A new personal data and privacy law, the General Data Protection Regulation (GDPR), goes into effect this week, affecting all organizations that offer goods or services to, or collect data about, EU residents. Adopted in April 2016, the regulation aims to give control of personal data to anyone based in the EU and to simplify the regulatory landscape for organizations doing business in the EU.
GDPR regulations apply to data controllers, which are organizations that collect data, as well as data processors, organizations that process data on behalf of data controllers. Employers are, by nature, data controllers since employee information is required to execute business functions such as onboarding, payroll and performance management. PayNorthwest has taken steps to ensure that our software and data processing practices are compliant for any of our clients impacted by GDPR regulations.
GDPR applies to any organization that does business with or collects data about EU residents, regardless of the organization’s physical location or the citizenship of the data subject. Beginning on May 25, 2018, US-based companies that do business with EU residents must be GDPR compliant, which includes:
By utilizing a cloud-based HRIS system with employee self-service capabilities, employers are already giving their employees transparency and the ability to update personal information within the scope of the individual’s role in the organization.
In addition, our software partners at Kronos engaged TrustArc, a 20-year veteran of privacy compliance and risk management, to assess current practices and identify enhancements necessary to come into compliance with GDPR.
Key components of TrustArc’s recommendations and PayNorthwest’s readiness to comply with GDPR include:
Please reach out to your PayNorthwest Customer Service Representative if you have any questions or concerns around GDPR, or contact us at info@paynorthwest.com to learn more about how our cloud-based HRIS system enhances your organization’s ability to comply with evolving privacy regulations.