What global employers need to know about new EU privacy protections
As of May 25, 2018, U.S.-based businesses that have operations in the European Union (EU) or that employ citizens of EU nations will have new requirements to meet regarding data protection. This is when the new General Data Protection Regulation (GDPR) takes effect.
Any companies not prepared to meet the new regulations that experience a data breach could face massive fines. Agents selling group plans, benefit or retirement packages to companies with EU employees that will subsequently store personal information on those employees could also be affected.
GDPR was designed to better protect EU citizen data and to ensure that companies storing that data are entitled to possess it. Standards vary by where the data originates, but generally any information such as name, address or credit card number is covered. In the U.S., protected data is defined as Personally Identifying Information (PII); under GDPR, the equivalent for an EU citizen is known as Personal Data. Failure to protect the PII or Personal Data to the right standard could bring a hefty bill, or upon consistent failure, even an order to cease business in EU countries.
Current U.S. data privacy regulations require companies to notify customers if a data breach occurs, but in the U.S. there can be a significant delay between the breach and the notification letter; not so with GDPR. GDPR requires that the Supervisory Authority be notified within 72 hours, even while a breach is still being investigated. Failure to report within 72 hours could lead to significant fines. Maximum fines could be up to $26M or 4 percent of global gross revenue, whichever is greater.
Insurance companies selling plans to U.S.-based businesses with EU citizen employees or operations in EU nations could be affected because they gather Personal Data from EU subjects.
For example, a U.S. technology company has an office in San Francisco and another office in London. EU citizens work in both locations for that company, and they are all offered the company's group insurance coverage and benefits package. The company collects information on its employees such as name, birth date, social security number, and other data points required for those individuals to apply for insurance coverage, and passes it along to the insurance firm. Under GDPR, if the company or the insurance agency does not properly encrypt this information and a hacker is able to steal an EU citizen's Personal Data, a violation of the regulations has occurred.
The first step toward compliance for any company is determining whether it needs a Data Protection Officer (DPO) and, if so, appointing one. A company will be required to have a DPO if it possesses large amounts of data covered by GDPR. The DPO must be available and involved in any event where there is a possibility of a loss of GDPR-covered data. The DPO will be the point person for any GDPR issue with the affected persons and the Supervisory Authority.
Because the DPO will be instrumental in proving a company's compliance with GDPR, this individual needs to know the regulations and the company's security protocols inside and out. If a company is not required to have a DPO, it should still have a plan in place for whom it will call if the Supervisory Authority opens an investigation.
Additionally, any Personal Data that is lawfully received, stored or processed by a company needs to be encrypted. This means encrypted both at rest and in transit: complete end-to-end encryption. GDPR grants no leniency for outdated software or for new implementations that are still being evaluated for deployment.
Companies will also be required to complete Data Protection Assessments and Privacy Impact Assessments. They will be expected to increase visibility into the level of impact a breach, if one occurs, might have for customers and for the company. All efforts made to comply with GDPR need to be documented so they can be given to a Supervisory Authority upon request.
The best source of information on the regulation requirements is gdpr-info.eu.
Once GDPR takes effect, if a company experiences a breach or is contacted by a GDPR Supervisory Authority, the best course of action is to show an attitude of compliance by offering complete support for the investigation, and then to contact the legal team. It is important to remember that complying with GDPR can be complex. It takes time to update systems and processes to the level of security required by the new regulations. It can also be costly and disruptive, but the protection of data is becoming paramount in the new business paradigm. GDPR is designed so that the cost of compliance is less than the cost of sanctions.