What Is the General Data Protection Regulation (GDPR)

Making waves when it first came out, the General Data Protection Regulation (GDPR) has become a mainstay in global data privacy law. Since it entered into force, many countries across the world have enacted their own data protection legislation.

For example, Canada has its Digital Charter Implementation Act, and New Zealand updated its 1993 legislation with the Privacy Act 2020. In the US, however, data privacy laws are still in their infancy.

While these laws may not seem relevant to your business if you don’t regularly handle large amounts of data, the GDPR and other privacy protection laws are crucial to employers. All companies collect data on their employees, which makes them data controllers. As such, they must adhere to the rules set out in these laws. 

In the case of the GDPR, employers must sufficiently protect the data privacy of EU citizens whether or not they operate in the EU. Read on to understand how the GDPR affects your business and how you can hire European talent in compliance with this regulation. 

What Is the GDPR? 

The General Data Protection Regulation (GDPR) entered into force on May 25, 2018. The GDPR is a set of guidelines and policies that govern personal data privacy across the European Union (EU). The main goal of the GDPR is to unify and harmonize data privacy protection across the many states that comprise the union. 

Seven crucial principles govern the GDPR: 

  • Lawfulness, Fairness, and Transparency
  • Purpose Limitation
  • Data Minimisation
  • Accuracy
  • Storage Limitations
  • Integrity
  • Confidentiality

Did you know that identity theft occurs about every two seconds? That’s why these data protection rules are crucial for protecting individuals’ data in Europe and beyond. These principles guide the clauses outlined in the regulation to protect EU citizens’ data from being used unlawfully and without their consent. 

Understanding GDPR Terminology

It can be difficult to navigate the legalese of GDPR. So, here is a quick list of important terms you should know to understand the rules and your responsibilities under the GDPR. 

Data subject

A data subject is a natural person whose data is being collected. This can be any individual, but in the case of companies, it’s usually a customer, user, employee, or contact. 

Personal data

This is data that can be tied to a given identifiable person. It could relate to their personal, professional, or public life. Personal data can include (but isn’t limited to) photos, email, phone numbers, medical information, social media posts, IP address, home address, etc. 

Data controllers

Any organization that collects and holds personal data is a data controller. They are responsible for the data they control and manage it per regulations. For example, as an employer, you collect your employees’ data. This makes you a data controller. 

Data processors

A data processor takes data from a data controller and uses it. For example, a payroll, data analytics, or market research company may be a data processor. 

Data protection officer

A data protection officer or DPO is a role that an organization must designate in one of two cases. First, any public authority that processes data must have a DPO. Second, if an organization regularly and systematically monitors data subjects on a large scale OR if the organization processes data about criminal convictions on a large scale, they must also designate a DPO. 

Data portability 

This refers to the right of a data subject to request data from the data controller/processor in a format that is easy to reuse elsewhere. In the GDPR, this only applies in the case of automated data processing. 

What Does GDPR Mean for Your Business? 

Your business does not have to be based in Europe to feel the impact of GDPR. As stated in Article 3 of the GDPR, the rules apply to data processors in and outside of the European Union as long as they are processing the personal data of EU citizens. 

This means that if you, as a data controller or a data processor, process data of EU subjects to offer goods or services or to monitor their behavior, you are subject to GDPR. 

The law also applies to companies not established in the Union but operating in places where Member State law applies under international law, for example a diplomatic mission or consular post. 

What Types of Data Does GDPR Cover? 

The GDPR is a comprehensive set of regulations covering any type of personal data identifiable to an individual. This includes regular data and sensitive personal data. GDPR scope includes but isn’t limited to the following. 

  • Basic personal information: names, addresses, phone numbers, email addresses, and other similar identifiers
  • Identity information: data such as government-issued identification numbers (e.g., social security or national ID numbers), passport information, and driver's license details
  • Contact information: mailing addresses, phone numbers, email addresses, and the like
  • Financial information: data related to financial transactions, bank account numbers, credit card details, and other financial records
  • Health and medical data: information about an individual's health, medical history, and healthcare services received
  • Genetic and biometric data: unique biological characteristics such as fingerprints, DNA, and facial recognition data
  • Web and electronic data: IP addresses, cookies, and other digital identifiers used for online tracking and behavior analysis
  • Employment and professional information: data related to an individual's job, employment history, job title, and workplace
  • Racial or ethnic data: information about an individual's race, ethnicity, and related details
  • Political and religious beliefs: data about an individual's political opinions, religious beliefs, and other philosophical affiliations
  • Sexual orientation and gender identity: information about an individual's sexual orientation or gender identity
  • Criminal records: details about an individual's criminal history, convictions, and related legal matters

What Happens If You Don’t Comply with GDPR Requirements? 

