Compliance Corner: Sexual Harassment

Earlier this year, New York state signed the 2019 State Budget which updated the state’s sexual harassment laws.

The legislation lays out several new requirements all employers must meet in their sexual harassment policies.

  • The policies must prohibit sexual harassment consistent with guidance issued by the Department of Labor in consultation with the Division of Human Rights;
  • Provide examples of prohibited conduct that would constitute unlawful sexual harassment;
  • Include information concerning the federal and state statutory provisions concerning sexual harassment, remedies available to victims of sexual harassment, and a statement that there may be applicable local laws;
  • Include a complaint form;
  • Include a procedure for the timely and confidential investigation of complaints that ensures due process for all parties;
  • Inform employees of their rights of redress and all available forums for adjudicating sexual harassment complaints administratively and judicially;
  • Clearly state that sexual harassment is considered a form of employee misconduct and that sanctions will be enforced against individuals engaging in sexual harassment and against supervisory and managerial personnel who knowingly allow such behavior to continue; and
  • Clearly state that retaliation against individuals who complain of sexual harassment or who testify or assist in any investigation or proceeding involving sexual harassment is unlawful.

As a part of the law, every employer in the state must provide sexual harassment prevention training that includes the following minimum requirements:

  • The training must be interactive;
  • Include an explanation of sexual harassment consistent with guidance issued by the New York Department of Labor in consultation with the Division of Human Rights;
  • Include examples that would constitute unlawful sexual harassment;
  • Include information concerning the federal and state statutory provision concerning sexual harassment and remedies available to victims of sexual harassment;
  • Include information about employees’ rights of redress and all available forums for adjudicating complaints; and
  • It must include information addressing conduct by supervisors and any additional responsibilities for supervisors.

Employees need to complete this training annually, and it must be provided in the language spoken by employees.

Employers have until October 9, 2019, to comply with the training requirements. The policy requirements became effective on October 9, 2018. Employers can learn more on the state’s website. The website includes a model sexual harassment prevention policy, sexual harassment training script, sexual harassment complaint form, additional explanations of employers’ legal obligations, and FAQs about the new requirements.

Organizations with employees in New York state should evaluate and update their sexual harassment policies to meet the new requirements. Additionally, employers should watch for additional requirements in other jurisdictions as state legislatures respond to the #MeToo movement.

Compliance Corner is a feature on the PeopleScout blog. At least once a month, we’ll be featuring a compliance issue that’s in the news or on our minds. Understanding the patchwork of labor laws across the world is complicated, but it’s part of what we do best. If you have questions on the compliance issue discussed in this post, please reach out to your PeopleScout account team or contact us at marketing@peoplescout.com.

Compliance Corner: Department of Labor Office of Compliance Initiatives

In August, the U.S. Department of Labor announced the new Office of Compliance Initiatives to promote greater understanding of federal labor laws and regulations to help employers prevent violations.

According to the Department of Labor press release, the office will reside within the Office of the Assistant Secretary for Policy and its work will include:

  • Facilitating and encouraging a culture that promotes compliance assistance within the Department
  • Providing employers and workers with access to high-quality, up-to-date information about their obligations and rights under federal labor laws and regulations
  • Assisting enforcement agencies in developing new strategies to use data for more impactful compliance and enforcement strategies
  • Enhancing outreach to stakeholders for the Department’s enforcement agencies

The Department also announced two new websites aimed at providing compliance assistance:

  • worker.gov provides information about worker’s rights and common workplace concerns
  • employer.gov provides information about the responsibilities of job creators toward their workers and answers common questions

According to the National Law Review, the websites do not provide a comprehensive listing or analysis of all rights and responsibilities that exist under every federal employment and labor law, but they do address topics that fall outside the jurisdiction of the DOL, such as employment discrimination laws that are enforced by the U.S. Equal Employment Opportunity Commission (EEOC).

Because the Office of Compliance Initiatives is so new, we have yet to see its full impact; however, employers and employees can consider it a resource for compliance issues.


Compliance Corner: California Consumer Privacy Act of 2018

Earlier this year, the governor of California signed into law the California Consumer Privacy Act of 2018, one of the toughest data privacy laws in the U.S. It takes effect in 2020.

The law is similar to the GDPR. The EU General Data Protection Regulation requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.

