OK, this one is kind of a (really) big deal!  If you're asking yourself, "what the heck is the GDPR?" then we are here to catch you up. If you're saying, "heard of it, but not sure what to do," you're not alone.

What is the GDPR?

The EU GDPR (General Data Protection Regulation) is a law (as of 25 May 2018) designed to drastically enhance data protection for EU residents and provide a consolidated framework to guide business usage of personal data across the EU, replacing the patchwork of existing regulations and frameworks. The 200-plus page GDPR replaces the 20-year-old EU Data Protection Directive (95/46/EC). There are some additional things that came before it that have set the stage like the U.S.-EU Safe Harbor and EU-U.S. Privacy Shield,but the GDPR is much larger in scale and very severe in terms of financial consequence.

There is a level of depth and breadth that makes it feel a bit overwhelming. Additionally, the GDPR comes with significant penalties for non-compliance - fines up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year (whichever is higher), and fines can be imposed for breaching the data protection principles but also for failing to have the correct administrative procedures in place - i.e. failing to report a breach, which can attract an additional fine of up to €10 million or 2 per cent global turnover, whichever is greater.

In the case of Equifax, the article below mentions that, "Given the resources available to an organisation the size of Equifax, I doubt the ICO would hold back in issuing a significant fine here. Up to 4% of its $3.1 billion turnover amounts to $124 billion or €106 million."

In the case of Deloitte, which took nearly a year to discover and disclose the breach, the "~~ lack of appropriate security measures could lead to a maximum fine of $1.56 billion but in addition there could also be a fine in relation to failing to report the breach of up $78 million."

If you are looking for a good resource to get a deeper understanding, try "TRUSTe's Essential Guide to the GDPR." To reference some important points from this guide:

  • The GDPR protects the personal data of individuals (PII), which includes anyone physically residing in the EU, even if they are not EU citizens.
  • By defining the scope of the GDPR to include monitoring the behavior of individuals, the applicability is broad. Practically every website and app tracks digital activities of its visitors in some fashion.
  • The GDPR now extends due diligence obligations and potential liability to data processors, not just data controllers.
  • The GDPR defines personal data fairly broadly. For example, business contact information, such as an individual’s work email address, is typically covered by the GDPR.

The GDPR also does not just apply to EU- based companies—it will impact companies across the world. It applies to any company that has any level of PII on someone (an employee), and all suppliers and sub-suppliers down the chain.

In a Worldwide Employee Relocation Council webinar, the question was asked, "Where are you relative to preparedness for GDPR?" and there were two answers:

  1. About 40% are working on a preliminary plan (a few have not even started a plan)
  2. About 60% have a plan but most have not started implementation

So, while no one seems to have this completely dialed in, many companies are in the process of assessing risk and creating awareness (like data mapping, performing risk assessments, and developing privacy policies and procedures), and others are designing and implementing operational controls (like getting cookie consent, incorporating various notifications and other consents, and addressing cross-border data transference). The next phases will be to manage and enhance those controls (think Data Protection Impact Assessment or DPIA and breach responses) so that ultimately the company can demonstrate ongoing compliance (think certifications, reporting, and resolving disputes). 

Andy Kubitschek VP of Technology here at Plus Relocation, advises that, "The need for mobility teams to understand GDPR and how it impacts the data they share and expectations they impose on their RMCs is critical. Global mobility teams, relocation management companies and all the downstream supply chain, must understand their obligations, responsibilities and requirements, and then build out a process that is GDPR compliant."