“What’s in a name?” Juliet mused to Romeo centuries ago. While Shakespeare’s question is still profound, in the 21st century we’re far more likely to ask, “What’s attached to a name?” – what personal data related to my health, or finances, or friends and family, is being shared electronically, by whom, with whom? It’s that question, rather than the Bard’s, that currently has all the world a-buzz.
Enter the General Data Protection Regulation (GDPR), the European Union (EU) regulation on data protection and privacy. Significantly, GDPR has sharp teeth: every business operating in Europe, or that processes the personal data of people in the EU, has had to sit up and take notice. Rest assured Northern Light is paying attention.
There is a lot of publicity about huge fines against companies for GDPR violations. For example, Google was fined €50 million by the French regulator for failing to disclose adequately what data Google collects from users of Android mobile phones. (Google spread the information across several online documents instead of putting it all in one place.)
The only personally identifiable information Northern Light processes is the names and email addresses of client employees, and this category of data has so far carried a low risk of major GDPR fines. A recent review of 560 publicly disclosed fines levied by data protection regulators under the GDPR and related data regulations since the GDPR took effect found that not one of them involved processing only employee names and email addresses. Every fine that did involve employee data was for something else: disclosure of employee health or financial records, monitoring employees at work with cameras or GPS trackers, defective employee agreements, collecting personal information without a valid business purpose, or reading employees’ private email without their knowledge.
Northern Light performs none of these activities on behalf of clients. The one case even loosely related to what we do for clients drew a $500 fine (not a typo: five hundred dollars), imposed when a company failed to respond in a timely manner to an employee’s request for the personal information the company held about them. Had that company been a Northern Light client (it was not), its portal administrators could have looked the employee up in the portal’s statistics section and answered the request immediately.
Of course, the fact that GDPR regulators have shown little interest in pursuing fines over the type of employee data Northern Light processes does not mean we can be lax in our practices. Rather, we have to maintain our commitment to industry best practices to protect the personally identifiable information in our care and to enable our clients to avoid regulatory issues. This involves diligent attention to data security, EU-US Privacy Shield certification, and GDPR-related features in the SinglePoint application such as instantly available reporting and support for “the right to be forgotten.”
So speak not of roses still smelling sweet regardless of what they’re called; speak instead of personal data security and privacy protections – and you’ll keep corporate compliance officers and government regulators off your back, and your company’s money in its pocket.