The protection of personal data is a fundamental right for the EU. Citizens share more and more personal data due to the rapid development of online banking, online shopping, social media (Publications office of EU, n.d.), tax return submission, teleworking, ERGANI (Greek recruitment-payroll e-system), E-EFKA (Greek e-Social Security Agency), E-AADE (Greek e-tax system), big data, cloud computing etc. The protection against data theft is therefore considered necessary.
For this reason, on May 25, 2018, the EU General Data Protection Regulation (GDPR) 2016/679 (Official Journal of the EU, 2016) came into force, introducing increased obligations and restrictions for businesses that maintain, manage, and process personal data. Its aim is the facilitation of personal data protection in all EU member states. In Greece, Law 4624/2019 (e-nomothesia, 2019) incorporated Regulation 2016/679 and Directive 2016/680 on personal data. European legislation on the protection of personal data includes Article F of the Treaty on European Union, Article 8 of the Charter of Fundamental Rights of the EU, Article 8 of the European Convention on Human Rights, and Convention 108 of the Council of Europe and its update (Data Protection Authority, n.d.).
The new regulation empowers Data Protection Authorities in Europe to impose fines for serious personal data breaches of either up to 4% of their annual global turnover or €20 million, whichever is higher (GDPR.EU, n.d.).
GDPR fines increased by 113% from July 2020 to July 2021 and are still growing. Indicative examples of companies that received huge fines in July 2021 are Google, with fines of €60 million, and the H&M online shop in Germany, with €35 million (Konstantinos Karapappas, 2021).
The GDPR gives citizens rights such as the right to know who is processing their data and for what reason, to have access to their data, to have it corrected, to request its deletion under certain conditions, to request the restriction of the processing of their data under certain conditions, to request the transfer of their data to another controller, to object to processing (including processing carried out in the public interest), and not to be subject to automated decision-making or profiling (Data Protection Authority, n.d.).
Companies/organizations are responsible for data assurance and protection, processing security, data breach notification and impact assessment. Furthermore, the regulation specifies the cases in which appointing a Data Protection Officer (DPO) is mandatory. The development of codes of ethics and their approval by the Supervisory Authority are encouraged (TAXHEAVEN, 2017).
The activities that will be most affected by the regulation in question are health services, financial services, human resources services, online sales services, telecommunications services, energy services and the government sector (Privacy Advocate, n.d.).
The GDPR poses particular challenges for HR leaders, since the volume of personal data they hold is huge and scattered. HR's responsibility is to find the right balance between protecting the personal data of company employees (current and former) and protecting the business itself by setting the right policies for the data retention period. HR must report personal data breaches without delay, together with the actions it will take in response, and must take security measures such as data encryption.
It is necessary to update/train personnel on the content, rights and obligations of the GDPR, and also on the consequences of breaching it. HR must have a voice on the organization's GDPR project team, choose the right data protection officer, obtain employees' consent to the processing of their data, identify lawful grounds for processing employee data, review and update data, communicate the new rules using a data privacy statement, describe the data protection obligations of employer and employee, revise existing data protection policies, create new troubleshooting procedures, check that recruitment profiling and screening arrangements meet the new rules, and cooperate with all departments.
For full compliance with the GDPR, HR must train and inform the staff so that they understand the processes. Accountability and transparency must exist in these procedures. The GDPR requires an organization-wide culture change to be effective. The GDPR and its requirements must be fully integrated into the organization, and everyone must accept responsibility for managing personal data at all levels.
Technology can help HR managers. Good software can help the HR team upgrade the employee experience, improve HR agility, ease compliance management, provide employee case management, a knowledge base, process automation and employee file management, help with staff coordination, etc. Files sent electronically to the tax and social security authorities, emails, payroll programs and everything in the cloud must be encrypted. Programs and email clients now have mechanisms to encrypt their data.
HR and DPO must draw up a GDPR regulation and communicate it within the organization.
The HR department helps to develop a GDPR compliance system by doing the following:
- assessment of employee data, and decision on who will have access and to which data
- executive training
- documenting policies and procedures by recording inputs and outputs in each process, with the help of IT systems
- documenting and evaluating the legal framework
- creating a personal data map, with the legal basis for processing and its documentation
- data privacy impact assessment
- gap analysis, which assesses the organization's level of compliance with the requirements of the GDPR
- policy and control procedures
- staff training
- legal measures, IT measures and the implementation of procedures/policy measures
- review and update of all privacy and HR processes
- preparation for the possibility of a data breach
Finally, the GDPR is forcing HR departments to review all their procedures.
Bibliography
- Data Protection Authority (n.d.). My rights under the GDPR. Data Protection Authority. Available at: https://www.dpa.gr/el/polites/gkpd (Accessed: 17/09/2022)
- Data Protection Authority (n.d.). Personal data. Data Protection Authority. Available at: https://www.dpa.gr/el/enimerwtiko/nomothesia/proswpikon_dedomenon (Accessed: 17/09/2022)
- e-nomothesia (2019). Law 4624/2019 – Government Gazette (ΦΕΚ) 137/A/29-8-2019 (codified version). E-NOMOTHESIA.GR. Available at: https://www.e-nomothesia.gr/kat-dedomena-prosopikou-kharaktera/nomos-4624-2019-phek-137a-29-8-2019.html (Accessed: 17/09/2022)
- GDPR.EU (n.d.). What are the GDPR fines? GDPR.EU. Available at: https://gdpr.eu/fines/ (Accessed: 17/09/2022)
- Konstantinos Karapappas (2021). GDPR: fines increased by 113% – Google and H&M Hennes & Mauritz in the top positions. Dnews. Available at: https://www.dikaiologitika.gr/eidhseis/kosmos/350785/gdpr-afksithikan-kata-113-ta-prostima-google-kai-h-m-hennes-mauritz-stis-protes-theseis (Accessed: 17/09/2022)
- Official Journal of the EU (2016). Regulations. Official Journal of the European Union. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679 (Accessed: 17/09/2022)
- Privacy Advocate (n.d.). GDPR: the 10 most frequently asked questions. Privacy Advocate. Available at: https://privacyadvocate.gr/gdpr-%CE%BF%CE%B9-10-%CF%80%CE%B9%CE%BF-%CF%83%CF%85%CF%87%CE%BD%CE%B5%CF%83-%CE%B5%CF%81%CF%89%CF%84%CE%B7%CF%83%CE%B5%CE%B9%CF%83/ (Accessed: 17/09/2022)
- Publications office of EU (n.d.). EU data protection reform. Publications Office of the EU. Available at: https://op.europa.eu/en/publication-detail/-/publication/69760de9-4ceb-11e8-be1d-01aa75ed71a1 (Accessed: 17/09/2022)
- TAXHEAVEN (2017). What is the "GDPR" and what are the obligations of businesses. TAXHEAVEN. Available at: https://www.taxheaven.gr/circulars/27607/arora-ti-einai-o-gdpr-kai-poies-oi-ypoxrewseis-twn-epixeirhsewn (Accessed: 17/09/2022)