The California law applies to most companies that collect the data of Californians, and it expands the definition of what is considered personal information, including behavioral and profiling data and professional and personal background data.

Under the new law, consumers in California are guaranteed the following rights:

  • “To know what personal information is being collected about them”
  • “To know whether their personal information is sold or disclosed and to whom”
  • “To say no to the sale of personal information”
  • “To access their personal information”
  • “To equal service and price, even if they exercise their privacy rights”

The law requires any business that collects a California consumer’s personal information to disclose the categories and specific pieces of personal information that have been collected and the purposes for which the information will be used if the person requests.

If a person requests their information, the business must provide access to it in a format that allows that data to be transmitted to another entity. A person may also opt out of the sale of any of their information.

Businesses must also delete a consumer’s personal information if that person requests, unless the information is necessary for the business to complete a transaction, detect security incidents or protect against fraud, repair errors, protect free speech, engage in research or comply with other California laws.

Businesses who have changed policies to align with GDPR may need to make additional changes to come into compliance with California’s law, and should work with an attorney to determine the next steps.


Compliance Corner: Ban the Box Update

Earlier this year, the governor of Massachusetts signed into law An Act Relative to Criminal Justice Reform that makes several modifications to the state’s “ban the box” law.

The law, which goes into effect in October 2018, adds additional restrictions about which criminal convictions an employer can consider and how employers can consider other convictions.

Under the new law, employers cannot ask applicants about misdemeanor convictions where the date of that conviction or the completion of incarceration occurred three years before the date the person applied, unless the person has been convicted of another offense in the past three years.

Additionally, employers cannot ask applicants about criminal records that have been sealed or expunged. Any request for criminal record information must also include this statement: “An applicant for employment with a record expunged pursuant to section 100F, section 100G, section 100H or section 100K of chapter 276 of the General Laws may answer ‘no record’ with respect to an inquiry herein relative to prior arrests, criminal court appearances or convictions. An applicant for employment with a record expunged pursuant to section 100F, section 100G, section 100H or section 100K of chapter 276 of the General Laws may answer ‘no record’ to an inquiry herein relative to prior arrests, criminal court appearances, juvenile court appearances, adjudications or convictions.”

Any employers who hire in Massachusetts should review their current practices with an attorney. With the growing popularity of “ban the box” laws and the variance between jurisdictions, employers should closely watch any developments and adjust their policies accordingly.

You can read our previous blog post on “ban the box” laws below.

California is the latest state to enact a “ban the box” law. The governor recently signed a bill that prevents private employers from asking about applicants’ criminal conviction histories on the employment application. It went into effect on January 1, 2018.

“Ban the box” refers to the box on applications requiring applicants to reveal their criminal history. The law requires employers with more than five employees to not request or consider a candidate’s conviction history until a conditional offer has been made. California already had a “ban the box” law on the record that applies to state agencies, cities and counties. This law expands that to the private sector.

More than 150 cities and 29 states have enacted some form of a ban the box law. The laws are intended to push a background check later into the hiring process so that employers consider an applicant’s qualifications before their criminal history.

While California’s law does not require employers to justify or explain their decision not to employ someone based on their criminal history, New York City’s law requires employers to justify rescinding a conditional offer based on criminal history. Different cities, states and counties have different requirements as to when employers can request a criminal history or run a background check and what they can do with that information.  If an employer runs a background check after a conditional offer has been made, care must be taken before any adverse decision is made as there are strict regulations governing this process.

With the growing popularity of ban the box laws, employers need to be prepared for the patchwork of legislation, and they cannot rely on a one-size-fits-all approach.

If you want to read more about compliance-related issues, check out our other Compliance Corner blog posts on predictive scheduling, salary history, paid sick leave and New York City’s Freelance Isn’t Free law.


Leveraging Offshore Delivery Centers to Drive Improved Compliance and Recruitment Results

Offshore delivery centers are a growing tool in talent acquisition. Historically, these centers have been leveraged for the cost efficiencies they brought to business process outsourcing programs. More recently, offshore delivery centers are being used to strengthen compliance, drive broader operational efficiencies and improve recruitment performance. The change is driven by an increasingly globalized workforce, a competitive recruiting landscape and increased risk due to a complicated patchwork of compliance regulations.

