GDPR privacy updates flooding inboxes, confounding organizations in U.S.

Thank GDPR if your e-mail inbox is flooded with privacy notices from everyone from the big guys such as Twitter, Facebook and Google to small sites you’ve long since forgotten about visiting. 

Thank GDPR if your organization is struggling to figure out how to comply with the European Union’s General Data Protection Regulation. The giants are struggling, too. Google, Facebook, Instagram and WhatsApp were the first to face privacy complaints under GDPR. Other companies, such as Pottery Barn and the Los Angeles Times simply suspended interactions with EU countries.

And if you’re having trouble deciphering all of this and what it means to you, you’re not alone. Though the sweeping privacy law was approved two years ago, with 11 chapters and 99 articles over nearly 90 pages of dense text, it’s a lot to decipher for even the most sophisticated privacy professional. And that’s just the EU portion of it. The EU’s 28 member states can enact laws that expand the regulations.

As a result of the complexities involved in understanding and implementing GDPR requirements, more than half the companies covered under the law didn’t expect to be compliant by the May 25, 2018 deadline, Burnette Shutt & McDaniel attorney Jax Pavlicek says. She’s also a privacy professional and co-chair of Columbia’s International Association of Privacy Professionals KnowledgeNet Chapter.

As a privacy attorney in Columbia, SC, she’s poised to help U.S. companies with the new European privacy law.

GDPR’s goal is simple: give people more control over personal data. It establishes eight core rights, including the right to be informed of how the data is used and the right to access the data,. It also establishes the right to have data corrected or erased.

On the business side, GDPR covers establishments controlling or processing data located in the EU. It applies to for-profit and non-profit organizations operating outside the EU if they offer goods or services to EU data subjects or monitor their behavior.

Companies with even a small presence must comply or run the risk of steep fines.

The impact on employers can be significant, too, Pavlicek said. As part of standard operating procedure, business hold  employee’s biographical, demographic, financial and health data and more. That information also is frequently collected on consultants, independent contractors and gig economy workers with an organization.

U.S. businesses and GDPR compliance

Under GDPR, companies must make sure everyone consents to data collection and processing — even employees. They must notify employees of the type of data and the length of its storage. The notification must also advise employees of their rights to access the data and to ask that it be erased.

The first step for organizations working toward compliance is to inventory the data they hold.  This is frequently the most cumbersome step on an organization’s journey to compliance with privacy laws, including GDPR.  The inventory also examines where an organization’s data about individuals originated, where it’s stored and how it’s shared, Pavlicek says. It’s also important to craft a privacy notice in clear, plain language to ensure individuals understand what happens with their information.

There are various steps that an organization must take to achieve compliance. Part of that process includes making sure employees handling protected data are trained to follow the organization’s data protection policies.

Pavlicek is poised to help businesses in Columbia and beyond determine which privacy laws they must comply with. She also can help them assess whether they need to make changes to comply with GDPR. She also can assess an organization’s overall data policies and procedures and recommend changes. Contact her at 803.904.7914 or at jpavlicek@burnetteshutt.law if you need help.