Following is part 2 of my conversation with Vasileia Lellou, attorney and global data privacy guru.
1. Do you see any major differences between employer actions in the EU vs. the US?
In the past, there was a huge difference between companies located in the EU vs. the US regarding data protection. After the implementation of the GDPR, US-based companies had to catch up with the practices applied in the EU. In particular, for international organizations this became a requirement, not only in order to protect personal data, comply with relevant laws and avoid fines imposed by the authorities, but also in order to protect the reputation and image of a company. Readers can follow this link for an overview of what GDPR is all about: https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp
Currently, the major differences between employers are mostly the size and nature of the business. Also, within the EU, there are differences when dealing with personal data depending on the country in which a company is based. Next to the applicable data protection regulations, the data protection authorities play an important role in the development of the data protection mentality in a country. But still, I would say that companies that deal with large amounts of personal data (employee or customer data) and, in particular, with sensitive data are more active in data protection matters.
2. We know the EU is more advanced on data protection regulations than the US – are there any new regulations that have been promulgated in the EU since Covid took over our lives?
This is right. The EU had to deal and comply with data protection regulations long before the US. That means that a lot of European countries and, especially Germany, were used to implementing data protection regulations and take privacy issues into consideration already before the implementation of the GDPR. Of course, not to the extent that this is done today.
I have been working in this field for more than 11 years and have seen a huge development. For example, in the beginning I had to explain what I did in my job. Nowadays most people know.
New regulations have been discussed and implemented in recent years, not only due to Covid, but also due to technological development. Digitalization demands new regulations in order to be able to protect personal data as far as this is possible.
Since Covid, there have been new local regulations at the national level. This was necessary in order to define how personal data related to Covid could be processed and when these data could be collected.
These regulations also defined for how long Covid data can be kept, where they can be transferred, who can process them, etc.
Of course, we were already processing sensitive personal data before Covid, but not to this extent. The limits have been broadened. Nowadays, the authorities need information in order to give guidance and take decisions. Employers, doctors and laboratories have to collect, keep and share vaccination and illness data. So, you can imagine that a large amount of health data is processed on a new basis. And for this, new regulations were needed. So new legislation, but also guidelines from the data protection authorities, have been issued.
3. What data privacy violation patterns are you seeing in your practice?
I am not sure I could call them patterns. What companies definitely struggle with are data breaches. Not only breaches due to technological failure, but also incidents that happen due to human mistakes. Most data breaches are caused by a wrong action of a human being (sending an email to the wrong recipients, granting access to an unauthorized person, etc.). A data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. I strongly believe that each and every company needs good employee training in order to raise data protection awareness and protect the security of data.
4. What challenges are employers struggling with the most? What solutions do you suggest?
I have worked with numerous companies in various jurisdictions globally. The most common challenge in data protection is knowing your data and data flow. Lots of companies do not have a clear picture of the personal data that they process, where these data are stored and how long they should be kept.
So, my recommendation, and first step, would be to identify your data.
The ideal way would be to define a team with key persons from all departments, especially HR, IT and sales. Then identify the tools that process data and the non-IT processes related to personal data (e.g. paper HR files). Analyse which categories of data are processed, by whom and for which purposes, where data are kept, for how long, who has access, how data are protected (technical measures), and assess the data protection risks. I realize that this procedure demands time and resources, which also produces costs, but after a good data mapping it is much easier and faster for employers to head effectively towards compliance and also be able to demonstrate that they are taking effective compliance steps (accountability principle).
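The data mapping exercise described in this answer (which tools hold which categories of data, for which purpose, for how long, who has access, which technical measures apply, and what the resulting risks are) can be kept as a small structured inventory and checked automatically. The following is an added illustration, not code from the interview or from any real company: the records, system names, role names, review date and the "special category" set and access threshold are all constructed assumptions.

```python
"""Minimal data inventory ("records of processing") with a retention and
access-risk check. Added illustration; every record, system name, role name
and threshold below is a constructed assumption, not data from a real employer."""
from dataclasses import dataclass
from datetime import date, timedelta

# Special categories of personal data (health, biometrics, etc.) get stricter
# checks. This set is an assumption for the example, not an exhaustive legal list.
SPECIAL_CATEGORIES = {"health", "biometric", "religion", "trade_union", "ethnicity"}

# Above this many roles, access to special-category data is flagged as too broad
# (a constructed threshold; set it to whatever your own access policy allows).
MAX_ROLES_FOR_SPECIAL = 2


@dataclass(frozen=True)
class ProcessingRecord:
    name: str                 # what the data set is
    system: str               # tool or non-IT process holding it
    department: str           # owning department
    categories: tuple         # data categories processed
    purpose: str              # why it is processed
    retention_days: int       # how long it may be kept after collection
    collected_on: date        # when this batch was collected
    access: tuple             # roles with access
    encrypted_at_rest: bool   # technical measure in place?


@dataclass(frozen=True)
class Finding:
    record: str
    issue: str


def is_special_category(record: ProcessingRecord) -> bool:
    """True if the record processes any special category of personal data."""
    return bool(set(record.categories) & SPECIAL_CATEGORIES)


def retention_deadline(record: ProcessingRecord) -> date:
    """Last day the data may be kept under the record's retention rule."""
    return record.collected_on + timedelta(days=record.retention_days)


def assess(inventory, review_date: date):
    """Run the data-protection risk checks over every record in the inventory."""
    findings = []
    for r in inventory:
        if review_date > retention_deadline(r):
            findings.append(Finding(r.name, "past retention"))
        if is_special_category(r):
            if not r.encrypted_at_rest:
                findings.append(Finding(r.name, "special category data not encrypted at rest"))
            if len(r.access) > MAX_ROLES_FOR_SPECIAL:
                findings.append(Finding(r.name, "broad access to special category data"))
    return findings


def systems_holding(inventory, category: str):
    """Data-map view: which systems hold a given category of personal data."""
    return sorted({r.system for r in inventory if category in r.categories})


# Constructed sample inventory for a fictional employer (all values invented).
INVENTORY = (
    ProcessingRecord("Employee master data", "HRIS (fictional)", "HR",
                     ("name", "address", "bank_account"), "payroll",
                     3650, date(2015, 1, 10), ("HR",), True),
    ProcessingRecord("Covid vaccination status", "Shared spreadsheet", "HR",
                     ("name", "health"), "workplace access rules",
                     180, date(2021, 6, 1), ("HR", "Line managers", "Reception"), False),
    ProcessingRecord("Paper HR files", "Paper archive", "HR",
                     ("name", "performance_reviews"), "employment administration",
                     1825, date(2020, 1, 15), ("HR",), False),
    ProcessingRecord("Newsletter subscribers", "Marketing SaaS (fictional)", "Sales",
                     ("email",), "marketing",
                     730, date(2019, 9, 1), ("Sales", "Marketing"), True),
)
REVIEW_DATE = date(2022, 3, 1)  # constructed date of the review

if __name__ == "__main__":
    for f in assess(INVENTORY, REVIEW_DATE):
        print(f"{f.record}: {f.issue}")
    print("systems holding health data:", systems_holding(INVENTORY, "health"))
```

Run as a script it lists two data sets kept past their retention period and flags the vaccination spreadsheet twice more (no encryption at rest, access for three roles), which is the kind of output the "assess the risks" step produces once the inventory exists; the same inventory also answers the data-map question of where a given category lives.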
5. If an employer is headquartered in the US and has operations in the EU, do they have to follow the EU data privacy regulations?
The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.
US companies must comply with the GDPR also if the processing of personal data of data subjects who are in the EU takes place by a controller or processor not established in the EU, if the processing activities are related to the offering of goods or services or the monitoring of their behaviour, as far as their behaviour takes place within the EU.
So, the answer would be yes for the EU operations and also for the US HQ if the processing activities are related to the offering of goods or services or the monitoring of behaviour within the EU.
6. Do you have any suggestions for employers that are making remote work a permanent feature of the employment relationship?
The Covid era showed a lot of businesses that remote working is possible and, in some cases, it is also preferred by the employer or even the employee. I keep reading studies indicating that remote working will be the new reality also after Covid.
My suggestion for employers from a data protection perspective, would be to map their personal data flows in order to have a good basis for the implementation of any necessary measures.
Next to that, it should be made sure that they cooperate with providers that keep high IT standards and ensure data protection compliance requirements. Especially in a digital environment, this is really important for the safety and security of employee data but also of business data.
7. Speaking of remote work, what should employers be doing to protect data privacy in the remote environment?
Invest in IT, follow the principles of privacy by design and default
Use state-of-the-art tools
Cooperate with “serious” partners
Consult a data protection specialist
Have excellent data access management
Ensure cyber security
Define and implement policies
Train employees on the policies