Does your company control or process personal data of employees residing in the European Union? If so, be aware of the upcoming implementation of the General Data Protection Regulations (GDPR). The deadline for complying with this considerable change in law is May 25, 2018. If your company hasn’t done so already, it’s time to get to work on this. Considering the monumental size of potential penalties for failing to comply, every company with people in the EU needs to be thinking about the GDPR.

The GDPR significantly expands the jurisdiction of the EU’s data privacy regulatory framework to companies processing or controlling the personal data of employees or other individuals residing in the EU -- regardless of the company’s location.

Under this new regime:

  • Many employers will have to do data protection “impact assessments” before processing data.
  • There will be tougher rules on obtaining employee consent to process and share personal data.
  • Some employers will have to appoint a data protection officer.
  • Employees will have greater rights with respect to access and control of their personal data.
  • There will be stricter record keeping requirements on employers.
  • There will be stricter employer reporting obligations to the data protection authority(ies).
  • There will be significant penalties for committing a breach, including up to 4 percent of annual global revenues or €20 Million (whichever is greater).

The Bottom Line: There is still time for impacted companies to bring themselves into compliance with the applicable requirements, but May 2018 is fast approaching. Companies covered by these regulations should not delay in getting familiar with them so that the company can take any necessary remedial action as soon as possible. Failure to do so could expose the company to significant penalties—the greater of 4 percent of global revenue or €20 Million.