10 Jul What is this GDPR thing I keep getting notices about?
Privacy! That’s what. Specifically, the protection of privacy for citizens of the European Union and a few other countries. So, if you’re a business like ours, with clients that have plan participants and/or shareholders all over the world, you need to be compliant with the GDPR rules.
What does GDPR stand for? General Data Protection Regulation. The regulations were agreed upon in December of 2015 and the implementation date was May 25, 2018 (hence the recent slew of emails you’ve received from everyone).
Basically, the EU has established very strict rules about how its citizens’ personally identifiable information (PII) can be transmitted, stored and processed. In particular, it strives to eliminate the sharing and use of data for purposes not intended by the individual. In addition, the EU doesn’t think that we in the United States and other countries outside the EU have strict enough protections for PII, so it has implemented rules that require entities, such as Plan Management, to meet its standards of data protection. (If you have employees, contractors or consultants in any EU countries whose PII is handled outside of the EU, you should make sure the providers handling that PII are now GDPR compliant.)
What’s different about GDPR? The two main differences are: 1) the individual has more control over their data via opt-in, opt-out, and clear pathways to recover damages from a breach of GDPR, and 2) if there is a failure to comply, somebody is going to pay for it. The GDPR clearly establishes and divides responsibilities between what it calls “controllers”, “processors” and “sub-processors”.
The controller is the entity that gathers the PII from its employees, etc., and gets the employees’ opt-in. For example, if you are a company that has an equity benefit plan with participants in EU countries, when you gather the participants’ information to grant them awards, you must either ask them for their permission to store and transmit their data to a processor, or be able to show that you are doing so under some lawful basis, such as legitimate interest or the performance of a contract. The processor is a company that processes information for and about the plan and the participants (like us, Plan Management). If the processor is outside the EU, then the processor must be GDPR compliant. A sub-processor is any sub-contractor that a processor uses that has access to the PII for processing and, therefore, must also meet the requirements of GDPR.
For a look at the actual GDPR regulations, here is a link: https://gdpr-info.eu/
You may also have heard about the EU-US Privacy Shield. This is an agreement between the US and the EU under which a processor, such as Plan Management, must demonstrate compliance with the EU privacy protection rules and get certification from the U.S. Department of Commerce via the Better Business Bureau. PMC is proud to have recently become EU-US Privacy Shield certified.
If you have any questions about how GDPR or the EU-US Privacy Shield impact your equity plan participants or shareholders, feel free to give us a call or send us an email.
888-678-8729 or [email protected]