR will directly affect those practising international relocation as part of business operation.
But which specific elements of international relocation will the new regulation affect? Where should companies investing in corporate moves expect to be hit?
- Maintenance of Overseas Security — If your organisation is established in the EU, the GDPR applies to its processing regardless of where that processing happens. An assignee sent abroad, to America for example, does not fall outside the regulation simply because they have left the EU; you are still legally required to follow the data protection processes it outlines.
- Compliance with EU Law for Non-EU Brands — The regulation applies on the basis of where the organisation is established and where the individuals whose data it processes are located, not on the basis of citizenship. A brand outside the European Union that processes the data of individuals in the EU in connection with offering them goods or services, or monitoring their behaviour, is subject to it. A non-EU company relocating someone from an EU state will typically be collecting that person's data while they are still in the EU and should therefore plan to comply with these rules alongside any laws under its own nation's jurisdiction.
- Transformation of Culture — The new rules require a new approach to data protection. Organisational structures will have to change to fit new processes. Data protection is no longer something tagged onto a business, but must be built into its very fabric. Every member of staff is now key to keeping data secure, and security will become a major part of company culture in the years to come. Where international relocation is concerned, those operating domestically are just as responsible for protecting data as those managing the data of the assignee overseas. International borders no longer change how data protection works, so nobody can afford to become complacent.
- Shared Data Must be Covered — Often, international relocation involves working with third-party corporations, such as when offering regional services, managing shipping, etc. This may include the sharing of personal data. Corporations sharing that data remain responsible for ensuring its security, and must be transparent with the individual concerned about how it is shared. Where the third party sits outside the EEA, the transfer itself also needs a lawful mechanism such as an adequacy decision or standard contractual clauses. It is no longer acceptable to pass on data and expect other parties to follow expected practices. Companies carrying out international relocation must take steps to make sure personal data under their control is used and secured properly.
- Continued Data Accuracy — The accuracy principle means that companies with international assignees cannot allow their personal records to lapse while the individual is abroad. Information on employees working abroad must be kept as accurate and up to date as that on staff operating domestically.
Key Takeaways for Anyone Affected by The GDPR
GDPR is coming. It was adopted in April 2016 and becomes enforceable on 25 May 2018. It is essential that businesses take the time now to ensure they meet the criteria set out in the regulation. Ignorance is not an excuse for non-compliance, and corporations will face major difficulties if they do not act quickly to protect themselves against potential GDPR-related backlash.
For those operating international relocation programs, you'll likely be dealing with large-scale data storage processes, while also committing to the protection of personal information shared with third parties. It is vital that you become GDPR compliant to avoid any problems with your overseas work projects.
Before May 2018, you must:
- Understand how GDPR affects your business
- Make internal changes required to ensure compliance
- Adapt international relocation processes to meet GDPR criteria
Once all three points are successfully achieved, you’ll be safe in the knowledge that neither your business nor your international assignments will suffer as a result of the GDPR initiative.
Need assistance adapting your processes to maintain compliance with the GDPR? The Gerson Relocation team are international relocation specialists. We can help support your transition from the older data protection laws and ensure you don’t fall afoul of EU changes.