GDPR? PDPA? These acronyms may sound unfamiliar to people outside HR, but they are familiar territory for HR and compliance professionals.
What is personal data?
Before diving into the specifics of the GDPR and the PDPA, the first step is to understand what constitutes personal data and why an individual's data protection rights matter.
Personal data is any information relating to an identified or identifiable individual. This includes a national identification number, mobile phone number, date of birth, home address and personal email address.
Within the payroll context, a large amount of sensitive employee information is collected and stored: identification numbers, bank account details, salary and tax data. The onus falls on HR and the payroll department to ensure that the organisation complies with the applicable data privacy laws and regulations and that employees' personal information is stored safely and securely.
What is GDPR and PDPA?
GDPR stands for General Data Protection Regulation, a European Union (EU) law that protects the fundamental rights of data subjects, the individuals whose personal data organisations collect and store. The law also governs transfers of personal data outside the EU. Adopted in 2016, it has applied since 25 May 2018, as governments, organisations and individuals came to recognise the importance of keeping personal records safe so that they cannot be used for illegal or fraudulent purposes.
Overview of the GDPR
The GDPR is regarded as one of the toughest privacy and security laws in the world. The regulation itself runs to 99 articles and 173 recitals; here is a condensed overview of what it means for organisations and individuals:
Data Protection Principles
If an organisation intends to collect and process personal data, there are seven protection and accountability principles (Article 5) to adhere to:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality (security).
- Accountability.
Under the accountability principle, the data controller (the organisation that decides why and how personal data is processed) must be able to demonstrate that it is GDPR-compliant; a data protection officer, where one is appointed, advises on and monitors that compliance. Some tangible ways to ensure compliance with the GDPR include:
- Assign clear data protection responsibilities within the team.
- Maintain detailed documentation of data processing: what data is held, why it is used, where it is stored, who is responsible for managing it, and so on.
- Put data processing agreements in place with any third parties (processors) engaged to process personal data on the organisation's behalf, such as an outsourced payroll provider.
- Train employees and implement technical and organisational security measures, for example access controls restricting payroll records to those who need them, encryption of payroll data at rest and in transit, and audit logging of who accesses employee records.
What does the GDPR mean for individuals?
Under the GDPR, individuals can ask an organisation to erase their personal records or withdraw consent they previously gave. More specifically, where processing is based on consent, individuals must be able to:
- Give consent freely, in an informed and unambiguous way (Article 4(11)).
- Withdraw that consent at any time, as easily as it was given (Article 7(3)); the organisation must then stop the processing that relied on it.
Organisations must also keep documentary evidence that an individual consented (Article 7(1)). One caveat matters for payroll: consent is only one of the lawful bases listed in Article 6. Processing of payroll data usually rests on the employment contract or on a legal obligation (tax, social security, statutory record-keeping), and a withdrawal of consent or an erasure request does not override records the organisation is legally required to retain.
How much are the fines under the GDPR?
Because the GDPR is designed to clamp down hard on data privacy and security failures, the fines are deliberately hefty for large and small organisations alike. Fines are imposed by the supervisory authority (data protection regulator) of the relevant EU member state. That authority assesses whether an infringement has occurred and decides whether a fine is warranted, and in what amount, based on the following ten criteria (Article 83(2)):
- Gravity and nature – the nature, gravity and duration of the infringement, including the number of individuals affected and the damage they suffered.
- Intention – whether the infringement was intentional or due to negligence.
- Mitigation – whether the organisation took action to mitigate the damage suffered by the affected individuals as a result of the infringement.
- Precautionary measures – the degree of technical and organisational preparation the organisation had in place to ensure compliance with the GDPR.
- History – any previous infringements, and compliance with past corrective measures ordered under the GDPR.
- Cooperation – whether the organisation cooperated with the supervisory authority to remedy the infringement and mitigate its effects.
- Data category – the categories of personal data affected by the infringement.
- Notification – whether the organisation proactively reported the infringement to the supervisory authority.
- Certification – whether the organisation adhered to approved codes of conduct or approved certification mechanisms.
- Aggravating or mitigating factors – any other relevant circumstances, such as financial benefits gained or losses avoided through the infringement.
There are two tiers of GDPR fines. Less severe infringements can attract a fine of up to €10 million or 2% of the organisation's total worldwide annual turnover for the preceding financial year, whichever is higher. More serious infringements, such as breaches of the basic principles, of data subjects' rights or of the rules on international transfers, can attract a fine of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Understanding the Personal Data Protection Act
Singapore has its own data protection law, the Personal Data Protection Act 2012 (PDPA). The PDPA was passed by Parliament in 2012 and regulates the collection, use and disclosure of personal data by organisations in the private sector. It was substantially amended in 2020; among other changes, organisations must now notify the Personal Data Protection Commission (PDPC), and in some cases the affected individuals, of a data breach that is likely to result in significant harm to individuals or that affects 500 or more individuals.
What does the PDPA mean for individuals?
Under the PDPA, organisations must notify individuals of the purposes for which their personal data is collected, used or disclosed and, subject to the exceptions in the Act, obtain their consent, which individuals may later withdraw. The PDPA applies to electronic and non-electronic personal data alike, and it covers data about an individual "whether true or not", so inaccurate records are still personal data.
Who is not obliged to comply with PDPA?
While the PDPA imposes these obligations on organisations in Singapore, its data protection provisions do not impose obligations on:
- Any individual acting in a personal or domestic capacity
- Any employee acting in the course of his or her employment with an organisation (the organisation itself remains responsible for the employee's handling of the data)
- Any public agency
- Any organisation acting on behalf of a public agency in relation to the collection, use and disclosure of the personal data
The GDPR and the PDPA are both important data privacy laws that protect individuals' personal data rights. For organisations, compliance is imperative: it builds trust among employees and prevents unauthorised use of employees' personal data for illegal activities.
Compliance is an ongoing challenge for most organisations, and when it comes to payroll, the HR and payroll team plays a critical role in managing payroll data. Whether payroll is handled internally or outsourced to a third party, organisations need to stay on top of changes in data privacy laws to remain compliant. Non-compliance can result in hefty fines and create distrust among employees. A team that is well trained to manage employees' personal records, backed by robust data protection measures and policies, helps the organisation safeguard against illegal and inappropriate use of personal data.