The European Union’s (EU) General Data Protection Regulation (GDPR) went into effect on May 25, and its impact reaches across the pond to many U.S.-based businesses that collect, use or store data from EU residents.
Many U.S.-based companies are still trying to figure out whether the regulation applies to their organizations. More than half (52 percent) of 400 U.S.-based companies surveyed by The Computing Technology Industry Association in April of this year reported that they are still exploring the applicability of GDPR to their businesses, have determined that it is not a requirement for them or are unsure. Of the remaining businesses, only about one in four (27 percent) said that they are fully compliant—and that was just one month shy of the deadline.
Although the rule does not directly address 401(k) or other benefit plans, it should be of particular interest to plan sponsors because of the personal information that their organizations and service providers possess for each participant. Even U.S. companies that do not have any EU employees or clients, and do not market to EU residents, may still want to consider following GDPR guidelines because many experts believe that the regulation will eventually become the standard for data privacy across the globe.
Here, we will explain the main points of GDPR and what it means for benefit plans.
What is GDPR?
The EU passed GDPR in April 2016, and the rule is effective as of May 25, 2018. It updates and unifies the 28 implementations from the 1995 Data Protection Directive and gives EU citizens unified and broad control over their personal data and information. It sets new, stricter standards of accountability for companies that collect, process and use data gathered from EU citizens. There are also strict breach notification and data documentation requirements. In addition, EU citizens can ask an organization how their personal information is used, stored, protected and transferred.
Do U.S. Companies Need To Pay Attention?
It depends. GDPR applies to every organization that houses personal data of, provides products or services to or markets to EU residents. Companies do not necessarily need to have a physical presence in the EU; if they have EU resident data, the rule applies. For example, if a U.S.-based plan sponsor has employees who are EU citizens living in the U.S., GDPR applies to that company. If a company collects information from EU citizens via its website, GDPR applies to that company.
Additionally, companies will now be responsible for showing that they are complying with the regulation—or face severe penalties. For instance, certain organizations that do not report a data breach within 72 hours of discovery can face the maximum fine of up to four percent of their global annual revenue or €20 million, whichever is greater. GDPR can also force an organization in violation of its rules to stop collecting personal data. There are many factors that will impact the level of penalty.
What Is Considered Data Under The Rule?
The definition of data under GDPR is rather broad. The regulation says “personal data” means any information relating to an identified or identifiable natural person. That means any kind of information that can identify a person either directly or indirectly. This includes email addresses; pictures on Facebook or other social media websites; browser cookies; human resource information that connects names to job titles; and internet searches and other online activity that can be traced back to the user.
Benefit providers or plan sponsors need to understand what data they have and how it is used by the organization so it can be identified, monitored and protected. Further, organizations will need processes in place to respond to data subject access requests, such as the right to be forgotten.
It is important for plan sponsors to understand that GDPR requirements extend beyond data stored at their companies; GDPR requirements cover data collected and stored by an organization’s service providers, as well as any sub-contractors. Organizations need to determine the types of personal data they store, where it resides, who can access it and what it’s being used to do. Recordkeepers, plan attorneys, consultants, payroll companies and third-party administrators are the types of service providers who may have access to personal data. The organizations engaging these service providers have obligations under GDPR and should be thinking about how to structure or amend contracts to address standards for data collection, storage and use.
What Are Individuals’ Rights Under GDPR?
One of the main tenets of GDPR is that EU residents have certain rights related to their personal data. Companies must ascertain an individual’s consent to use their data. In addition, companies must inform individuals, in clear and plain language, of their rights to their personal information, including the right to know what of their data the organization is storing and why the organization is storing it and the right to be notified of a breach. Under Article 17, individuals have the right to request to be forgotten (deleted) from an organization’s records and systems.
Insight: Data Protection Is a Core Competency
Successful businesses must constantly respond to new threats, and in today’s environment, cyberattacks and data breaches have emerged as a high priority for businesses of all sizes. While GDPR has raised the stakes and codified the requirements for data handling and protection for many companies, it is simply the next step in what will be an evolving journey for companies and regulators.
Regardless of whether GDPR applies directly, plan sponsors have a fiduciary responsibility to act in the best interests of their plan participants. In addition to creating significant legal liability to plan sponsors, data breaches can pose a major threat to participants’ financial well-being and peace of mind. Conducting careful reviews of procedures used by the company or its providers to collect, store and use personal data should be an essential part of a company’s retirement plan and benefits offering.
Building data privacy considerations into business functions is a competency that organizations must develop and continually strengthen.
Warren Averett is an independent member of the BDO Alliance USA. This article was borrowed with permission from BDO USA, LLP.