As the General Data Protection Regulation’s May 25, 2018 compliance date draws closer, GDPR-related activity continues in the various EU Member States.
EU Member States are continuing their work on the national legislation needed to exercise the discretion that the GDPR leaves to them on many issues, including processing in the context of employment (GDPR Art. 88).
According to a recent article, as of March, only four of the 28 EU Member States had finished enacting GDPR legislation (Austria, Belgium, Germany, and Slovakia). Of the remaining 24 Member States, 16 had draft bills and eight had not yet even published draft bills (the EEA countries were not included in the survey).
Member State data protection authorities (DPAs) are also issuing guidance on various aspects of GDPR compliance (this is in addition to guidance issued by the Article 29 Working Party on behalf of all of the DPAs). The Polish DPA, the GIODO, for example, recently issued draft guidance listing the processing activities for which the DPA believes mandatory data protection impact assessments will be required under GDPR Art. 35. The draft is open for public comment until April 28th. The list includes a number of employment-related activities, an important item of note for human resources professionals.
Similarly, on April 4th, the French Data Protection Authority, the CNIL, published new guidance on steps that organizations should take to comply with the GDPR’s data security requirements (GDPR Art. 32). Even if your organization is not subject to the authority of the French or Polish DPAs, this guidance may nevertheless be instructive for organizations continuing to refine their GDPR compliance strategies.