Positive economic growth in the U.S. and around the world is making it more difficult to find and attract the talent necessary to stay ahead in the global economy. A skills shortage brought on by automation is making the process even more difficult. Low unemployment rates mean candidates have a lot of choices, so employers need to meet candidate expectations during the recruitment process to hire top talent.

However, the compliance landscape is becoming more complicated. The patchwork of compliance laws across the U.S. is complicated and constantly changing. That, combined with increased employment class-action litigation, leaves employers facing extraordinary risk. This means employers not only have to provide a strong candidate experience, but they also have to account for the variety of regulations that apply.

To overcome these obstacles, employers and RPO providers are engaging offshore delivery centers to manage parts of the recruitment process. These delivery centers are effective because, combined with an innovative technology solution, they can drive efficiencies and ensure compliance through strict adherence to workflows. In this blog post, we will cover the benefits of offshore delivery models in dealing with policy and regulatory compliance issues, how these models fit with a technology solution and how to find an RPO partner with global delivery expertise.

Supporting Policy and Regulatory Compliance

There are three major benefits to an offshore delivery center: cost, operational efficiency and compliance. In addition to cost savings realized through a global delivery center, technology, workflow and audit operations can be orchestrated to drive operational efficiency, as well as compliance with corporate and regulatory guidelines. Below are a few ways in which global delivery centers can improve the hiring process.

Background Screening and Drug Testing

Standardized corporate policies requiring completed background investigations and drug tests have been the norm across large employers in the U.S. However, the proliferation of different state and local laws regarding the use of criminal background investigations in the hiring process and the variations in the legal treatment of the use of marijuana in different jurisdictions have injected significant complexity into hiring practices. Employers faced with the need for different drug testing criteria and background investigation procedures can encode and apply variegated workflows for different jurisdictions, without a significant increase in compliance cost or risk, when these are initiated, executed and audited at an offshore delivery center.

Properly Written Job Requisitions

An offshore delivery center can be used to ensure that every job requisition is complete and compliant. Hiring manager or recruiter errors frequently undermine the effectiveness, policy adherence and regulatory compliance of job descriptions. A common approach to this issue has been to force the posting of only static, unchangeable job descriptions that are pre-approved. Times have changed, and it is more important than ever to allow hiring managers to highlight differentiators and add information that will attract the best from a very limited candidate pool. A compliance review of every job description prior to posting or distributing it is an essential step in ensuring compliance with OFCCP and other regulatory criteria, checking fixed elements like accurate compensation ranges and ensuring a minimum acceptable quality level.

Building Global Compliance Teams

As many organizations turn to a global sourcing and recruitment model, an offshore delivery center can be used to quickly and easily set up compliance standard operating procedures for each country in which an organization operates. Because each team is only focused on one set of regulations and they follow a set procedure, the teams can avoid the confusion that arises from dealing with a variety of regulations in different countries. This system can ensure compliance for companies with a large global presence.

Increased Diversity and Decreased Bias

Offshore delivery centers can also be used to increase diversity and decrease bias throughout the recruitment process. For one organization that takes advantage of PeopleScout’s offshore delivery center in Gurgaon, candidates first take an online assessment and are then screened by staff at the center against criteria specified in the job descriptions and subsequently slated for recruiter and hiring manager review. This process reduces the possibility of bias, and translates to a more diverse slate of qualified candidates and reduced risk of discrimination.

Supporting Improved Recruitment Results

In addition to helping create a compliant recruitment program, offshore delivery centers can also improve recruitment results and candidate experience.

Posting to Community and Diversity Job Boards

Most well-known job boards take XML feeds, which allows distribution to be automated. However, job boards like those run by community churches or local unions sometimes still require someone to reach out personally. When an employer has a large volume of open positions, posting to these types of boards can take a lot of recruiter time and the process becomes prohibitively expensive. When an offshore delivery center handles this type of posting, organizations don’t leave these candidates on the table. Additionally, these job boards are also often a source of diverse candidates, which improves diversity hiring.

Timeliness

To keep up with candidate expectations, employers need a fast recruitment process. An offshore delivery center can speed up the process of candidate engagement through procedures designed to accelerate the strongest candidates through to interviews and offers. For one client that takes advantage of PeopleScout’s global delivery center in Gurgaon, India, PeopleScout has met 100 percent of all timeliness metrics for the past three years for tens of thousands of annual hires by engaging with candidates 24 hours a day.

