If you’re an employer who hires globally, you’ve likely heard rumblings about the General Data Protection Regulation (GDPR) and the effect it will have on personal data-processing technology. We’re here to chat a bit more about that and how it will affect you and your usage of Kin.
Regardless of where you are headquartered, if you hire in the EU, have current employees in the EU or store vendor data that includes personal information about individuals within the EU, GDPR compliance is not optional, it is mandatory. Not complying with certain provisions of GDPR, such as processing data in an unlawful way, can result in a fine of up to €20 million or 4% of your gross profit, whichever is more.
What is GDPR, exactly?
GDPR is a law that aims to strengthen European Union residents’ rights to privacy and protect their personal data. It will come into effect fully across all European member states as of May 25, 2018. Organizations and tools that collect personal data from EU residents must be compliant with the General Data Protection Regulation (GDPR) in order to continue conducting business within the EU.
Kin plans to be a GDPR-compliant HRIS/employee engagement tool as of the May deadline. We are currently taking all of the necessary steps within our app’s features and security surrounding said features to ensure we’re good to go. As we finalize the steps toward compliance, we’ll be sure to keep you posted via our blogs, emails and in-app messaging.
Becoming GDPR compliant is a multi-step process. It includes not only the security framework and feature reconfiguration, it also focuses allowing users (not just employers) to have access to their personal data entirely, and to have the ‘right to be forgotten,’ or RTBF, which is pivotal to GDPR.
RTBF allows employees to refuse having their data stored online as well as reserve the right to have their personal data deleted at any time within any application that their employer (or any organization) uses. Of course, there are certain pieces of information that employers who have legitimate interest can fight to keep, such as signed NDAs or other agreements between two parties that may later need to be used for arbitration. You can learn more about what you can and cannot keep as a GDPR-compliant employer here.
GDPR defines Kin’s relationships with its customers as two separate parties: data controllers or data processors. First, let’s define both of these terms.
A data controller is you. The definition of it means that your organization is determining the purposes and means of progressing personal data. IE: You’ve hired someone and now you need to have them onboarded and store personal information on them within your Kin system.
Kin is considered the “data processor.” A processor is defined as a person or agency that processes personal data on behalf of the data controller.
While Kin is making sure that its tool is GDPR compliant, it is up to your organization to be responsible in complying with GDPR requirements as the data controller.
It’s important for you to take time to understand the laws of GDPR as a data controller before it takes effect in May. Just because the tools you use are GDPR compliant, does not mean that you as a data controller are automatically compliant as well.
While Kin is not a legal consultant, we do know that great employers want to be prepared for when things change. There are a number of great resources to help you understand your responsibilities under GDPR. We’ll continue to post helpful blogs along the way, so be sure to check back often!
Here are a few other articles and posts to check out in the meantime:
What are you doing to make sure that you stay GDPR compliant?