The EU’s GDPR and its Impact on Multinational Employers

by Corporate Compliance Insights
June 13, 2016
in Featured, Leadership and Career

Four years in the making, the European Union’s (EU) General Data Protection Regulation (GDPR) represents the most dramatic change in EU data protection law since the current framework document, the Data Protection Directive, was adopted in 1995.  Once in effect, the GDPR will regulate the processing (e.g., collection, use, disclosure, transfer, storage and destruction) of personal data collected from, or about, every EU-based employee of a U.S. multinational for purposes of human resources administration.

This Q&A, between Corporate Compliance Insights’ Founder and CEO, Maurice Gilbert, and Philip Gordon, Co-Chair of the Privacy and Background Checks Practice Group at Littler Mendelson, provides U.S. multinational employers with some general background on the GDPR and its importance to global compliance efforts, identifies key compliance requirements and suggests practical steps to fulfill those requirements.

Maurice Gilbert: What exactly is the GDPR?

Phil Gordon: The GDPR is the EU’s new framework document regulating data protection.  The GDPR repeals and replaces the current framework document, the Data Protection Directive.  Because the GDPR is a “regulation,” under EU law, it applies uniformly in all 28 EU Member States without the enactment of any national implementing legislation.  As a result, the GDPR is expected to eliminate country-specific differences in data protection requirements that increase compliance burdens.

The GDPR is also designed to update the current data protection regulation to address the rapidly expanding digital economy by, for example, establishing the new right of data portability and right to be forgotten.

MG: Why is compliance with the GDPR important for U.S. multinational employers?

PG: Most fundamentally, the GDPR substantially increases the administrative fines that data protection authorities (DPAs) are authorized to impose.  The maximum penalty for most violations is the greater of 4 percent of worldwide gross annual revenue for the corporate group, or €20 million — even if the entity responsible for the violation is a subsidiary with only a few employees.  The DPAs are also empowered to bar data transfers from the EU to the U.S. parent corporation.

While the risk of these draconian sanctions for a U.S. multinational with a relatively small EU presence is low, the risk of an enforcement action under the GDPR will increase for at least two reasons:  First, the media attention surrounding the GDPR (as well as the Snowden leaks and the European Court of Justice’s invalidation of the U.S.-EU Safe Harbor Framework in October 2015) has heightened EU employees’ concerns about the collection, use and disclosure of their personal data locally and the transfer of their personal data to the U.S. parent corporation.  Second, the GDPR introduces mandatory notification to the DPA of a security breach.  Post-notification investigations by DPAs likely will examine the reporting entity’s overall compliance with the GDPR, not just the breach itself.

MG: What is the deadline for compliance with the GDPR?

PG: The compliance deadline is May 25, 2018.

MG: What are the GDPR’s key compliance requirements for the processing of employees’ personal data?

PG: The key compliance requirements include the following:

  1. Identify permissible purpose(s) for data processing: Under the GDPR, an employer (the local subsidiary or branch office) is prohibited from processing employees’ personal data unless the employer has a permissible purpose for doing so as defined by the GDPR.  While consent often is invoked in other contexts, the DPAs take the position that employees generally cannot validly consent to their employers’ processing of their personal data because of the hierarchical nature of the employment relationship.  Consequently, EU employers will be required to rely on other grounds, such as (a) the processing is required by local labor laws, (b) the processing is necessary for the performance of the employment contract or (c) the processing is necessary for the legitimate interests of the employer.  These grounds likely will be narrowly construed.
  2. Provide employees with a data processing notice: EU employers are required to provide a notice of data processing to employees when the employer first collects personal data from them.  The GDPR lists 10 required elements for these notices, including, for example, (a) the personal data to be collected, how it will be used and to whom it will be disclosed; (b) whether the personal data will be transferred outside the EU, to whom and why; and (c) how employees can exercise their individual rights under EU law.
  3. Establish procedures for employees to exercise their rights: The GDPR confers on all data subjects, such as employees, the right to access their personal data, to correct personal data that is inaccurate or incomplete, to object to the processing of their personal data and to request the erasure of their personal data (the “right to be forgotten”).  The GDPR prescribes specific procedures to implement these rights.  The EU employer must comply with those procedures regardless of whether the personal data falling within the scope of any employee’s request resides in the EU, the U.S. or elsewhere.
  4. Develop a written information security program and a security incident response plan: The GDPR requires that EU employers implement administrative and technical safeguards as appropriate to mitigate the risks to personal data, but it does not prescribe specific safeguards that must be implemented.  Nonetheless, the U.S. parent corporation should confirm that its EU subsidiaries are establishing and implementing a written information security program to reduce the likelihood of a security breach.  Under the GDPR, a data controller (i.e., the employer with respect to employee data) is required to report a breach to the relevant DPA within 72 hours of discovery.  The data controller also may be required to notify affected individuals by order of the DPA or if the breach is “likely to result in a high risk” of harm to affected employees.  Although the GDPR does not expressly require a security incident response plan, having one in place will help the local subsidiary respond more effectively to a security breach.
  5. Vet vendors and enter compliant vendor agreements: Under the GDPR, the data controller is required to vet vendors to confirm that they can (a) adequately safeguard personal data and (b) support the data controller’s obligation to fulfill requests by data subjects to exercise their individual rights.  In addition, the GDPR requires the data controller to enter into a service agreement that includes a long list of provisions bearing on data protection.  Either the local employer or the U.S. parent corporation on its behalf will be required to fulfill these requirements when they engage a vendor to process EU employees’ personal data.

MG: How does the GDPR affect transfers of EU employees’ personal data to the U.S. parent corporation?

PG: The GDPR establishes a cross-border data transfer scheme substantially similar to that under the Data Protection Directive.  In particular, the GDPR generally prohibits transfers of personal data outside the EU unless the recipient country “ensures an adequate level of protection” for the personal data.  If the European Commission has not issued an “adequacy determination” for a third country, the data exporter (i.e., the EU employer) must implement an approved data transfer mechanism unless an exception to the general prohibition applies.  The GDPR recognizes standard contractual clauses approved by the European Commission and “binding corporate rules” (a set of legally enforceable rules for personal data transfers within the corporate group) as acceptable data transfer mechanisms.

Another possible mechanism for transferring personal data of EU employees to the U.S. parent corporation may be the U.S.-EU Privacy Shield, which was negotiated to replace the now-invalidated Safe Harbor Framework.  However, the Privacy Shield will not be the subject of an adequacy determination by the European Commission until after EU data protection regulators complete their ongoing review.  In addition, this adequacy determination likely will be subject to litigation in the European Court of Justice.  Consequently, the Privacy Shield may not be a reliable data transfer mechanism for the foreseeable future.

MG: What else should U.S. multinational employers be doing during the two-year grace period?

PG: U.S. multinational employers should watch for guidance from EU regulators who have announced their commitment to issue supplemental guidance before the GDPR goes into effect.  U.S. multinational employers should also watch for changes in labor laws in response to the GDPR in the EU Member States where they have employees.  The GDPR’s harmonization does not override local labor laws.  Finally, U.S. multinational employers should consider to what extent and how they will extend the policies and procedures designed to comply with the GDPR to the personal data of employees located in countries outside the EU that have adopted broad data protection laws, often based on the EU model.

Philip Gordon is the Co-Chair of the Privacy and Background Checks Practice Group at Littler Mendelson, where he handles a wide range of employment issues with a focus on those related to workplace privacy and information security.