Building a Diverse and High Performing Workforce

In addition to the tangible benefits during the recruitment process, an offshore delivery center also provides the benefits of a diverse and global workforce, including creative new ideas and perspectives and higher productivity. At PeopleScout, employees in our offshore delivery centers in India have provided unique insights and ideas, assisting teams in the U.S. and Canada. In one instance, a recruiter with an educational background in quantitative sciences was able to provide insights that led to the deployment of a local work allocation system that significantly reduced the time it takes us to screen new applicants.

In specialized fields of endeavor, recruiters with specific knowledge and educational expertise are better equipped to screen and select candidates. While it would be prohibitive and less likely to engage engineers, programmers, chemists and other professionals as recruiters in the U.S. and most of Europe, offshore delivery centers have allowed forward-thinking RPO firms to build recruiting teams with these skilled professionals.

Technology and the Offshore Delivery Model

Finding the Right Balance

Innovative technology, including AI, is an important part of any recruiting program. A typical talent acquisition technology stack now includes an ATS, an integrated CRM platform and a myriad of other tools. We have never been better positioned to use analytics to help us make decisions and drive better recruiting outcomes. Striking a balance is important to ensure that we arrive at outcomes that are aligned to organizational goals and are within regulatory guardrails. For instance, using a technology-enabled first pass to screen requisitions can ensure that a job description is accurate across objective features. That can be followed by a human second-pass screen to review flagged areas and screen more subjective areas of the job description, like ensuring that the basic qualifications for the job description are defensible from a compliance standpoint. Another example concerns the use of artificial intelligence-enabled systems to source candidates. All such systems run the inherent risk of allowing biases inherent in prior hiring decisions to perpetuate and amplify across future recruiting efforts. Allowing for a recruiter-led review of system-generated results ensures that all good candidates are appropriately considered. Global delivery centers allow for efficient ways to address the required balance between systems and human interactions across the recruiting life-cycle.

Stepping up Where AI Falls Short

Offshore delivery centers can also take on tasks that AI and automation aren’t able to do yet. For instance, when a new law goes into effect that impacts the recruiting process in a certain region, a new standard operating procedure can be established and deployed in an offshore delivery center within hours. Making that change across a complex technology stack would involve multiple rounds of programming and testing, which would take more time and amplify the risk of compliance issues until deployment.

Finding a Partner

An RPO provider is a valuable partner for organizations looking to take advantage of the benefits of an offshore delivery center. RPOs have expertise in managing clients across the spectrum of compliance needs, so they can quickly implement a customized plan. That experience also means that RPO providers can pivot quickly to address any change in the compliance landscape, developing a standard operating procedure and applying it to any client who may be impacted.

As you’re looking for an RPO partner with offshore delivery capabilities, be sure to assess their ability to address cost, operations, and compliance efficiencies across the entire talent acquisition model.

Compliance Corner: Arbitration Agreements

Earlier this year, the U.S. Supreme Court ruled in favor of employers that use arbitration agreements that include class action waivers. In the event that an employee believes they have a lawsuit against an employer, this agreement provides that the dispute will be resolved through individual arbitration and never as a collective or class action.

The court ruled 5-4 in Epic Systems Corp. v. Lewis that if workers were allowed to band together to press their claims, “the virtues Congress originally saw in arbitration, its speed and simplicity and inexpensiveness, would be shorn away and arbitration would wind up looking like the litigation it was meant to displace.”

For employers, arbitration is beneficial because it is less expensive and quicker. It is also private and confidential as well as more absolute since there are fewer avenues to appeal a ruling.

However, the court did explicitly state that legislators could change the status quo, with Justice Neil Gorsuch writing, “The respective merits of class actions and private arbitration as means of enforcing the law are questions constitutionally entrusted not to the courts to decide but to the policymakers in the political branches where those questions remain hotly contested.”

Due to this ruling, employers should consult with an attorney and consider adding an arbitration agreement in the onboarding process. However, employers should keep in mind that at some point, the practice could change due to legislation.

Justice Ruth Bader Ginsburg in her dissent called for the U.S. Congress to act, writing, “The inevitable result of today’s decision will be the underenforcement of federal and state statutes designed to advance the well-being of vulnerable workers.”

Before the ruling, the Ending Forced Arbitration of Sexual Harassment Act of 2017 was introduced to the Senate; however, at this point, Congress has yet to take action.

