The countdown is on for the biggest shake up to data protection rules in Europe and the UK – the European Union’s new General Data Protection Regulation (GDPR) will come into effect on May 25th 2018.  The driving force behind the new regulation is to improve the protection offered to European citizens in terms of how their personal data is handled.


The current privacy laws and regulations date back to 1995 when the European Union tried to harmonize the data protection laws and transfer of personal data to countries outside of the Union. Back in 1995 the internet was in its infancy, concepts like social media and cloud storage were a dream and only 1% of the European population was using the internet.

Fast forward to 2017 and those numbers have changed dramatically.  The digital world is everywhere; 49.7%, or 3,739 million of the world’s population has access to the internet and the majority of the global economy is digital. Businesses are now operating globally and processing data across borders and concerns around the security of that information have increased.

The 1995 European Directive wasn’t enforceable in each member state as it fell short of being an enforceable law. The arrival of the GDPR and it’s status as a regulation means it’s immediately enforceable in all member states. And the GDPR has been designed to fit the behaviors enabled by today’s technology yet it is general enough to protect through future innovations.

What’s changed?

Compliance sits with the business

The current regulatory backdrop places the burden of accountability on the relevant country regulatory body to ensure compliance.  Under the GDPR, companies now have to conduct their own self-assessments to make sure they are compliant.  That means an end to regulatory bodies confirming if you are compliant or not.  Instead, companies have to ensure they are in compliance and in addition that their vendors, suppliers and other partners are complying with the law. And if something goes wrong, the company will have to prove they’ve done a data protection-impact assessment to show they’ve taken the proper steps and addressed the issue.

Non-compliance penalties

Penalties just got a whole lot more with the advent of the GDPR. Previously fines for data breaches were managed on an in-country basis so the penalty was assessed by the relevant body in the country where the breach occurred. The GDPR has harmonized not only the regulations but the penalties as well.  If your company breaches the regulations the fine could be up to €20million, or 4 percent of your company’s worldwide revenue, whichever is higher. The EU will set out consistent scaled layers of sanctions depending on the severity of the offense.


Under the GDPR consent to collect data must now be obtained much more clearly and explicitly.  Automatic consent clauses in terms and conditions are no longer appropriate and crucially it must be as easy to withdraw consent, as it is to give it.

Does it apply to my US business?

The reach of the GDPR goes well beyond the borders of the 28 member states of the European Union.  Any company that stores, processes or touches data that originates in Europe will need to comply with the GDPR.  Meaning if your business collects personal information and operates within the EU, you need to take steps to comply. A recent survey by Compuware found that 52% of large US companies acknowledge that they possess EU customer data, which means they’ll need to comply with GDPR.

Many businesses will be examining their business practices in the context of customer data, but the regulations extend to all data including business areas like HR and payroll where internal data is covered too. So if you’re an HR or payroll professional this new regulation impacts your business area if your employer does business in the European Union or employs individuals from the EU.

How does it impact HR and payroll?

Under the new consent regulations, individuals have to have a genuine choice and ongoing control over how you use their data and you have to ensure your organization is transparent and accountable. So does your current employee contract suffice or will a new GDPR consent form be required? This personal data must also be protected against unauthorized access.  It’s likely your mind turns to IT security and hacking and so forth at this point, but you need to consider who within your organization has access to personal data in order to do their jobs. Is there anyone who could access information and result in a breach.  For example, IT security can often access all files, but to be GDPR compliant new processes may need to be put in place.

Under the GDPR you’re responsible for knowing what data is relevant, where it is held, how it is protected and how the data can legally be made accessible. And beyond your internal organization you need to consider systems vendors, partners, consultants who help your business function, as they are required to be GDPR compliant as well.

When it comes to international payroll, World First has partnered with a number of leading payroll providers to simplify the process.  The two common routes when it comes to paying overseas staff are running multiple bank accounts in multiple currencies, or sending payments direct to their local accounts. The World First solution eliminates the various wire and bank fees incurred when funding multiple accounts and provides a transparent margin on the exchange rates required to pay overseas accounts. They enable you to fund a single account and they then make the multiple currency payments to fulfill your payroll obligations. World First has taken the necessary steps to ensure that their solution for international payroll is GDPR compliant so businesses can be confident they’re meeting their obligations when it comes to system vendors and partners.

After May 2018

There’s no doubt that getting organized and meeting the new GDPR regulations will be demanding for businesses. The GDPR represents a significant shift in the way personal data is handled, processed and secured and it has far-reaching consequences for HR and payroll professionals.  However, as individual data privacy rights become ever more important, businesses that are already prepared to protect data are less likely to miss out on future business opportunities from around the world.