By now, most HR leaders within multi-national organizations, particularly those headquartered or operating in Europe, will be familiar with the looming compliance regulation known as the EU General Data Protection Regulation (GDPR). With 100% compliance required from day one and fines for non-compliance up to 4% of global revenue (maximum €20m), the GDPR is arguably the most critical change in data privacy regulation in 20 years. Failing to comply could severely impact an organization both financially and in terms of its brand reputation.

With just over a year to go until GDPR takes effect on May 25, 2018, organizations are working to ensure compliance sooner rather than later. HR outsourcing providers (who, as processors, are trusted with massive amounts of employee data), and their clients are seeking guidance and solutions to navigate and comply with this new legislation.

In overview, the objectives of GDPR are:

·       Primarily, to harmonize data privacy laws across the European Union member states

·       To drive responsibility and accountability to data collectors and provide regulators with the ability to impose stringent punitive sanctions for non-compliance

·       To increase the rights of individuals by requiring consent to be freely given, specific, informed and unambiguous; further, this consent can also be revoked.

Key aspects of the regulation are:

·       It applies to any company (regardless of that company’s location) processing personal data of ‘data subjects’ (customers, employees, etc.) residing within the European Union

·       Organizations must now employ a data protection officer to oversee compliance

·       HR outsourcing providers (also referred to as ‘data processors’) now have direct data protection accountability under the GDPR, whereas previously this was only contractually obligated between the provider and employer

·       It requires organizations to notify individuals within 72 hours of a data breach being discovered

·       Individuals have the right to portability of their data, and employers must transmit that in a standard machine readable format; additionally, individuals have the right to full erasure of data.

I recently spoke with leading HRO vendors headquartered in Europe to discuss the impact of GDPR on HR outsourcing. NGA HR, SD Worx, and Zalaris (to name a few) all consider GDPR to be a critical priority, and they are investing millions in readying their delivery models and clients to ensure compliance on day one.

While this new legislation has created significant cost and effort for organizations and service providers to become compliant, it has also created opportunity in the HR space.  For example, a recent study by the International Association of Privacy Professionals (IAPP) estimates ~75k new jobs are expected to be created as a result of GDPR, many of which will be newly-appointed compliance officers and newly-established compliance organizations to own GDPR governance.

Providers headquartered in the region see longer-term opportunities that will likely pay off in the form of an overall enhancement to more secure, standardized, risk-averse processing of HR data and transactions, improved client/provider relationships, and potential new clients wins.

First, GDPR has created the need for providers to validate existing end-to-end processes throughout the delivery model, to identify opportunities that support robust security, and reduce manual processes by driving up standardization and digitization. For example, data privacy concerns are an inherent driver for more self-service usage by employees, allowing them to own their data, preventing unnecessary handling of their private information by others. This will drive efficiency and accuracy, reducing the risks associated with manual processes, and ultimately reduce transactional costs to the vendor and clients.

Additionally, the new legislation will indirectly force client and provider to work closer together. Providers and their customers will need to share responsibility for the secure management of HR data, driving them to work very closely together to achieve and maintain compliance up and down the HR operating model.

While it is too soon to gauge or predict market growth directly attributed to GDPR, the legislation is yet another driver for customers to make a move toward more robust, secure systems and leverage outsourcing as a catalyst for change, by wrapping compliant, leading practices around those new systems.

While most organizations will act proactively to head off this critical HR compliance risk, there will most certainly be those who will be left scrambling to catch up, thereby creating opportunities for HR outsourcing providers. It will be interesting to see how GDPR impacts the HR services market over the next year and beyond May 2018.