The General Data Protection Regulation (GDPR) is one of the most comprehensive and impactful cybersecurity laws today. While this EU regulation passed in 2018, companies today would benefit from reevaluating their compliance. As remote work becomes the norm, the GDPR and HR’s relationship is back in the spotlight.
Many companies may be complacent about the GDPR, assuming all their operations and partners are already compliant. However, Amazon’s recent $887 million non-compliance fine highlights how these assumptions may be inaccurate. In the move to a more remote-friendly work environment, businesses have also introduced new risks and considerations.
Three years after the GDPR’s passing, compliance is perhaps more important today than ever. Here’s what HR professionals should know while preparing for the future of remote work.
The GDPR is becoming increasingly relevant.
Amazon’s record-breaking fine demonstrates how crucial GDPR compliance is, even for non-EU companies. The regulation carries fines of up to €20 million per violation, enough to put a smaller business in financial ruin. Additionally, many companies that once fell outside of GDPR jurisdiction may now find themselves in it.
Digital adoption leaped five years in eight weeks amid the initial COVID-19 outbreak. Consequently, more businesses are collecting more data than ever before. It’s highly likely that U.S. companies now collect or store data in the EU, putting them under the GDPR.
Since businesses are embracing digital transformation so rapidly, HR departments may not have had time to catch up. Regulatory compliance has likely lagged behind the shift to new technologies and processes. As a result, companies that were GDPR compliant last year may not be any longer.
Perhaps the most impactful of these shifts is the one to remote work. A late-2020 survey of 1,200 global companies revealed that 72 percent of their workforce now works remotely. Furthermore, most companies plan on expanding their remote workforce this year, raising concerns for the GDPR and HR.
Remote work introduces new data security concerns.
The relationship between the GDPR and HR becomes more complicated with a remote workforce. Some rules become more challenging to enforce. For example, companies must notify authorities no later than 72 hours after a breach, but remote communication can be inefficient. Understanding what happened and informing all potentially affected employees may take longer.
Similarly, ensuring employees follow the proper device and network security steps can be challenging with remote workers. One survey found that 76 percent of remote workers have accessed work files from unprotected devices. When employees are on their own, using personal devices on home networks, ensuring compliance is far from straightforward.
Remote work means companies, including their HR departments, are more reliant on digital communication than ever. Consequently, they’re at greater risk of non-compliance from hackers, user error, or non-compliant third-party services.
Since HR is often responsible for companies’ regulatory compliance, it bears much of the responsibility for the GDPR. Additionally, HR departments handle some of a business’s most sensitive data, like employees’ personally identifiable information (PII). Managing that data in a digital, remote environment makes it more susceptible to a breach.
What can HR do to ensure GDPR compliance?
In light of these growing concerns, HR professionals must become familiar with the GDPR. As they shift to remote work environments, they should reassess the steps they take towards compliance.
Remote monitoring software can help reduce security-jeopardizing user errors, but HR should balance this protection with privacy. The GDPR allows monitoring, but only in some contexts, requiring businesses to have legitimate reasons, among other considerations. Generally speaking, it’s best to use the least intrusive measures possible and to be transparent with workers about them.
If companies change what employee data they collect or how they use it, HR should inform workers. Worker consent and the right to be informed are crucial aspects of both the GDPR and HR’s responsibility. Similarly, HR should ensure any process or technology changes uphold employees’ right to have their personal data deleted.
Hiring a data protection officer is one of the most helpful changes a company can make. The GDPR requires this in some organizations, but even those that don’t need one should consider it. By creating such a position, HR can have a go-to contact for questions about cybersecurity regulatory compliance.
Cybersecurity is a crucial part of HR today.
Cybersecurity might not typically be something people expect of HR, but the two fields are inseparable today. HR plays a critical role in protecting employee data and meeting relevant regulations. As such, HR professionals must prepare for how the shift to remote work will impact their GDPR compliance.
As cyber threats rise and remote work introduces new risks, the GDPR must become a point of focus again. HR teams should work with IT departments and management to reassess and adjust their GDPR compliance. Failure to do so can result in massive fines and the infringement of employee rights.