Why US Employers Can’t Ignore EU’s General Data Protection Regulation

It’s just two weeks until the European’s Union’s (EU’s) much-discussed General Data Protection Regulation (GDPR) takes effect.

The GDPR marks the most significant change to European data security protections in more than 20 years, and will be the first time data breach notifications are mandatory for employers in all 28 EU states. But why does this matter for US employers?

For starters, we increasingly live in a world without borders. “Anyone who markets products over the web will have reason for concern and will have to look at their website privacy policy,” says Littler Mendelson employment attorney Philip Gordon, who co-chairs the firm’s Privacy and Background Checks Practice Group.

On my XpertHR podcast, Gordon discusses the GDPR’s many implications for US-based companies. He says the following employers could be affected:

  • Any US company with employees in the EU will need to address the GDPR (even a small business with a sales representative in Europe);
  • Any US company that offers products or services to EU residents is covered by this new privacy regulation; and
  • Covered employers must provide notice to their local supervisory authority within 72 hours of first becoming aware a data breach.

“We’re past the days where only Fortune 500 companies are multinational,” Gordon explains. “With the ease of communication, even small businesses today can be multinational companies with sales reps in Europe.”

He adds that the GDPR’s long-arm provision will capture any US business that targets consumers in the EU. These businesses will also bear responsibility for any of their third-party vendors’ actions on their behalf.

Another big issue with the GDPR involves consent, which EU regulators view very narrowly because of the hierarchical nature of the employment relationship. Gordon says employee consent under the GDPR must be unambiguous because of concern that employees may feel compelled to share personal data in order to keep their jobs. This means US employers cannot evade the data protection regulation by having employees sign opt-out agreements.

The overall idea behind the GDPR, Gordon notes, is both to give Europeans more control over their personal data and for employers to integrate data protection into their standard operating procedures. The GDPR defines personal data to be any information from which a person could be identified.

That definition and the GDPR’s impending May 25 effective date is creating consternation on both sides of the Atlantic. That’s because under the GDPR’s penalty provision, regulators can impose penalties on companies of up to $25 million or 4% of annual global sales, whichever is larger.

According to Gordon, the number one question people are asking is, “What happens if I don’t get everything done by May 25th?”

Forunately, he says that regulators are starting to recognize that compliance will take time. As a result, Gordon predicts that so long as companies can show good-faith efforts to begin the process to get everything completed as soon as possible, they are likely to avoid stiff monetary penalties in the early going.

“Don’t panic if you haven’t gotten started,” advises Gordon. “This is very doable. Create a team and break down what needs to get done into smaller pieces and take your obligations seriously,” says Gordon. “If you do that, your organization will be fine.”

Our XpertHR podcast features more insights from Littler Mendelson’s Philip Gordon on what US employers need to know about the GDPR.








, ,