On April 16, 2016, the EU adopted the General Data Protection Regulation (GDPR), which largely rewrites and harmonizes the European legal framework of data protection. The new regulation will become applicable in May 2018, but given the scope and complexity of the GDPR, it is important to prepare for this legal change well in advance.
With the GDPR, there will be a substantial expansion of the territorial scope of the EU data protection obligations, which may impact U.S. companies and employers who were previously not affected by EU data protection rules. In determining its geographical reach, the GDPR considers not only the location of the processing, but also the location of the individual whose data is being processed. In this context, if your group of companies has one EU-based employee, the GDPR could be applicable to your organization. Note that the GDPR would also be triggered by processing personal data of EU-based customers.
If your group of companies has one EU-based employee, and it processes (i.e., collects, uses, transfers or electronically stores) personal data of this employee, the GDPR may apply. "Personal data" includes information that is typically considered personal, such as an employee's name, address, income details and medical condition, but also includes information not always considered personal, such as an employee's computer or device IP address, device identifiers, or other "unique identifiers." Even if you as an employer offer certain services that give you access to such personal data, such as an IT helpdesk, server access, etc., the GDPR could apply to you.
What Do I Need to Do?
First, you should determine whether your group of companies has EU-based employees or is otherwise processing information related to EU-based employees.
If you have EU-based employees and are processing such information, you should conduct an internal GDPR review to determine which department or which companies (e.g., IT help desk, HR, accounting, etc.) are in scope for GDPR compliance obligations, evaluate current compliance and gaps to be resolved by May 2018, and set up the necessary structure for compliance with the GDPR. The level of data protection in the EU is considered (by the EU) to be higher than in the U.S., and U.S. companies should be prepared for the disclosures, specific guarantees, and obligations under the GDPR. Depending on the circumstances, the GDPR will even require U.S.-based companies with access to personal information to designate a representative based in an EU country to act as the point of contact for the relevant data protection authorities. Given the technical and detailed requirements, companies may benefit from the use of targeted guidance.
The global reach of the GDPR calls into question its enforceability against U.S.-based employers. Violating the GDPR can result in penalties of up to 20 million euros ($22.38 million) or 4 percent of the annual worldwide turnover of the company (i.e., annual worldwide gross income), whichever is higher.
The GDPR will not apply until May 25, 2018, but the time for action is now. All HR departments and/or employers should carry out a data review and assess whether the GDPR is applicable and what impact it has on their activities in order to implement the necessary changes in time.
Bert Theeuwes and Saskia Lemeire are attorneys with Kelley Drye in Brussels. Dana B. Rosenfeld and Christopher M. Loeffler are attorneys with Kelley Drye in Washington, D.C. © 2017 Kelley Drye. All rights reserved. Reposted with permission of Lexology.