Organizations planning to expand their international business activities have much to consider. While the global market presents exciting opportunities for growth, the European Union’s General Data Protection Regulation, or GDPR, will require close attention to a multitude of compliance issues.
The rising global tide of data protection regulations will first crash on American shores this year in the form of GDPR, which takes effect on May 25, 2018. The GDPR affects any entity doing business in the EU, with similar provisions in place in Switzerland and the European Economic Area (EEA) countries of Norway, Iceland, and Liechtenstein. The United Kingdom has expressed its intention to adhere to a similar scheme following its eventual departure from the EU, but there may be revisions in that transition as well.
GDPR requires entities that come into contact with personal data belonging to natural persons (which some countries have expanded to include corporate entities) to implement specific technological and procedural safeguards with respect to that data. In line with GDPR’s emphasis on transparency, covered entities must create mechanisms that allow data subjects to correct, revise, delete, or transfer the data held about them in those entities’ systems. Since the GDPR applies to data flows rather than to national borders, it has a truly extraterritorial reach: if your company encounters personal data belonging to EU citizens, compliance is required.
U.S. multinationals must consider the impact of GDPR on their international activities with respect to customers and vendors, but also as it applies to their global workforces. GDPR places increased obligations on employers and service providers while enhancing employees’ privacy rights. In some cases, individual Member States are permitted to refine the GDPR framework at the local level, requiring not just EU-wide compliance but nation-by-nation vigilance. Further, GDPR defines several types of information routinely collected for human resources purposes as “special categories of data” and requires extra protections for those data.
Whether your organization has been operating within the EU for some time, or is new to the market, GDPR compliance will likely require revisions to internal processes and procedures, technological improvements, and review of contractual relationships with vendors who come into contact with personal data.
To top it off, GDPR carries potentially devastating penalties. Non-compliance related to a technical error, such as improper risk assessment or certifications, can cost a company up to the greater of €10 million or 2% of global annual revenue. Failure to comply with the regulation’s fundamental principles relating to data subject rights or the processing of personal data can reach the greater of €20 million or 4% of global annual revenue. With consequences so steep, non-compliance is not an option. Globalization Partners has a full-time, in-house legal team addressing GDPR compliance head-on as part of our Global Professional Employer Organization (PEO) Platform. If clients use our system and operate within it, they are secure.