June

Businesses around the world are shifting their approaches to data security, with the effective date of the European Union's (EU) General Data Protection Regulation (GDPR), set for May 25, 2018.

Anyone doing business in the EU will be impacted, including companies with websites that are available in Europe. There are several resources that serve as a GDPR primer for employees, including the European Commission 's GDPR Infographic, which is one of the clearest and most readable overviews of the regulations.

Forrester's GDPR episode of the "What It Means" podcast is worth a listen and the GDPR Report is a great place to learn about various new laws under the Right to be Forgotten (RTBF).

The implementation of the European Union's General Data Protection Regulation (GDPR) introduces the concept of a "right of erasure", i.e. a 'right to be forgotten'.
 
Under GDPR, an employee will have a right to have his|her data erased and no longer processed. A few practical examples of where an HR department may be compelled to erase employee data include collecting data about an employee to administer benefits, collection of data during a hiring process but not being able to demonstrate grounds for continuing to process it, collecting data on an employee's past address but the employee has since provided new information, and more.

Failure to comply with the upcoming General Data Protection Regulation (GDPR) could result in significant fines and disruption to business.

The recent blog from Bryan Cave LLP discusses privacy notices aimed at staff. It is not enough for businesses to continue giving staff a privacy notice under existing data protection laws. Businesses should make sure that privacy notices are concise, understandable, accessible and use clear and plain language.

In order to ensure compliance with the requirement that notices be concise, businesses should consider whether it is appropriate to have different, tailored notices for different types of individual. Article 13 of the GDPR requires that various types of information be given to data subjects, including name and contact details, purposes and legal basis of processing, and the right to lodge a complaint with a data protection authority.