Data Safety and GDPR Compliance Your Mobility Program Can’t Ignore
Learn how the GDPR has shaped current data privacy obligations and data safety best practices to protect your mobility program.
Personal employee data is an indispensable asset to any business today but is especially critical for globally mobile organizations. Employee data is used in all aspects of the mobility process, from assignment administration to program management. Without necessary personal data, an entire mobility program would come to a standstill.
While globally mobile companies recognize the importance of their processed data, that recognition must also include the risks connected with processing and storing that data. Data security and privacy penalties shouldn’t be taken lightly, and measures to prevent breaches and data mishandling should be at the forefront of your mobility program policies.
GDPR, the gold standard for global mobility data compliance
Put into effect in 2018, the General Data Protection Regulation (GDPR) is the strictest privacy and security law globally. Though the European Union (EU) enacted it, it imposes obligations on organizations anywhere, so long as they target or gather data related to individuals in the EU. If your organization collects, uses, or stores personal data belonging to individuals (or their relations) located in the EU, it must comply with the GDPR’s privacy and security requirements.
The GDPR affords individuals increased rights over their data and personal information gathered and utilized by businesses. Organizations now hold a more significant responsibility to protect information belonging to their users, consumers, and employees.
If your business violates its privacy and security conditions, the GDPR will levy substantial fines that may reach millions of euros. In addition to costly penalties, mishandling data leaves your organization at risk of losing credibility and damaging employee trust.
The USA’s own GDPR: the California Consumer Privacy Act (CCPA)
Organizations with a presence in California are subject to the California Consumer Privacy Act (CCPA), which is a stateside equivalent of the GDPR. Like the GDPR, the CCPA regulates how businesses collect and utilize personal information and enforces financial penalties for noncompliance.
What does the GDPR mean when it says “personal data”?
A wealth of employee personal data is required to run a functional global mobility program. An employee’s personal information is necessary for virtually all aspects of the assignment lifecycle, from visa and immigration matters to cost estimate calculations and household goods transportation. Because GDPR compliance hinges on the protection and proper handling of an individual’s personal data, it’s imperative that global mobility specialists understand what information falls within the GDPR’s definition of “personal data.”
In Article 4, the GDPR defines “personal data” as:
“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Importantly, GDPR’s definition of personal data includes “objective” information, such as an assignee’s age, and “subjective” information, such as employee reviews and evaluations. Personal data isn’t confined to any singular format; video, audio, and photographic data may also include personal data.
Sharing employee personal data with your mobility program vendors and partners
As mentioned earlier, personal data is necessary for all phases of an assignment. Program vendors and partners will likely need access to personal data in order to facilitate service to your employees during their assignments. For example, relocation management partners will need an employee’s address, which is considered personally identifiable information, to transport household goods. Cost estimation calculations require sensitive employee tax information and may, in the case of Germany’s church tax, even necessitate special data such as religious affiliation.
When sharing required data, organizations must continue to uphold GDPR compliance with service providers and the providers’ agents. When assignees share their personal information with your organization, there’s an implicit trust that their data will be handled appropriately; this trust extends to responsible data handling by your third-party providers. It’s a best business practice to ensure your vendors and partners uphold data protection standards comparable to your organization’s, so that employees’ confidence in their data security is justified.
The information you provide to your third-party partners should be the minimum necessary to enable them to provide their services, and no more.
Data security and safety best practices for GDPR compliance
- Encrypt, anonymize, and pseudonymize any collected data.
- Collect the absolute minimum amount of data necessary.
- Ensure you communicate that employees may request copies of their collected data, request data deletion, or opt out of specific data collection.
- Provide transparent details about your data processing and collection methods “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child” (Article 12).
- Appoint someone in your business responsible for GDPR compliance, including assessing data protection policies and policy implementation.
- Establish a process to notify GDPR authorities and data subjects if data is breached or exposed.
- Where possible, proactively uphold GDPR standards if you intend to expand your mobility program abroad.
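The two practices above that a mobility team can enforce in code are data minimization for each vendor (the relocation partner gets the address, the cost estimator gets the tax data, nobody gets the performance review) and pseudonymization of the employee identifier before the record leaves the controller. The following is an added illustration, not code from this page or from Ineo; the vendor names, field allowlists, and employee record are constructed for the example.

```python
import hashlib
import hmac
from typing import Any, Dict, Set

# Constructed sample assignee record (not a real person). The controller holds
# the full record; each vendor must receive only the fields it needs.
EMPLOYEE: Dict[str, Any] = {
    "employee_id": "E-1042",
    "name": "Example Assignee",
    "home_address": "1 Example Street, Example City",
    "tax_id": "TAX-000-111",
    "religious_affiliation": "example",   # special-category data (church tax)
    "performance_review": "exceeds expectations",
    "assignment_country": "DE",
}

# Hypothetical vendors and their per-purpose field allowlists. The sets follow
# the page's examples: movers need an address, cost estimators need tax data.
VENDOR_FIELDS: Dict[str, Set[str]] = {
    "relocation_partner": {"home_address", "assignment_country"},
    "cost_estimator": {"tax_id", "religious_affiliation", "assignment_country"},
}

# Fields that directly identify the data subject and are never sent as-is.
DIRECT_IDENTIFIERS = {"employee_id", "name"}


def pseudonym(employee_id: str, key: bytes) -> str:
    """Keyed HMAC of the real ID. A vendor can correlate records for the same
    assignee, but cannot recover the ID without the controller's secret key,
    which is what makes this pseudonymization rather than plain hashing."""
    return hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise_for_vendor(record: Dict[str, Any], vendor: str, key: bytes) -> Dict[str, Any]:
    """Build the outbound record for one vendor: allowlisted fields only, plus a
    pseudonymous subject reference. Unknown vendors fail closed."""
    if vendor not in VENDOR_FIELDS:
        raise ValueError(f"no data-sharing agreement on file for vendor {vendor!r}")
    shared = {f: record[f] for f in VENDOR_FIELDS[vendor] if f in record}
    shared["subject_ref"] = pseudonym(record["employee_id"], key)
    return shared


def leaked_identifiers(shared: Dict[str, Any]) -> Set[str]:
    """Pre-send check: returns any direct identifiers still present in the
    outbound record (expected to be empty)."""
    return DIRECT_IDENTIFIERS & set(shared)
```

Rotate or segment the HMAC key per vendor if two partners must not be able to join their datasets on the pseudonym.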
The GDPR website offers a comprehensive checklist for compliance and suggested procedures if you seek additional recommendations. Partnering with global mobility specialists is also a great way to ensure your program practices the best data safety and security methods.
How does Ineo approach data safety and compliance?
At Ineo, we acknowledge our responsibility for your global mobility program’s data safety and security and continuously seek opportunities to provide services and tools to protect your organization and employees best. We ensure the confidentiality and integrity of our clients’ data above all else.
We regularly conduct penetration tests, vulnerability scans, and rigorous audits on our physically secured data centers. Biometric access controls safeguard our data centers, so only select employees can enter our data storage facilities. All data stored on our secure servers is encrypted in transit and at rest, including data backups. Ineo’s data centers are geographically dispersed across multiple locations to guarantee the safety and recovery of your information.
At Ineo, our industry experts are highly knowledgeable about treating data carefully. We construct our data security and storage methods around the security model known as the CIA security triad: confidentiality, integrity, and availability. “Confidentiality” means access to your information is limited to those authorized to see it, “integrity” guarantees that your information is reliable and accurate, and “availability” assures that authorized employees can reach your information whenever they need it.
Trustworthiness is at the heart of our global mobility software solutions
Globally mobile companies commit to their employees to protect their personal and confidential data. This obligation includes partnering with global mobility solution providers like Ineo, who understand the importance of data privacy and safety in their software and services.
Learn how Ineo can help your mobility program secure your employees’ valuable personal data and guarantee GDPR compliance.