GDPR: Regulation with Wide Reach and Deep Consequences

By Cara Murray, Assistant Vice President, Alliant

Multinational companies are currently, or should be, preparing for the European Union’s General Data Protection Regulation (GDPR) to go into enforcement on May 25th 2018. The GDPR is replacing the EU’s prior information protection regulation, the Data Protection Directive, continuing the European Union’s strict requirements for organizations that collect and use information of EU citizens. On the whole, the regulatory regime in the EU is designed for the benefit of information subjects – the people whose information is being collected, used and stored.

The updates included in the GDPR are based on both the continued evolution of data-collecting technology and data usage, and the evolving regulatory regime relating to data around the world.

One of the major provisions of the GDPR is its applicability to any organization maintaining or processing data of individuals residing in the EU regardless of the location of the company itself. As data can move easily across borders, it is quite common for information to be processed outside of the region where it was collected and where its subject resides; this regulation now asserts that jurisdiction follows the data wherever it goes when it pertains to EU citizens.

From an information risk perspective, the following two provisions may be the most significant.

While the EU is widening its jurisdiction through the GDPR, it is also narrowing its notification windows; the regulation requires organizations to notify regulators of a breach within 72 hours of first awareness of the breach event. Once the enforcement period starts, companies will need to have a clear plan in place regarding how to provide notification when they discover a data breach event, because they will not have time to learn through experience.

And the biggest headline-making aspect of the GDPR: companies can be fined up to 4% of annual global turnover or €20M (whichever is greater) for serious data-related infringements. The penalties are set up on a tiered basis, so more basic violations such as notification failures or record-keeping errors could be subject to fines of 2% of annual global turnover. That said, these are serious penalties, designed to push companies to actively obtain and maintain compliance, and with the teeth to seriously punish those who fall out of compliance.

At this very high level of review, it is clear the GDPR has significant potential impact for organizations around the world that in one way or another maintain information about EU citizens. With enforcement still on the horizon, it remains to be seen if that potential impact holds up in practice.

The suspension of EEO-1 pay data reporting requirements does not mean U.S. companies are off the hook for pay disparity

By: Kamy Vacca, Senior Vice President, Alliant

At the end of 2016, new guidelines were passed requiring U.S.-based employers to review the pay of all employees and to report on wage disparities in their EEO-1 reports beginning in March 2018. Many employers viewed these new requirements as overly burdensome. Apparently the White House agreed, suspending implementation of the rules, much to the relief of most U.S. companies, who felt this requirement would not adequately reflect the reasons for any pay gaps. Companies would have been required to report W-2 wage information for every employee, along with specific salaries divided up into 12 pay bands. What this report did not require were specific qualifications such as education, experience, productivity, performance and other measures that are utilized to determine individual compensation. The new guidelines would have required employers to modify the wages of those within each pay band who were underpaid, as salaries could not be reduced for those who received higher salaries.

The suspension does not mean that companies cannot still be found to be in violation of the Equal Pay Act or, for multinational companies, of the laws of other countries, such as the UK.

Multinational companies based in the U.S. with subsidiaries in foreign jurisdictions must comply with the local laws. The Equality Act of 2010 in the UK requires reporting by the end of March or April of this year, depending on whether the company is public or private. Those reports are starting to be published and we have seen at least one lawsuit against Tesco, in excess of $5 Billion. Link below:

Should the U.S. proceed with the new EEO-1 reporting requirements, companies could see lawsuits arising out of various violations of the Equal Pay Act, discrimination, and other alleged employer wrongdoing. Publicity over non-compliance, or over apparent inequality in pay, may also lead to reputational damage. The EEOC and state agencies may choose to use such disclosures as the basis for class action activity as well.

Many companies had already begun the evaluation process. At this point, companies may consider attempts at closing or reducing the gap before being required to disclose any inequality, which would obviously help with results.

It may be time to take a look at your EPL Policy and review some of the policy provisions to ensure you are adequately covered. Below are some questions to consider:

Does your EPL Policy have express coverage for back pay? This could be an element to consider if disparate wages must be adjusted upward, particularly if a court may require the employer to make up for prior underpayment of wages.

Does your EPL Policy have true worldwide coverage or is the worldwide coverage limited by having a requirement that claims have to be brought in the U.S.? This is significant right now as the U.K.’s pay disclosure requirement is coming into effect.

There are numerous other insurance issues that may be implicated in regard to pay inequality. A review of all potentially applicable insurance policies is certainly warranted at this time, even if the current legislation has been put on hold.