March 7th, 2018 | Sterling

GDPR: What You Need to Know with Less Than 100 Days to Go

Is your company ready for the GDPR? According to an informal survey during our webinar, 47.8% of attendees stated that they are not ready, while only 9.3% stated they are ready and waiting for the GDPR to go into effect. Sterling recently presented the webinar, “GDPR: What You Need to Know with 100 Days to Go”, to discuss the impact of not being ready for the GDPR changes on 25 May 2018. John Tomaszewski of Seyfarth Shaw LLP and Sterling’s Steven Smith explain the significant penalties for not complying with GDPR rules, what processes need to be put in place to comply with the GDPR, and how to protect your organisation against penalties reaching 4% of global turnover.

What are the GDPR Penalties?

What is the first thing that you think of when it comes to GDPR compliance? In most cases, there are two questions. The first is: How will the GDPR impact my organisation? The second, and equally important, is: What are the fines or penalties if my business does not comply with the rules?

The coming into force of the GDPR on 25 May 2018 will dramatically increase penalties for data privacy violations. There are two tiers of penalties, depending on the type of violation. The first tier is capped at 10,000,000 Euros or 2% of global turnover. The second tier is capped at 20,000,000 Euros or 4% of global turnover. In either case, the fines represent a massive risk to any company that is subject to the GDPR.

In general, fines under the GDPR are not applicable automatically. A Data Protection Authority (DPA) might decide to issue a reprimand or an order to change an organisation’s activities instead of a fine. However, the GDPR intends to put in place some consistency to reduce the possibilities of variations across the EU Member States.

To determine a fine, the DPA must take the following factors into account:

  • Nature, gravity, duration, number of data subjects and level of damage
  • Intentional or negligent infringement
  • Actions taken to mitigate risk based on infringement
  • Degree of responsibility
  • Relevant previous infringements
  • Degree of co-operation with DPA
  • Categories of personal data affected
  • Whether infringement was notified to DPA
  • Previous history of enforcement
  • Other aggravating or mitigating factors

Under the GDPR, there could be other sanctions on top of the administrative penalties. For example, courts can award compensation for damages following individual or class action lawsuits. Individual Member States can also set out other types of remedies that fall in line with their own legal systems.

Basis for Processing

EU Member States have started to enact national laws to specifically outline how the GDPR is implemented within their borders. For example, Germany has set requirements for who can serve as a Data Protection Officer (DPO) and who cannot be chosen. The new German data protection law also contains provisions relating to the processing of employee data. Overall, it does not introduce a fundamental change to German law but instead consolidates existing legal provisions, case law and literature on the matter in a way that complies with the GDPR.

Consent and Legitimate Interest

Consent is a major component of many privacy laws around the world and, in the case of the EU, will be impacted by the GDPR. There are many aspects of consent, but the main criteria under the GDPR are that consent must be freely given, specific, informed and unambiguous, and must be given by a clear affirmative act rather than passive acceptance or failure to act. The conditions for obtaining consent under the GDPR are therefore stricter than those under the current Data Protection Directive. The GDPR gives an individual the right to withdraw consent at any time and as easily as they provided it, and requires separate consents for different processing activities. The GDPR additionally sets out new requirements for consent from children in certain circumstances.

Because truly free consent is difficult to obtain in the employment context, many employers will rely upon their legitimate interests as grounds for processing personal data. The burden will lie with organisations to demonstrate what these legitimate interests are, and convey them to individuals. Employers should have language in their employment manuals discussing data collection in the context of their organisation.

Individual Rights Violations

The GDPR maintains a number of existing rights for individuals with regard to their data and codifies some new ones. The key elements are transparency and accountability. Open and transparent communication to candidates is crucial. Candidates have the right to detailed information about the screening process, including receiving a privacy notice providing the individual with insight on how and why their personal information will be processed. In many circumstances, candidates have the following rights under the GDPR:

  • Access and the ability to obtain copies of information
  • Rectification, erasure and restriction of the data
  • Restrict and object to the processing of the data
  • Receive personal data in a structured format that can be transferred from one organisation to another if desired

Data Transfers

A cross-border transfer of personal data occurs when data is processed (which includes storage, access and automated processing, among others) outside of the European Economic Area (EEA). The focus under both the current Data Protection Directive and the GDPR is to ensure the free flow of data between EEA countries. However, the law also restricts cross-border data transfers outside the EEA because there is a presumption that the law in other countries would not provide an adequate level of protection compared to EU law. Due to globalisation, the workforce is becoming more international and mobile. In Europe, the free movement of workers is enshrined in EU law, so it is common for applicants to have pan-European experience.

Currently, companies are generally prohibited from transferring personal data outside the EEA to a third country that does not have an adequate level of data protection unless a mechanism which safeguards the data is in place. Examples of these are an adequacy decision by the European Commission for cross-border data transfers to certain countries, such as Canada or New Zealand, or transfers to companies that hold a Privacy Shield certification, which was designed by the U.S. Department of Commerce and the European Commission to assist companies in the EU with transferring data to companies in the U.S. Appropriate safeguards such as standard contractual clauses and Binding Corporate Rules (BCRs) are also useful for ensuring that transfers of data across borders are properly safeguarded.

Opening Clauses and Associated Penalties

While it is designed to create more consistency across Europe, the GDPR is not as consistent as you may think. The GDPR allows for “opening clauses,” which let a Member State modify the provisions of an article. These clauses permit Member States to create more or less restrictive applications of the GDPR requirements based on local laws. According to a blog post that leading privacy lawyer John Tomaszewski wrote about opening clauses, “These opening clauses are particularly important to note as there are a number of them (around 30% of the directly applicable Articles have opening clauses), and many of them address an already complicated area of data protection law – employment.” Current labour and employment laws are not expected to change suddenly under the GDPR, but organisations need to stay up to date on local legislation, as changes could be enacted at any time.

Background Screening and the GDPR

For a company that relies on background screening information for its hiring process, it is recommended to have a background screening policy in place. Organisations need to engage with the third-party companies who may collect data on their behalf to make sure they are following the GDPR guidelines, and update privacy notices, policies and contracts accordingly. One way to stay up to date on the GDPR changes and make sure that your organisation is compliant is to sign up for the Sterling GDPR 10-part webinar series. The On-Demand webinars discuss the many aspects of the GDPR, from privacy notices to explanations of what DPOs and DPIAs are and how the changes will affect the background screening industry. Sign up today for these informative webinars. For further information about penalties and preparing for the GDPR, download the On-Demand version of “GDPR: What You Need to Know with 100 Days to Go” today.

Please note: This presentation has been prepared by Seyfarth Shaw LLP and Sterling for informational purposes only. The material discussed during this webinar should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The content is intended for general informational purposes only, and you are urged to consult a lawyer concerning your own situation and any specific legal questions you might have.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.