NEW Professional Member Special>>> Save $20 and receive a SHRM tote bag
More companies are recognizing the importance of giving employees the time and space they need to navigate personal loss.
Save $20 on a New Professional Membership and receive a FREE Tote bag when you join SHRM today!
Learn to overcome challenges and meet your 2017 goals through competency-based HR education. Available in-person and virtually.
Expand your influence and learn how to become an effective leader. Join us in Phoenix, AZ | OCTOBER 2 - 4, 2017
The European Union is poised to adopt a new data privacy regulation that will affect global companies. Here’s how to prepare.
The European Union (EU) is on the verge of adopting a regulation that
will affect how companies protect employee and customer data in all 28
EU member nations.
The final version of the EU’s General Data Protection Regulation is
expected in 2015, and it will be followed by a two-year period to
comply. It will impose stiffer fines than current rules allow for
noncompliance and could result in changes to the U.S. Department of
Commerce’s Safe Harbor program,
which gives U.S. companies the option to comply with the current EU
privacy directive by registering and certifying and then recertifying
annually that they are in compliance with the directive’s principles.
The Federal Trade Commission (FTC) has come under criticism for lax
oversight of Safe Harbor.
There’s no reason for employers to wait for the new regulation or Safe
Harbor revisions. HR should act now—along with IT, legal and other
The EU’s new privacy regulation would replace the 1995 Data Protection
Directive, which provided a framework of principles that each EU nation
individually adopted into law. The draft regulation would impose one law
in all 28 nations.
“For HR managers, more uniformity is good news,” says W. Scott Blackmer, founding partner of InfoLawGroup LLP in Salt Lake City, who consults on employee privacy matters.
But uniformity also requires 28 nations to compromise—not an easy task.
Not surprisingly, the final version of the regulation has been delayed.
The EU Parliament adopted the current draft, comprising 91 articles
governing all aspects of data privacy, earlier in 2014 with the
expectation that a final version, which requires approval by other EU
organizations, would be issued by the end of 2014. The final regulation
is now expected late this year.
Not everyone expects the EU to reach a compromise. “They are far from
consensus on a number of points,” says Jens-Henrik Jeppesen, director
for European Affairs for the Center for Democracy & Technology,
an advocacy group. “Some countries have been arguing that it would be
better to have a new directive rather than a uniform regulation.”
Although the draft contains several controversial provisions (see
sidebar), one proposal in particular would benefit U.S. employers: a
single point of oversight, also known as a one-stop shop for compliance.
At present, each EU member country’s data protection agency (DPA)
enforces data privacy law within its borders. Thus, a company faces
oversight from the DPA in each nation in which it has employees or
The most popular approach in the current draft is to designate the DPA
of the nation where the company has its European headquarters.
Within the EU, opponents of the one-stop approach—especially Germany,
which has the toughest data privacy law—argue that each nation should
continue to handle its citizens’ complaints; they say having a single
point of oversight could result in more lax attitudes than a particular
According to Omer Tene, vice president of research and education for the International Association of Privacy Professionals
and managing director of Tene & Associates, which consults on
privacy with governments and businesses, one senior legal advisor to the
EU Parliament contends that the one-stop approach may even be
unconstitutional because it denies due process.
Storms for Safe Harbor
The fact that the EU draft regulation does not mention the U.S.
Department of Commerce’s Safe Harbor program, which governs the transfer
of employee and customer data between the U.S. and the EU, has drawn
sharp criticism from the American Chamber of Commerce office in the
European Union: “The regulation should expressly include the EU-U.S.
Safe Harbor program as an appropriate safeguard enabling data
transfers,” the Chamber said in a 2012 position statement.
But some say the chances that the program will remain intact are unlikely.
“Safe Harbor will have to change to survive,” says Eduardo Ustaran, a partner in the London office of Hogan Lovells International LLP,
a global law firm. “There were already serious concerns by politicians
and the private sector about the ability of Safe Harbor to do what it is
meant to do.”
Safe Harbor has been criticized for being too easy to disregard after
the initial certification and for not being enforced by the FTC. The EU
issued a report on the program’s shortcomings in late 2013.
Most concerns are related to supervision and enforcement.
For the first decade of Safe Harbor, there were almost no legal
proceedings or sanctions. “Safe Harbor has not gone down well in some
quarters in Europe,” Blackmer says. “It is sometimes referred to as ‘EU
privacy lite.’ ” For that reason, “whether the EU regulation goes
through or not, the EU has been pushing the U.S. to make changes.”
How to Prepare
While the EU final regulation and its impact on the Safe Harbor program
are not yet known, companies that already have good data privacy
practices in place will be better positioned to deal with new rules.
These practices include the following:
Know your data. Document what data you have, where it
resides and who has access to it, including third-party providers,
especially payroll processors. The proliferation of cloud-based
software-as-a-service for recruitment and other HR applications can make
this task more difficult.
“If you don’t know where your data is going, you can’t meet your EU,
HIPAA [Health Insurance Portability and Accountability Act] or any other
privacy obligation,” says Brent Hoard, manager for health information
privacy and security advisory at PricewaterhouseCoopers.
Have privacy governance in place. Written procedures
and policies should include plans on how to handle breaches. In a recent
survey of 567 U.S. executives, the Ponemon Institute found that 73
percent of their organizations had breach response plans, although 30
percent of respondents believed those plans were inadequate.
Designate a data protection officer. Select someone to
coordinate data privacy efforts across departments. “It needs to be
cross-disciplinary, and you need a senior person responsible for it,”
Bill Roberts is technology contributing editor for HR Magazine and is based in Silicon Valley.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
CA Resources at Your Fingertips
SHRM’s HR Vendor Directory contains over 3,200 companies