Compliance Corner: Worker Classification in the Gig Economy

Earlier this year, a California court ruling established a three-part test that provides the criteria an organization must meet for a person to be considered an independent contractor and not an employee.

The 7-0 ruling by the California Supreme Court in Dynamex Operations West, Inc. v. Superior Court of Los Angeles laid out the following criteria to determine who may be classified as an independent contractor in cases involving minimum wage and overtime payments:

  • (A) “that the worker is free from the control and direction of the hirer in connection with the performance of the work, both under the contract for the performance of such work and in fact;
  • (B) that the worker performs work that is outside the usual course of the hiring entity’s business; and
  • (C) that the worker is customarily engaged in an independently established trade, occupation, or business of the same nature as the work performed for the hiring entity.”

In the ruling, if the worker does not meet all three criteria of the ABC test, then that worker is presumed to be an employee.

Previously, courts had relied on the decision in S.G. Borello & Sons, Inc. v. Department of Industrial Relations which adopted the “control-of-work” test that asks “whether the person to whom service is rendered has the right to control the manner and means of accomplishing the result desired.”

However, the court decided that the Borello test “makes it difficult for both hiring businesses and workers to determine in advance how a particular category of workers will be classified, frequently leaving the ultimate employee or independent contractor determination to a subsequent and often considerably delayed judicial decision.” The result of such circumstances “often leaves both businesses and workers in the dark with respect to basic questions relating to wages and working conditions that arise regularly, on a day-to-day basis.”

With the growth of the gig economy, this has significant implications for organizations in California that use independent contractors to provide a core product or service.

Organizations in California should evaluate whether any independent contractors need to be reclassified as employees.

Compliance Corner: Salary History Update

In April, a federal appeals court ruled that salary history cannot be used to justify paying a woman less than a man for doing similar work under the Federal Pay Equity Act. The ruling in Rizo v. Fresno County Office of Education covers California, Oregon, Washington, Nevada, Arizona, Alaska, Hawaii, Idaho and Montana.

U.S. Circuit Judge Stephen Reinhardt wrote the majority opinion for the 11-judge panel for the Ninth Circuit Court of Appeals.

“The Equal Pay Act stands for a principle as simple as it is just: Men and women should receive equal pay for equal work regardless of sex,” Reinhardt wrote. “The question before us is also simple: Can an employer justify a wage differential between male and female employees by relying on prior salary? Based on the text, history and purpose of the Equal Pay Act, the answer is clear: No.”

Both California and Oregon have standalone salary history bans, but employers in all states covered by this ruling should review their salary history policies to comply with this ruling.

You can read our previous blog post on salary history bans below:

Oregon is the most recent state to pass legislation banning employers from asking about a candidate’s salary history. The laws are growing in popularity, intended as a way to promote pay equality by imposing limitations on how employers can use a worker’s previous salary as a benchmark to set compensation.

In Oregon, the ban on salary history inquiries is a part of the state’s larger Equal Pay Act. The law prohibits employers from screening candidates based on their salary history, and it also prevents organizations from setting pay based on past or current salary.

Delaware passed a similar law. The law does allow applicants to provide the previous salary information if they want, but an employer cannot request it. Additionally, it allows an employer to request salary history after an offer including compensation has been extended. Any employer who fails to comply with the law will have to pay a civil penalty of $1,000-$5,000 for the first offense, and as much as $10,000 for each subsequent violation.

Various other states, as well as Puerto Rico, have enacted similar bans, as well as some cities like Philadelphia and New York City. Employers in these areas should review their salary history policies to make sure they comply with the local laws.

Many of these laws have not yet taken effect. Philadelphia’s salary history ban was set to take effect in May, but it was put on hold due to a pending lawsuit. New York City’s ban is set to begin in October. Many of the more recent measures don’t take effect until late 2017 or even as late as 2019. This gives employers some time to prepare, but considering the current popularity of these laws and pending legislation, companies should expect even more changes.


Compliance Corner: CAN-SPAM, CASL and More

Laws around the world regulate how businesses and employers can interact with individuals through emails. While many marketing teams deal with these regulations every day, they also apply to talent acquisition teams that engage with candidates through email. Different countries have different laws, so this post will cover the laws in the United States, Canada and Australia. If you’re emailing candidates in other countries, you should review any applicable anti-spam legislation.

