GDPR applies to all private or public organisations (companies, associations, government bodies,…) who process the personal data of European citizens. The regulation will, for example, apply to all companies who have personal data in their possession. HR is involved in many processes involving personal data, including wage and personnel administration, databases containing the personal details of employees and applicants, the exchange of data with the Social Security Authority, the annual photograph book, etc.
New obligations for employers
Instead of the current requirement to submit a declaration to the Belgian Data Protection Authority, many businesses (with over 250 employees) will be required to maintain a register of all of the processing activities for which they are responsible.
The privacy statement within which you currently provide certain information to the person concerned when processing personal data (information obligation) must be supplemented with additional information, such as the legal basis and the period of retention.
In high-risk situations (such as the introduction of new technology), a Privacy Impact Assessment (PIA) must be conducted. When new products are being developed, for example, data protection must be included from the very start (privacy by design).
Certain businesses will be obliged to appoint a Data Protection Officer.
If a data leak is likely to lead to damage for the person concerned, there is a requirement to report this to the Privacy Commission within 72 hours of discovery.
New rights for employers and the persons concerned
Under the GDPR, the persons concerned enjoy the same rights as under the current Belgian Privacy Law, with new improvements and additions.
The person concerned cannot be assumed to have provided tacit agreement for their data to be processed, permission must be given explicitly.
Requests to access the data of the person concerned will be processed within 30 days (this is currently 45 days).
The person concerned also has a ‘right to be forgotten’, i.e. under specific circumstances, it will be mandatory to delete their personal data.
There is thus improved protection against direct marketing practices, automated decision-making (during applications via the internet, for example) and profiling.
The persons concerned also have the right to obtain their personal data in a structured and electronic format (this is the right to data portability).
Greater risk of higher sanctions
With the GDPR, every organisation will have to prove that they agree with the data protection principles, i.e. that they are complying with the GDPR (reversal of the burden of proof, accountability).
If a company fails to comply with or breaches the rules, it will run the risk of a fine of up to EUR 20,000,000 or 4% of the worldwide turnover. The authority of the Privacy Commission will be expanded in order to give it more leeway, allowing it to be proactive and impose direct sanctions where necessary.
It is clear that privacy law will not just be empty words.
’13-step action plan’
Given the significant risk that privacy (data protection) poses for your organisation, both in terms of business effectiveness and reputation, you must prepare yourself well and implement the necessary measures regarding privacy.
In the context of the importance of the processing of employee personal details, you are advised to make HR part of the Data Protection project team which, based on the project plan, will inventory the existing personal data processes (data audit) and make the corresponding adjustments.
With respect to raising awareness, it is also important to notify employees in good time via the Works Council.
The Belgian Data Protection Authority (the former Privacy Commission) can provide a 13-step action plan which could help to ensure that your organisation is GDPR compliant by 25 May 2018. Consult the step-by-step plan via this link (only available in French and Dutch).