EU's GDPR and Its Implications for Global Businesses Hiring Across Borders
The General Data Protection Regulation (GDPR), the EU's new framework regulating the protection of personal data, is set to take effect on May 25, 2018. Designed to modernize EU data protection law for the rapidly expanding digital economy, it repeals and replaces the current framework, the Data Protection Directive (95/46/EC).
Because the GDPR is a regulation rather than a directive, it applies directly and uniformly in all EU member states from its effective date, without the need for national transposition into domestic law.
One of the key changes introduced by the GDPR is mandatory notification of personal data breaches to the competent Data Protection Authority (DPA), generally within 72 hours of the organization becoming aware of the breach unless the breach is unlikely to result in a risk to individuals, and, where the breach is likely to result in a high risk to individuals, to the affected data subjects as well. Post-notification investigations by DPAs are likely to examine the reporting entity's overall compliance with the GDPR, not just the breach itself.
The GDPR also substantially increases the administrative fines that data protection authorities are authorized to impose. For the most serious violations, including breaches of the basic processing principles, of data subjects' rights, and of the cross-border transfer rules, the maximum penalty is the greater of 4 percent of the corporate group's total worldwide annual turnover for the preceding financial year, or €20 million. A lower tier, the greater of 2 percent of worldwide annual turnover or €10 million, applies to other violations, such as failures in security measures, record-keeping, or breach notification.
The GDPR carries forward the cross-border data transfer regime, generally prohibiting transfers of personal data outside the EU unless the European Commission has found that the recipient country ensures an adequate level of protection, or another recognized safeguard is in place. Data protection authorities are empowered to bar data transfers from the EU to a U.S. parent corporation. The EU-U.S. Privacy Shield, one possible mechanism for transferring the personal data of EU employees to a U.S. parent corporation, may not be a reliable transfer mechanism for the foreseeable future, given its ongoing review and the potential for litigation challenging it.
To comply with the GDPR, EU employers must develop a written information security program and a security incident response plan capable of meeting the breach notification deadlines. They must also vet vendors that process employee data on their behalf and put in place compliant data processing agreements, so that vendors adequately safeguard personal data and support the employer's obligation to fulfill requests by data subjects.
U.S. multinational employers should consider extending the policies and procedures designed to comply with the GDPR to the personal data of employees located in countries outside the EU that have adopted broad data protection laws. They should also watch for guidance from EU regulators and changes in local labor laws in response to the GDPR.
The GDPR recognizes standard contractual clauses approved by the European Commission and "binding corporate rules" approved by a DPA as acceptable mechanisms for transferring personal data outside the EU. It also establishes a new right to data portability and codifies the right to be forgotten (erasure). EU employers must establish procedures for employees to exercise their rights, including the rights to access and correct their personal data, to object to its processing, and to request its erasure, and must generally respond to such requests within one month.
U.S. multinational employers should use the two-year period between the GDPR's adoption in 2016 and its May 25, 2018 effective date to prepare, and should monitor developments closely to ensure compliance when it takes effect. This new regulation marks a significant shift in data protection law and requires careful consideration and preparation by both EU and U.S. companies.
Philip Gordon, Co-Chair of the Privacy and Background Checks Practice Group at Littler Mendelson, handles a wide range of employment issues with a focus on those related to workplace privacy and information security.