- Advertisement -

On April 16, 2016, the EU adopted the General Data Protection Regulation (GDPR), which largely rewrites and harmonizes the European legal framework of data protection. The new regulation will become applicable in May 2018 but given the scope and complexity of the GDPR it is important to prepare for this legal change well in advance.

Global Scope

With the GDPR, there will be a substantial expansion of the territorial scope of the EU data protection obligations, which may impact U.S. companies and employers who were previously not affected by EU data protection rules. In determining its geographical reach, the GDPR considers not only the location of the processing, but also the location of the individual whose data is being processed. In this context, if your group of companies has one EU-based employee, the GDPR could be applicable to your organization. Note that the GDPR would also be triggered by processing personal data of EU-based customers.

- advertisement -

Processing Information

If your group of companies has one EU-based employee, and it processes (i.e., collects, uses, transfers or electronically stores) personal data of this employee the GDPR may apply. “Personal data” includes information that is typically considered personal such as an employee’s name, address, income details and medical condition, but also includes not always considered personal such as an employee’s computer or device IP address device identifiers, or other “unique identifiers.” Even if you as an employer offer certain services that give you access to such personal data, such as an IT helpdesk, server access, etc., the GDPR could apply to you.

What Do I Need to Do?

First, you should determine whether your group of companies has EU-based employees or is otherwise processing information related to EU-based employees.

If you have EU-based employees and are processing such information, you should conduct an internal GDPR review to determine which department or which companies (e.g. IT help desk, HR, accounting, etc.) are in scope for GDPR compliance obligations, evaluate current compliance and gaps to be resolved by May 2018, and set up the necessary structure for compliance with the GDPR. The level of data protection in the EU is considered (by the EU) to be higher than in the U.S. and U.S. companies should be prepared for the disclosures, specific guarantees, and obligations under the GDPR. Depending on the circumstances, the GDPR will even require U.S.-based companies with access to personal information to designate a representative based in an EU country to act as the point of contact for the relevant data protection authorities. Given the technical and detailed requirements companies may benefit from the use of targeted guidance.

Sanctions

The global reach of the GDPR calls into question the enforceability on U.S.-based employers. Violating the GDPR can result in penalties of up to 20 million euros ($22.38 million) or 4 percent of the annual worldwide turnover of the company (i.e., annual worldwide gross income), whichever is higher.

Bottom line

The GDPR will not apply until May 25, 2018, but the time for action is now. All HR departments and/or employers should carry out a data review and assess whether the GDPR is applicable and what impact it has on its activities in order to implement the necessary changes in time.

Source: shrm.org

Previous articleAny Room for Arbitration in Nigeria?
Next article70% of Nurses Feel Burnt Out in Their Current Job
ADR Daily is a specialized news portal with a focus on providing authentic news, information and research analysis on Appropriate Dispute Resolution (ADR), Human Resource Management (HRM) and Industrial Relations Management (IRM) in Ghana and beyond. This platform serves as an information resource base for the progress of the ADR, HRM and IRM industries, and seeks to promote professionalism in ADR practice by supporting a network of ADR professionals within and across nations and continents. ADR Daily keenly encourages the mass adoption of ADR mechanisms, particularly negotiation, mediation and arbitration for the resolution of disputes in all spheres, through the publication of industry news and information, as well as by deploying innovative awareness creation engagements.