Data Privacy in a Global Implementation Plan
The European Commission’s Directive on Data Protection went into effect in October 1998 and prohibits the transfer of personal data to non-European Union nations that do not meet the European “adequacy” standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States relies on a mix of legislation, regulation, and self-regulation. The European Union, however, relies on comprehensive legislation that, for example, requires the creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin.
GDPR (General Data Protection Regulation) is one of the broadest regulations ever enacted in the European Union, designed to give citizens control over how their personal data is stored and used. The consequences of non-compliance with GDPR are high: a fine of up to 20 million euro or 4% of your organization’s global revenue, whichever is higher. Even if the registered seat of your company is not in Europe, the law may still apply to you if you process data belonging to data subjects in the EU in the course of offering them goods or services or monitoring their behavior.
Naturally, many ERP administrators are wondering what this will mean for them and what they need to do to get ready. It is important to keep a couple of facts in mind; in particular, you will need to be able to do the following with the personal data held in your systems:
• Locating where personal data exists in your systems
• Deleting personal data
• Restricting and logging access to personal data, including reads and changes
• Masking personal data
GDPR compliance is a broad effort. You cannot meet GDPR requirements simply with software tools or updates. There are a wide range of actions and legal decisions that each organization must make, and the regulations go beyond digital assets to include business procedures and even IT security, in terms of technical and organizational security measures.
What are the main areas that must be addressed in any data privacy strategy?
The issues surrounding the directive and their impact on global systems have been significant. Companies have to define, at a corporate level, a data privacy strategy that meets the requirements of the countries involved. In general, these are the main areas that must be addressed in any data privacy strategy:
• Notice: Organizations must notify individuals about the purposes for which they collect and use information about them.
• Choice: Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.
• Onward Transfer (Transfers to Third Parties): An organization may disclose information to a third party only if it makes sure that the third party subscribes to the safe harbor principles, or if it has a written agreement with the third party requiring them to provide at least the same level of privacy protection as is required of the employee’s company.
• Access: Individuals must have access to personal information about them that an organization holds.
• Security: Organizations must take reasonable precautions to protect personal information.
• Data integrity: Personal information must be relevant for the purposes for which it is to be used.
• Enforcement: There must be readily available and affordable independent recourse mechanisms and enforcement mechanisms.
Within these areas of compliance, companies can formulate their own data privacy strategy (the self-assessment approach), with careful oversight by the appropriate legal resources. There is also the option of certifying your company as a “safe harbor” with the U.S. Department of Commerce. In order to bridge the different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce, in consultation with the European Commission, developed a "safe harbor" framework. The safe harbor, approved by the EU in July of 2000, is one way for U.S. companies to avoid interruptions in their business dealings with the EU or prosecution by European authorities under European privacy laws. Certifying to the safe harbor assures EU organizations that your company provides “adequate” privacy protection, as defined by the Directive.
Under the self-assessment approach, verification would have to indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It would also need to indicate that its privacy policy conforms to the Safe Harbor Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and for disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment should be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance.
Organizations should retain their records on the implementation of their safe harbor privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction.
Where the organization has chosen outside compliance review, such a review needs to demonstrate that its privacy policy regarding personal information received from the EU conforms to the Safe Harbor Principles, that it is being complied with and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of "decoys," or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed should be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance.
What are the general issues in the data privacy area?
General issues that a global company should address in the data privacy area are:
• Determine under what conditions data can be transported out of the country, and what data has special restrictions.
• Determine whether there will need to be changes to current processes of local workers’ councils. Negotiations should start early to avoid impacting critical-path processes in the implementation plan.
• Determine the levels of access to required information. Documentation is usually required that explains in detail what data is being sent and stored, why it is needed, and who has access to it and for what reason. Communicating this to the employee population is also generally a good idea, and publishing these guidelines is also recommended. You must be able to justify, on a “need to know” basis, who has access to each piece of data in the system.
• Identify specific regional and local regulations for which you need an overall representative, plus contacts for each region and country.
• Is there a requirement (legal or regulatory) for encryption of data? The recommendation is not to do this for employee master data unless it is absolutely legally required.
What are the recommendations for the data privacy issues?
Recommendations made by the legal teams of global companies that have dealt with the data privacy issues include:
• Develop a code of conduct for data users
• Appoint a data protection officer (Note: in some countries this is a legal requirement)
• Consult all relevant authorities and legal resources in other jurisdictions where the company operates
• Demonstrate that your organization has a culture that respects employees’ rights