GDPR – what are you doing to the relocation industry and to Human Resources? And how is Mike going to help you? And…stuff.
General Data Protection Regulation
What is GDPR? On April 27, 2016 (enforcement date is May 25!), the European Parliament passed the General Data Protection Regulation (GDPR). The GDPR’s goal is to strengthen the security and privacy of sensitive data in the European Union (EU). It also enables individuals to control the collection and use of their personal data and it will change the way that organizations treat data privacy. GDPR carries possible fines for noncompliance of up to the greater of €20 million or 4% of an organization’s worldwide annual gross revenue. Wow!
But those Europeans don’t affect us – what about PIPEDA?
Wrong – All Points Relocation Canada wants people to know that GDPR does affect us. These protections apply to any organization (anywhere) that processes the personal data of EU data subjects. As one article puts it, “the regulation will affect firms both inside and outside of the EU. In fact, any company dealing with EU businesses’, residents’, or citizens’ data will have to comply with the GDPR.” So that includes any EU nationals coming to Canada. You are affected by GDPR! So you have to know about it. If you are a corporation that relocates its employees, you need to know that your provider is GDPR compliant, as are their sub-suppliers. And by the way, PIPEDA and GDPR are highly correlated. Regulations and breach notification provisions in PIPEDA will come into force by the spring of 2018, aligning more closely with GDPR. And PIPEDA will come with fines as well: failure to notify the OPC of a security breach, as required by the PIPEDA provisions, is an offence, punishable by a fine of up to $100,000. Zoinks!
By the way-way
By the way – did you know that GDPR considers someone’s address personal? Their address! We all process that data! Now back to the rest of the article.
The rest of the article
As relocation providers throughout the supply chain (relocation companies, movers, lawyers, destination service providers, temporary accommodation providers, etc.) we perform a host of services for our clients, for which we handle data, and some of that data is personal. So we do have a responsibility to protect that data, and that means being compliant with both PIPEDA and GDPR. All Points Relocation Canada wants to assure its clients that it takes data security seriously and has put in the most stringent measures to keep it safe and trackable.
In short, GDPR impacts the storage, processing, access, transfer, and disclosure of an individual’s data records. Companies need to educate themselves about GDPR, and top-down involvement is crucial in creating a culture of compliance. Some of the new protocols will be personal practice with private data: do not collect personal information unless authorized; do not distribute personal information unless that person has an official need to know, etc. Others will require new and significant data security investments. Others will require new relationships with existing (or new) downstream vendors. The relocation management companies have not previously “legislated” data security requirements for their downstream providers, but they have to now (if the penalties don’t get you revving, losing a great client will), and they will learn that many suppliers do not comply. Will previous business models and profit margins even allow them to comply? Things are going to change.
By the way-way #2:
Did you know that any EU citizen can ask for you to locate and erase (and prove you did it) their personal information? We have all relocated a large variety of individuals. What are the chances that just one of them will ask us for a wipe of their data? Pretty good. Do you know how to find it in your database? Now back to the rest-rest of the article.
The rest-rest of the article.
It will take a lot of effort to get companies compliant with the less technological aspects of GDPR: training our staff, notifying individuals what we are collecting and why, and ensuring that we do not distribute that information unless absolutely required. But it will be the data security investment that will be the most onerous on our industry. The security systems required are generally not in place. Up and down the relocation supply chain, providers will have to invest in new ways, with costs that they have not seen before. Sophisticated monitoring software, specialized security professionals and SIEM aggregation are requirements, not luxuries, when it comes to privacy and relocation services.
But, if done, this means that we will have full accountability within our systems. We will know where our private data is and where it goes, and we will have made the security investments to keep it all safe from breach.
So, GDPR is coming but you can be prepared (this is where Mike comes in).
There is more you can do to get up to speed on GDPR and PIPEDA, and Mike is going to tell you how (talking about myself in the third person can’t be healthy). With the help of great colleagues on the Central Regional Committee, we have worked with CERC to organize an event that will speak to the issues of privacy and data security. Get it from the experts. All you have to do is go to the CERC Central Breakfast on Tuesday, May 8, 2018.
Security doesn’t need to be scary. At this session you will learn more about these new security regimes and practical actions you can take to better protect yourself.