The new European Union General Data Protection Regulation (2016/679) goes into effect May 25, 2018, replacing the current EU Data Privacy Directive (95/46/EC) that has been in place since 1995. The main objective is to harmonize data protection laws throughout the EU. The GDPR establishes a set of standardized data protection laws that apply to all EU member countries in order to “protect the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.”
Although the GDPR will retain many elements of the 1995 Directive, it has been greatly enhanced and strengthened with additional obligations to account for the current technological society we live in. The GDPR increases the rights of individuals and strengthens the obligations of companies. The GDPR will become the most progressive and strongest privacy and data protection regulation in the world and will impose stiff fines and penalties for non-compliance.
The GDPR applies to all organizations that store and/or process personal information of EU residents, who are defined as “data subjects.” The responsibilities of an organization vary depending on whether that organization is defined as a “data controller” or a “data processor.” For the purposes of the services provided by Ultimate Software, our customers with employees who are residents in the EU are considered data controllers and Ultimate Software is considered a data processor per the GDPR.
What is Ultimate Software responsible for under GDPR?
The GDPR has specific requirements for data processors, regardless of whether they operate within the boundaries of the EU or not. Ultimate Software has the following key practices in place which align with our responsibilities as a data processor under the GDPR:
Processing Based on Contract—All processing we carry out on our customers’ behalf is governed by our formal contract with each organization. Ultimate Software has no ownership of employee personal data, and we only take processing actions that are defined in the contract and actions our customers instruct us to take.
Personnel Access based on Business Need—Ultimate Software employees and subcontractors that are authorized to access customer employee personal data are governed by confidentiality terms. Access is granted only to personnel with a business need to carry out the contracted services and/or instructions provided by the customer.
Security of Processing—Ultimate Software has technical and organizational security measures in place that govern and protect our customers’ information and employee personal data.
- Our systems and services are designed to provide ongoing confidentiality, integrity, availability and resilience of processing;
- Customer data is stored on encrypted servers and transmitted via encrypted sessions;
- We maintain systems and processes that allow us to restore the availability and access to customer employee personal information in the event of a physical or technical event;
- We maintain processes and procedures for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures that provide for the security of processing.
For our Canadian customers implemented in our Canadian data centers, the European Commission recognizes Canada as having adequate domestic data protection laws in place, and permits personal data of EU residents to be legally transferred to Canada. The current adequacy ruling for Canada can be found here.
Breach Notification—Ultimate Software will notify our customers after becoming aware of a personal data breach involving customer employee personal data.
Deletion of Data—Upon termination of a customer’s contractual agreement with Ultimate Software, customer data, including employee personal data, is deleted after all contracted services have been completed, which may include subsequent governmental reporting, or other items the customer has requested of Ultimate Software.
What is an Employer responsible for under GDPR?
The GDPR will harmonize data protection laws, which will be helpful for employers established in multiple Member States across the EU. However, the GDPR specifically states that individual Member States can implement additional or specific local rules for processing personal data in the context of employment. It will be important for HR professionals with employees in the EU to continue to monitor local Member State laws’ impact on the workplace.
Your HR team, ideally with guidance from your legal counsel, will want to review internal business processes and policies to ensure they align with data controller responsibilities under the GDPR. Below are some of the key areas your HR team and legal counsel will want to review:
Processing employee personal data based on “Consent” vs “Legitimate Interests”—The GDPR requires there to be a lawful basis in order to collect and process personal data. Under the GDPR, consent must be “freely given, specific, informed and unambiguous”, in addition to other requirements. Many employers have commonly relied upon consent. However, there is often debate over whether employee consent can be “freely” given. Employers that collect consent from employees should review those notices along with the processes by which they are communicated, captured, updated and maintained to ensure compliance with GDPR consent requirements.
Employee personal data may also be lawfully processed on the basis of the “legitimate interests” of the employer. Examples of “legitimate interests” may include (i) fulfilling the employment contract, (ii) paying the employee, and (iii) paying various taxes owed by the employer, etc. Employers will want to ensure they have clearly documented why personal data is collected from employees and the reasons for each instance in which it is used.
Rights of Data Subjects—The GDPR has enhanced and clarified the individual rights of data subjects. HR professionals will want to ensure they update any processes or procedures in order to provide employees with the ability to exercise their rights under the GDPR, without “undue delay” and in any event within one month.
Right of Access—Employees have a right to access all personal data that the employer retains on them. Access could be granted via a system if the data is stored in electronic form or in a way the HR professional has decided.
Right to Rectification—The GDPR allows employees to have inaccurate personal data concerning them corrected.
Right to Erasure—The GDPR allows employees to have personal data about them erased when it is no longer necessary in relation to the purpose for which it was collected or if consent is withdrawn.
Employers still have time to review their processes and procedures before the GDPR comes into effect on May 25, 2018, but the clock is ticking. Ultimate Software will continue to review all areas of UltiPro and make further enhancements as needed to assist our customers with their responsibilities as data controllers.
This information does not constitute legal advice. Employers should always seek independent legal advice regarding compliance with any laws, rules, or regulations.