EU’s 2018 Data Regulation Update Poses Challenge



The European Union is to implement a regulation May 25, 2018, that will necessitate adjustments to payroll data transmission procedures to maintain compliance, a lawyer said May 19. 

The General Data Protection Regulation, also known as the Global Data Privacy Regulation (GDPR), is to help standardize data requirements among the 28 EU countries to a greater degree than its 1995 predecessor, said Jennifer Mullins, general counsel at SafeGuard World International. 

Under the previous Data Protection Directive 95/46/EC,  EU countries were required to enact laws to conform to the directive but there were significant differences among the laws, and the GDPR text is to be applicable for all member countries, Mullins said at the annual American Payroll Association Congress in Orlando, Fla.

Payroll professionals whose employers either conduct business in the EU or employ individuals from the EU have an intensified responsibility under the GDPR to “know what data is relevant, where the data is, how it is being protected and how the data legally can be made accessible,” Mullins said. 

“Privacy has become a very hot topic for any multinational corporation,” Mullins said. “It’s one of the top issues and it’s going to continue to get even more important.”

The data processing aspects emphasized by the GDPR, all of which are applicable for processing payroll data, include the necessity of abiding by laws and regulations regarding data transmission and recordkeeping, maintaining transparency in how data are used and whether third parties have access to the data, and upholding fairness in handling data, Mullins said. 

The GDPR also emphasizes the necessity of specifying to employees and other individuals what personal identification data and other data relevant to them are being collected and transmitted, identifying why and how these collections and transmissions are occurring, clearly communicating recourse methods available to individuals who feel their data were mishandled, and providing methods for individuals to correct their personal data after the data were collected, she said.

Under the GDPR, unlike under the 1995 directive, data processors that receive notification from an individual of the need to correct data applicable for that individual must inform sub-processors or third parties to which they sent uncorrected data of the need to update the data, Mullins said.

Data breaches, which always are important to vigilantly guard against, under the GDPR must be reported by employers to the data protection agencies of applicable EU countries within 72 hours of when the employers’ data controllers, who are those who have authority to make decisions regarding data, learn of the breaches, Mullins said. 

The GDPR specifically covers all entities processing personal data of individuals from the EU, regardless of where those processing entities are located and regardless of whether relevant data processing occurred within the EU, whereas the 1995 directive was ambiguous regarding its geographic applicability, according to the EU’s webpage regarding key data-processing changes under the GDPR.

International Payroll Decision Support Network. With more than 90 countries covered, this is your one-stop resource for reliable, up-to-date guidance and analysis in every area of global payroll administration and compliance.  

Join the Bloomberg BNA U.S. and Global Payroll group on  LinkedIn and follow Bloomberg BNA on Twitter  @BloombergBNA.