Upon learning about new data privacy rules in the European Union, some U.S.-based business leaders deny that the strict laws will apply to them. If a company employs even a single EU citizen, they must comply with the new law on data privacy, no matter their location. Denial is only the first stage in the journey to compliance, or they can face a fine of up to €20 million, said Adrienne Ehrhardt, partner and practice group chair of the privacy and data security group at Michael Best & Friedrich LLP, a national law firm based in Milwaukee.
By May 25, 2018, companies employing European citizens will have to comply to the General Data Protection Regulation, or GDPR, a law that requires:
- Consent: Companies must request consent for data collection, present it in easily understandable wording and provide employees the ability to revoke consent.
- Breach Notification: Upon a likely breach, companies must notify those impacted within 72 hours of awareness of the breach.
- Right to Access: Those having data collected can receive confirmation of if their data is processed, where it is being processed and for what purpose. The controller of the data will also provide a copy of the data in electronic format and for free.
- Right to be Forgotten: The subject of the data can have their data erased, not processed and deny access to additional data collection.
- Data Portability: The subject of the data can receive their personal data and transfer it to another controller.
- Privacy by Design: Data protection must be present from the beginning of the design of a data collection system.
- Data Protection Officers: There are record keeping requirements, including appointment of a DPO for companies with the core activity of processing data.
The EU’s Data Protection Directive of 1995 intended to protect individuals’ data and how it’s processed, while leaving the specific rules and implementation up to individual member states. The GDPR will replace it in order to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy,” the EU GDPR website says. Failure to comply with this law will result in a fine of “up to 4 percent of annual global turnover for breaching GDPR or €20 million,” the website says. This applies to both the controllers and processors of individuals’ data, meaning the companies using a software and the software provider.
Monetary penalties aren’t the only repercussions; there’s a reputational cost, too, Ehrhardt said. “Even if your noncompliance is relatively minor, any negative press about a perceived lack of respect for privacy, I think, has potential to be costly.” Because the public is increasingly sensitive about data breaches, there is a heightened awareness. “You don’t want to be the poster child for poor privacy or security practices.”
Headaches and Hurdles
Naturally, GDPR compliance is creating headaches for companies that gather data.
U.S. companies tend to be aware of laws protecting health and financial data, but the GDPR’s definition of personal data is very broad, as is its reach, Ehrhardt said. The GDPR website defines personal data as anything related to a person “that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
“This really cuts across all industries,” Ehrhardt said.
This broad reach is especially true for areas such as talent management and recruiting, said Rick Devine, CEO of TalentSky Inc., a career experience network platform based in San Francisco. When an applicant submits their résumé, or an employee uses a management system for performance feedback or development, this rule of data privacy applies. Permission to use that data must be revocable by the employee, resulting in deletion of all data not necessary for employment and governmental recordkeeping, such as payroll information.
That ability to revoke consent is similar to the arrangements currently built into social media platforms through the “follow” and “unfollow” options, Devine said. Talent management systems, however, were not built with this in mind or with the ability to easily delete the necessary information. “Systems were not designed to really help a company make that easy.”
Thus, Devine suggests that HR technology companies think about application design that allows employees to have ownership of their data. “It’s better for people, and it’s what we should think about as members of the human race, with regard to computing,” he said.
This can help companies, too, he said. For companies that use this data for performance management, Devine said the individual empowerment that comes from this new arrangement could drive greater participation and data collection.
For companies not employing EU citizens, they could feel this rule no longer applies to them. However, with the tight labor market in the U.S. and the global nature of modern business, it would be wise not to limit a valuable applicant pool. Similarly, “The culture of privacy will shift closer to what the Europeans are doing, just because of how small the world is becoming and all the cross-border transfers and adequacy designations,” Ehrhardt said.
Compliance with GDPR will be easier and less time consuming if done so ahead of time, she said. It’s like building a new house versus fixing up an old one and bringing it to code, she said.
And if a company employs even one EU citizen, they must comply, raising the question of whether to have the whole business impacted by GDPR, said Cécile Georges, chief privacy officer at ADP, an HR consulting company based in Roseland, New Jersey.
“Is it better to segregate that and implement a separate compliance program just for that part of the business, or do I take this opportunity to raise the bar in my organization and apply the same type of level of protection to the entire business?” Georges said. ADP chose to apply the same standard to all of its workers through internal policies, she said, adding that it wouldn’t make sense to apply principles to some associates and not all.
When aiming to comply with GDPR, Georges lists five steps:
- Assess to what extent the law applies to the company.
- Look at what the company currently does to comply with regulations around data processing.
- Assess the gap in new requirements versus old ones.
- Set up an action plan to bridge identified gaps in compliance.
- On an ongoing basis, document anything that demonstrates compliance.
Lauren Dixon is an associate editor at Talent Economy. To comment, email firstname.lastname@example.org.