Europe, Boring Until it's Not

BjornP
Posts: 3360
Joined: Thu Dec 01, 2016 9:36 am
Location: Aalborg, Denmark

Re: Europe, Boring Until it's Not

Post by BjornP » Tue Apr 10, 2018 2:39 pm

If it's a directive, and not a regulation or law, doesn't that also mean there's more leeway in the extent to which each country can interpret it? As in, by design?
Fame is not flattery. Respect is not agreement.

K@th
Posts: 3513
Joined: Wed Nov 30, 2016 8:39 am

N

Post by K@th » Tue Apr 10, 2018 2:41 pm

Hastur wrote: The confusion is great and everyone is waiting in great anticipation for the first cases to be heard.
That's super. A regulation we are required to follow that nobody understands. What could go wrong?

You have to implement your compliance policies before we'll show you what the compliance policy is. ~Nancy Pelosi of Europe

I keep asking how someone's work email, employee ID and work email address can be considered personal information, though. Nobody has answered that to my satisfaction.
Account abandoned.

K@th
Posts: 3513
Joined: Wed Nov 30, 2016 8:39 am

Re: Europe, Boring Until it's Not

Post by K@th » Tue Apr 10, 2018 2:45 pm

BjornP wrote:If it's a directive, and not a regulation or law, doesn't that also mean there's more leeway in the extent to which each country can interpret it? As in, by design?
We can't do business in Europe unless we implement a program to strip away all this data within 30 days of the employee leaving. It's bizarre, because some of our projects take months, so an employee who asked for something to be done, and we go to do it, but now we have no idea who asked for it, because that person left the company two months ago.

Crazy.
Account abandoned.

Hastur
Posts: 5297
Joined: Wed Nov 30, 2016 2:43 am
Location: suiþiuþu

Re: N

Post by Hastur » Tue Apr 10, 2018 2:50 pm

Kath wrote:
Hastur wrote: The confusion is great and everyone is waiting in great anticipation for the first cases to be heard.
That's super. A regulation we are required to follow that nobody understands. What could go wrong?

You have to implement your compliance policies before we'll show you what the compliance policy is. ~Nancy Pelosi of Europe

I keep asking how someone's work email, employee ID and work email address can be considered personal information, though. Nobody has answered that to my satisfaction.
I don't think it is unless it can somehow be connected to something personal, like an address, payroll or phone number. You're not allowed to keep those entries after a certain amount of time. Just delete everything that is personal and connected to people you no longer do business with.

Do you not know, my son, with how little wisdom the world is governed? - Axel Oxenstierna

People never lie so much as after a hunt, during a war, or before elections. - Otto von Bismarck

nmoore63
Posts: 1881
Joined: Tue Jul 18, 2017 2:10 pm

Re: Europe, Boring Until it's Not

Post by nmoore63 » Tue Apr 10, 2018 2:52 pm

The point of written law ceases to be if people do not know beforehand what is being asked of them.

BjornP
Posts: 3360
Joined: Thu Dec 01, 2016 9:36 am
Location: Aalborg, Denmark

Re: Europe, Boring Until it's Not

Post by BjornP » Tue Apr 10, 2018 2:52 pm

Kath wrote:
BjornP wrote:If it's a directive, and not a regulation or law, doesn't that also mean there's more leeway in the extent to which each country can interpret it? As in, by design?
We can't do business in Europe unless we implement a program to strip away all this data within 30 days of the employee leaving. It's bizarre, because some of our projects take months, so an employee who asked for something to be done, and we go to do it, but now we have no idea who asked for it, because that person left the company two months ago.

Crazy.
From what I can google on the directive, the employee has no right to demand his data be deleted until at least five years after end of finished employment. :think: That's the limit to how long an employer can retain personal data on former employees (if we're talking hiring contracts, copies of timesheets, end of employment contract). At least according to a Danish accounting firm's site on the matter of the directive, I'm looking at right now.
Fame is not flattery. Respect is not agreement.

BjornP
Posts: 3360
Joined: Thu Dec 01, 2016 9:36 am
Location: Aalborg, Denmark

Re: Europe, Boring Until it's Not

Post by BjornP » Tue Apr 10, 2018 3:09 pm

Don't know if it will actually help you or what sort of guidelines or documentation your company's given you to work from, Kath, but this is the official site for the GDPR site, and the section dealing with how companies should respond to it:

https://ec.europa.eu/info/law/law-topic ... sations_en

Also did a brief search for a US firm advising on the GDPR and found this result:

https://www.whitecase.com/publications/ ... regulation
Fame is not flattery. Respect is not agreement.

K@th
Posts: 3513
Joined: Wed Nov 30, 2016 8:39 am

Re: Europe, Boring Until it's Not

Post by K@th » Tue Apr 10, 2018 4:31 pm

BjornP wrote:Don't know if it will actually help you or what sort of guidelines or documentation your company's given you to work from, Kath, but this is the official site for the GDPR site, and the section dealing with how companies should respond to it:

https://ec.europa.eu/info/law/law-topic ... sations_en

Also did a brief search for a US firm advising on the GDPR and found this result:

https://www.whitecase.com/publications/ ... regulation
So, it really is loosey-goosey
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
So, I suppose if the employee had put his employee number somewhere, for whatever reason, and some random person gets access to my system, and finds that number, they could theoretically compare the two numbers. It's a long way to get there, though.

Either way, I have 10 hours in this already, with easily 30 more to go to scroll through every table that has an employee ID, which is hundreds. I'm just one small system.

This is costing our company thousands of hours, I'll bet. What I have to do is nothing compared to what others have to do.

They should be very, VERY clear on what is PII, because nobody really has a great understanding if a work email address is PII, so we are caring for it, just-in-case.
Account abandoned.

BjornP
Posts: 3360
Joined: Thu Dec 01, 2016 9:36 am
Location: Aalborg, Denmark

Re: Europe, Boring Until it's Not

Post by BjornP » Tue Apr 10, 2018 4:42 pm

Hey, maybe if you hired Hastur's company, they could cut down on the manhours you guys need to process those requests? :P Quite frankly, as with so much coming out of the EU, I didn't even know it existed until you brought it up. Knew about general data protection rules, but not that they extended to what employers could store of employee data.
Fame is not flattery. Respect is not agreement.

Hastur
Posts: 5297
Joined: Wed Nov 30, 2016 2:43 am
Location: suiþiuþu

Re: Europe, Boring Until it's Not

Post by Hastur » Wed Apr 11, 2018 12:55 am

BjornP wrote:If it's a directive, and not a regulation or law, doesn't that also mean there's more leeway in the extent to which each country can interpret it? As in, by design?
It means it doesn't apply automatically and uniformly to all EU countries but all member states must implement it into their national laws before a deadline. In this case, the deadline is May 25, 2018.

Do you not know, my son, with how little wisdom the world is governed? - Axel Oxenstierna

People never lie so much as after a hunt, during a war, or before elections. - Otto von Bismarck