In the USA, Friday, May 25 will be the start of the Memorial Day weekend. Traffic, BBQs, opening of swimming pools, remembrances, and other events will highlight the weekend.
Friday, May 25 will also be the day the European Union’s (EU) General Data Protection Regulation (GDPR) will go into effect. This will last longer than any Memorial Day weekend event.
The GDPR extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It imposes new privacy regulations to give EU citizens more control over their personal information. This includes personnel records for non-EU based corporations that employ EU citizens at EU facilities.
In this era of data mining and online sites collecting your personal information without permission, a rule such as the GDPR looks good, but it could spell trouble for HR and IT managers at U.S. corporations that have operations in the EU. (One should note that the UK is also a signatory to the GDPR.)
Corporations with operations in the EU are recommended to have a Data Protection Officer (DPO). If the corporation’s core activities require regular monitoring of data subjects on a large scale or, as in the case of Germany, the corporation has at least 10 people handling automated processing of personal data, then a DPO is required.
Criticisms of the GDPR include the added administrative burden of hiring a DPO, ambiguous language regarding the handling of employee data, and that the GDPR cannot work in blockchain systems, as pseudonymous ID codes in blockchain may count as personal data. Further, some critics argue that the rule is static and needs to be dynamic to keep pace with technology.
What U.S. corporations with facilities in EU countries need to be aware of is that the GDPR imposes fines of 4% of gross revenue, compensatory damages, and penalties on entities that do not comply.
It will be interesting to see how the GDPR rolls out. Many U.S. corporations with facilities in the EU have already worked with their facilities in the EU to prepare for the GDPR. Those who haven’t are facing a quickly approaching deadline that has teeth.
Will such a directive come to the U.S.? That is difficult to say currently. But as privacy concerns in the U.S. continue to grow, it would not be outside of the realm of possibility for such a rule to find its way to the U.S.