Podcast: Why the EU's General Data Protection Regulation Matters for US Employers
On May 25, 2018, the European Union's new General Data Protection Regulation (GDPR) takes effect, bringing about the most significant change to European data security in more than 20 years. For the first time, data breach notifications will be mandatory for employers in all 28 EU member states. And that's not all.
On this podcast, Littler Mendelson employment attorney Philip Gordon, who co-chairs the firm's Privacy and Background Checks Practice Group, examines what the GDPR means for US businesses. Gordon cautioned, "Anyone who markets products over the web will have reason for concern and will have to look at their website privacy policy."
According to Gordon, some other key warnings regarding the GDPR include:
- Any US company with employees in the EU will need to address the GDPR (even a small business with a sales representative in Europe);
- Any US company that offers products or services to EU residents is covered by this new privacy regulation; and
- Covered employers must provide notice to their local supervisory authority within 72 hours of first becoming aware a data breach.
Gordon also noted that EU regulators view consent very narrowly. "They believe employees cannot freely give consent because of the hierarchical nature of the employment relationship," he said. "They'll feel like they are forced to agree to keep their jobs." That means US employers cannot evade the GDPR by having employees sign opt-out agreements. Instead, Gordon stressed that employee consent to share individual data must be unambiguous.