United States: CAN-SPAM

CAN-SPAM, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, regulates commercial messages in the United States. Commercial messages promote a product or a service—including one-off and mass email sends. It does not apply to transactional or relationship content, which are emails about an already agreed upon transaction. Here’s what it requires:

  • You cannot use false or misleading header information. “From,” “To,” “Reply-To” and routing information must be accurate and identify the person or business who initiated the message.
  • You cannot use deceptive subject lines.
  • The message must include your valid postal address.
  • You must include an option to opt out of future emails and you must honor those opt-out requests within 10 days.
  • For every email you send in violation of CAN-SPAM, you can be fined up to $41,484.

Canada: CASL

CASL, the Canadian Anti-Spam Legislation, applies to commercial electronic messages in Canada. Commercial electronic messages are emails that encourage participation in a commercial activity. Here’s how it works:

  • Commercial electronic mail to Canadian individuals is covered by CASL.
  • The recipient of the email must give express or implied consent to receive the commercial electronic message.
  • Express consent means the person has agreed to receive the message either in writing or orally. An opt-in option, like a website sign up, is considered express consent. An email requesting consent does not create express written consent.
  • Implied consent can be obtained when the person conspicuously publishes their email. That publication cannot be accompanied by a statement that the person doesn’t want to receive unsolicited commercial electronic messages, and the message must be relevant to the person’s business, role, functions or duties in a business or official capacity.
  • An existing business relationship is an exception, which can arise from a purchase or acceptance of a business, investment or gaming opportunity within the past two years.
  • Organizations that don’t comply risk serious penalties, including criminal charges, civil charges, personal liability for company officers and directors, and penalties up to $10 million.

Australia: SPAM Act

The SPAM Act of 2003 prohibits the sending of unsolicited commercial electronic messages with an Australian link. Commercial electronic messages offer, advertise or promote the supply of goods, services, land or business or investment opportunities. A message has an Australian link if it originates or was commissioned in Australia or was sent to an address accessed in Australia.

  • The recipient of the message must provide express or inferred consent.
  • Examples of express consent include an opt-in box on a form or website, verbal confirmation over the phone or face-to-face, or swapping business cards. An electronic message requesting consent does not qualify.
  • Inferred consent can occur in an existing business or other relationship, or when a person publicly publishes their work-related email address, provided that the posting does not state that the person doesn’t want to receive commercial messages and the subject of the message is directly related to the role or function of the recipient.
  • Every email must contain an unsubscribe option that must be honored within five working days.
  • The email must correctly identify the sender or the individual or organization that authorized the email send, and it must include information about how the recipient can contact you.
  • Violations of the Spam Act have a maximum penalty of $2.1 million.

The GDPR, or the EU General Data Protection Regulation, regulates how businesses use and protect the personal data of European Union citizens. Read our previous Compliance Corner post on the GDPR.


Compliance Corner: GDPR

Commonly known as the GDPR, the EU General Data Protection Regulation requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.


GDPR aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.


The GDPR applies to all organizations that collect the data of people who live in the EU, regardless of the organization’s physical location. That means the GDPR impacts organizations across the globe, and the penalties can reach up to 4 percent of the global revenue of the parent company or 20 million euros, whichever is higher. Enforcement begins on May 25, 2018.


The regulation requires privacy by design, which means that a data system needs to include data protection from the start, rather than as an addition. Organizations must only hold and process the data that is absolutely necessary, and limit access to that data to those who need to process it.


The GDPR also requires consent and provides the people whose data is collected with the right to confirmation as to whether or not their personal information is being processed, where it is being processed and for what purpose. If the person requests, the organization also needs to provide a copy of the personal data, free of charge, in an electronic format. The person has the right to give that data to another organization.


Additionally, the GDPR includes the right to be forgotten, also known as data erasure, which entitles the person whose data was collected to have the organization erase the data, cease any dissemination of the data and potentially halt a third party’s processing of that data.


The regulation requires organizations to notify the people whose data they collect within 72 hours of first becoming aware of a data breach that is likely to “result in a risk for the rights and freedoms of individuals.”


Organizations that collect data previously had to notify local data protection advisors about their data processing activities. Under the GDPR, data collecting organizations will not be required to submit those notifications or registrations, but they will need to meet internal recordkeeping requirements, and some organizations will need to appoint data protection officers.


