One of the biggest stories from the first half of 2018 was the implementation of the European Union’s General Data Protection Regulation (GDPR). For U.S.-based companies, there’s a strong temptation to throw your hands up and say, “So what?” But the main thrust of GDPR’s policy is personal as opposed to geographic. In other words, the GDPR provides protections to individuals, specifically EU citizens, no matter where they are or where their data are kept.
The regulation is complex, but at its core, it’s about regulating how the data of EU citizens are collected and stored. Companies that have or want any economic ties to the enormous EU market need to be aware of its impact.
A Reach Beyond the European Union
“GDPR’s reach only technically extends to the EU, but it will also impact U.S. employers that have personnel within the EU or that have a location within the EU,” as one expert puts it. In light of these changes, some employers, including Microsoft, are choosing to adapt their protocols worldwide.
Some experts argue that the provisions of the GDPR may eventually become universal and not limited solely to the European Union. That’s because big international companies don’t want to adhere to two complex regulatory standards, and many find it less burdensome to adopt the stricter standard than to maintain separate policies for each.
A parallel example can be seen in automotive companies choosing to have all vehicles adhere to California’s strict fuel economy standards rather than having two separate versions of each vehicle.
Responding to GDPR
For multiple reasons, American companies should make sure they are well-versed in the requirements of the EU’s GDPR. For one, they may have European employees or business units located within the European Union. Additionally, it’s possible that what now seems like a high-bar standard for personal data privacy may soon become the norm in a large part of the world, including the United States.
In a follow-up post, we’ll talk about some specific concerns facing American HR departments with respect to the GDPR and what they should do to address them.