Little more than two months have passed since the General Data Protection Regulation took effect, but the chief legal officer of a worldwide analytics and data management software company has already had some noteworthy surprises.

John Boswell, executive vice president and chief legal officer of the SAS Institute Inc., which is based outside Raleigh, North Carolina, said he spent six years preparing for the arrival of the GDPR, a sprawling new privacy and security law that applies to companies that process the personal data of people living in the European Union.

“It cost us millions of dollars in time and effort and energy,” Boswell said, noting that failure to comply with the new regulations could result in a fine of 4 percent of a company's worldwide revenue. For SAS, which has customers in 147 countries and reported $3.24 billion in revenue last year, such a fine would amount to more than $120 million.

|

Secret Shoppers

In the weeks after the GDPR was unleashed on May 25, Boswell wanted to test employees' readiness. He asked other lawyers at SAS to have their spouses or assistants call an SAS office and, posing as European citizens, request their personal data under the GDPR.

The law says European citizens are entitled to know what information a company has about them, how the company obtained that data and how its being used. SAS had established a program in which its employees were supposed to either refer people requesting their data to certain SAS representatives or an online resource that would provide the information being sought.

In other words, SAS had a system in place and employees simply had to follow it.

But that's not what happened.

“After we had done hours and hours of training, we did [the calls] and we were shocked at how poorly we did as a company,” Boswell said. “It showed us that although we did all this training, we weren't doing it right or we weren't as effective.”

While the results of the test were disappointing, Boswell used the experience as a teachable moment to “see where we missed the mark.” He said he plans to test another random sample of SAS's more than 14,000 employees at some point in the future.

“You can't assume that people are paying attention to the message you're sending out,” he added. “If you don't stress test it then you don't know.”

|

Employees Wield GDPR Sword

A second GDPR eye-opener came when some of the company's employees in Europe began leveraging the new law to get their hands on all the data that SAS had on them, including reviews and reports that upper management created without the intention of sharing it with the employees in question.

In some of the reports, managers identified employees who needed more training and others that could be fast-tracked for promotions.

“In Europe, there isn't generally the same right of discovery that there is in the U.S. But now, if you have a disgruntled employee, they can use the GDPR obligations to get all the data you have about them,” Boswell said. “And I don't think many people thought about the fact that the GDPR is a backdoor way of getting discovery in litigation with a disgruntled employee.”

So far, SAS hasn't seen any employee lawsuits bubble up as a result of the GDPR-required disclosures, but Boswell said he “sees the potential for us and for any other company that has employees in Europe.”

“Now you have to give a second thought to any document you create about an employee,” he added. “If you want to figure out who are your best employees, don't write that down.”

|

Silver Linings and 'Meaningless Work'

Not all of the GDPR-related revelations have been bad, Boswell said. For instance, he said the new law made him realize that his company's 52 subsidiaries were essentially handling human resources data in 52 different ways.

“This gave us an opportunity to get our arms around it,” he said. “And we will be more efficient in handling that data.”

As SAS works to streamline its HR data practices, Boswell eagerly awaits additional guidance from the EU Data Protection Authorities that enforce the GDPR.

Under the law, the definition of personal data is broad, encompassing everything from Social Security numbers to email and IP addresses. This means SAS has to jump through new regulatory hoops whenever it shares a bank of emails with another company to validate software, Boswell said.

“Over time, hopefully we will get a sense from the regulators in Europe as to what they care about and what they don't,” he said. “Right now, every company in the world is out of compliance with the GDPR in some way. The only question is how bad is OK?”