Fraud Prevention And The General Data Protection Regulation
What your human resource team must know to avoid infringements
Posted on 05-01-2018
Data protection and information security have always been important for businesses. However, May 2018 will mark the start of a new onus on human resource departments to implement data protection measures if their employees are conducting business with individuals in the European Union (EU).
The General Data Protection Regulation (GDPR) is a new piece of legislation in the EU that imposes greater obligations on businesses to keep the personal records and confidential data of EU residents safe. The legislation will also work to reduce the number of fraud and identity theft incidents.
Employee behavior can be a company’s greatest weakness when it comes to data security. Employee negligence happens more often than you may think: a third of data breaches in Canada in 2017 involved negligent employees and cost businesses $241 per capita in damages, according to the Ponemon Institute.
This article highlights key provisions and suggested solutions to help human resource teams comply with GDPR legislation from an information security perspective. It is not to be considered legal advice.
The GDPR applies to any entity that collects, uses or discloses personal data of EU citizens. The legislation refers to these entities as Controllers and Processors. A Controller is an entity that, alone or jointly with others, determines the purposes and means of processing personal data. A Processor is an entity that processes personal data on behalf of the Controller. These provisions can be found in Chapter 4 (Articles 24-43).
It is important to note that the legislation is not limited to organizations that have a physical presence in the EU. Businesses outside the EU that engage in the following activities also fall under the GDPR:
- Offering goods and services to individuals in the EU (including goods and services offered free of charge); or
- Monitoring the behavior of individuals (e.g. internet tracking and profiling) where that behavior occurs in the EU.
It is recommended that businesses consult a legal expert to ensure legal compliance. However, the GDPR specifies the types of activities that could harm individuals in the EU:
- Discrimination or identity fraud;
- Professional secrecy where individuals may be deprived of their rights or control over their data;
- Disclosure of racial, religious, genetic and other special categories of data;
- Evaluation of personal aspects, such as work performance, health, reliability or economic situation; or
- Vulnerable persons’ data and processing on a large scale.
Businesses must also be aware of the following obligations under the GDPR:
Consent: The GDPR requires that consent be obtained to process personal data. Silence or inactivity does not constitute consent.
Breach notification: In the event that there is a data breach, businesses must notify affected individuals within 72 hours of discovering the breach. In the case that the breach affects an individual’s rights and freedoms, notification must be made without undue delay. There is an additional onus for businesses in the financial, energy, transport and digital service industries. These services are considered “essential services” and these businesses must notify relevant data protection authorities in the event of a data breach.
Erasure of information collected: If data collected is no longer needed, if an individual objects to collection, or if the information was collected unlawfully, businesses will be required to erase this information. Additionally, businesses will be required to communicate any erasure requests to other controllers who have the data.
Data Protection Officers: Controllers and Processors will be required to designate a Data Protection Officer who is equipped with the necessary knowledge of data protection laws and procedures. Entities that require this include:
- Public authorities or bodies;
- Entities whose core activities involve regular and systematic monitoring of individuals on a large scale;
- Entities whose core activities consist of collecting data related to racial or ethnic origin, criminal convictions or political views.
Businesses that fail to comply with the GDPR could face significant fines. These fines and sanctions fall into two broad tiers. For serious infringements, fines can be as high as US$24 million, or 4% of the total annual revenue worldwide. Less serious infringements can result in administrative fines greater than US$12,000, or 2% of the total annual worldwide turnover of the business.
To help keep your employees GDPR compliant, it is recommended that HR teams take the following precautionary steps:
1.) Create a human resources information security handbook. Human resource departments should prepare a robust information security policy that is kept up to date. Reading this handbook, followed by an interactive test, should be mandatory for all new and existing employees. This is important since authorities will have the right to review your privacy policies and procedures at any time under the new GDPR legislation. The security handbook should clearly state that employees who obtain information from EU residents must keep a record of the category of data obtained, and document how long the data has been stored before being securely destroyed. Additionally, the destruction methods for both physical and digital documents should be identified.
2.) Mandatory Privacy Impact Assessments (PIAs). Human resource teams should introduce Privacy Impact Assessments (PIAs). PIAs are a critical component of the GDPR that provide risk assessments and identify where an individual’s data can be at risk throughout its processing.
3.) Creation of a “GDPR” officer. It is recommended that there be a designated person or team responsible for ensuring all data protection policies are put into place and followed.
Implementing these procedures at the early stages will be important to ensure that data protection is part of your HR department’s thinking from the start.
Author Bio
Ann Nickolas is the Vice-President of Shred-it. She oversees new business development and account management for customers in the commercial, healthcare, and government verticals. In her role, Ann helps businesses secure their confidential information with products and services, policies and training that help protect them from the risks, fines, penalties, and loss of revenue that come with an information breach. Visit www.shredit.com