How does GDPR affect cross-border employment?

Back to News

GDPR is an EU regulation that obliges organisations to protect personal data and privacy of EU citizens. On the surface, this important legislation may only seem relevant for businesses which operate within the EU, however, even if your business is based outside of the EU you might still need to ensure you’re compliant.

What is GDPR?

General Data Protection Regulation (GDPR) introduced new data protection responsibilities for any organisation that collects the personal data of EU residents. The legislation gives people new rights and more control over their information, including the right to withdraw consent and opt out of receiving communications.

The legislation, introduced in May 2018, applies to organisations that process EU resident’s data. This includes companies outside of the EU that offer goods or service to EU residents.

Fines for non-compliance are hefty; €20 million or 4% of global revenue - whichever is greater.

Why does it exist?

GDPR exists due to public concern over privacy and companies losing their data. It replaces the previous EU Data Protection Directive from 1995, a time before the internet and operating online. The old legislation didn’t address how data is stored, collected and transferred in today’s modern world, so change was necessary. Companies now need to consider whether the way they store personal data is compliant, ensuring there are sufficient measures to protect people’s information.

Studies have shown there is growing concern among the public over data breaches and hackers getting hold of their personal information, such as email addresses, passwords and bank account details. This means there is a rising need for businesses to monitor and protect people’s data in our increasingly digital world.

How does GDPR affect non-EU countries?

Companies that store or process personal information about EU citizens need to comply with the legislation, even if they do not have a physical presence in the EU.

If you are a business outside the EU, you need to be GDPR compliant if you process personal data by:

• Offering goods or services to people in the EU and/or
• Monitor the behaviour of these people as far as their behaviour takes place in the EU (e.g. you employ people in the EU)

If this sounds like your business, you need to seek advice and take immediate steps to become compliant.

My business is based in the USA: do I need to be compliant?

As mentioned above, just because your business is based outside the EU doesn’t mean you are safe from GDPR constraints.

If you employ staff in the EU but your base is in the USA, you still need to be compliant in how you collect your remote workers’ data, such as addresses, emails and credit card details.

What to do next

You can take steps to minimise the risks associated with GDPR by working with a Global Professional Employer Organisation Service (PEO) in the EU, like us.

We provide full professional employer services to our clients. This means that we become the legal employer of record for your employees and consultants across the globe. As the legal employer, we are authorised to collect your remote employees’ personal information and ensure it is GDPR compliant.

We can help you to adhere to GDPR and other local employment regulations across the world, allowing you to expand your operations and maximise your service offering.

So, if you have EU citizens on your payroll get in touch with us today to see how we can help your business thrive, while remaining within EU legislation.