In 2022, European authorities issued EUR1.64bn (USD1.74bn) worth of fines — a 50% year-over-year increase — in response to GDPR violations.

Instagram and Facebook were hit by large fines from the Irish Data Protection Commission in response to their profiling practices. 

Data protection supervisory authorities have also rigorously assessed cross-border data transfers. This has been a move to protect European citizens’ data from being accessed by foreign government authorities once it leaves the Union. 

In 2023 and beyond, the GDPR will likely tackle issues related to AI and the use of personal data in AI training. 

But authorities don’t just focus on large organizations when it comes to GDPR compliance. As of August 2023, authorities had issued over 1,700 fines for various reasons. This includes things like not having sufficient grounds for data processing, failure to comply with data processing agreements, ineffective collaboration with supervisory authorities, and a general lack of compliance with the GDPR. 

As such, companies must conduct data protection impact assessments before they get in trouble with EU authorities.  

Countries in Europe that Have Adopted the GDPR

All 27 EU countries, as well as Iceland, Liechtenstein, Norway, and the United Kingdom, have adopted the GDPR. The GDPR applies in these countries and in territories governed by their laws under international law, which includes, for example, embassies and consulates. In addition, any company doing business with or collecting data on natural persons from any EU country or the UK must also follow the GDPR regulatory requirements. 

Countries in Europe that Have NOT Adopted the GDPR

Most European countries that are not part of the European Union do not follow the GDPR standards. They may, however, have their own data privacy laws, which may or may not be similar to the GDPR. Again though, if a company based in these countries collects and processes data about EU citizens, GDPR compliance is mandatory. 

GDPR and Hiring: What Does It Mean for Employers in the EU? 

If you plan to hire a citizen from an EU member state or other countries where the GDPR applies, you’ll need to do so in compliance with its regulations. This means that you have to restrict processing when it comes to the data of these citizens according to the regulations stated in the policy. You must also protect your systems from data breaches. 

As an employer, you collect data from both candidates and your employees. Any time you receive a resume, you gain access to a wealth of personal data, including the person's contact information, name, employment history, and more. Then, during the hiring process, you might run a background check or require a criminal record check, giving you access to sensitive personal data. 

Once you hire an employee or even engage an independent contractor, you’ll collect their sensitive financial data for payment purposes. You will also get ID information, taxpayer information, and other data to process payroll. 

All in all, this means that as an employer, you are a data controller. Most likely, you won’t become a data processor when it comes to employee data, as you won’t be using this information to compile statistics. Even so, you must protect this data. Systematic monitoring and gap analysis can help you ensure that you have the right systems in place for GDPR compliance. If you systematically collect and process large volumes of data in the countries where the GDPR applies, you may also need to assign a DPO within your organization. 

Countries with Policies Similar to the GDPR 

As the amount of data the world generates grows exponentially, more countries are adding data privacy regulations to their legislatures. Several countries have strict data protection laws similar to the GDPR. Here are some examples that employers should be aware of. 

This list only includes a few illustrative examples, so employers should always verify the types of legal frameworks in place when they decide to hire abroad. 

Ensure Compliance with an Employer of Record Like Borderless 

Worried about GDPR compliance when hiring in the EU? Work with an Employer of Record (EOR) like Borderless to avoid the headaches associated with data privacy laws. 

An EOR acts as the legal employer on your behalf. We become the data collector for your employees in GDPR-compliant countries and ensure that data is properly collected, stored, and managed throughout its lifecycle. 

If you are a company operating outside the EU, you don’t need to worry about GDPR compliance even when hiring top European talent. 

Borderless takes care of every legal detail. Not only do we ensure GDPR compliance, we also take on local employment laws and regulations, global payroll processes, immigration and visa issues, and generally facilitate your global HR expansion. 

Book a demo today to learn how to seamlessly hire in Europe and 170+ countries worldwide.
