There has been a lot of talk the past year about data protection with breaches happening a more alarming rate than ever. Once your company passes one data hurdle, there seems to be another on the horizon.
The Mobility industry has particular reason to be attentive to the issue of personal data security, as we are entrusted with handling the personal data of tens of thousands of globally mobile employees, including their banking information, EID numbers and the like, across a multitude of platforms and service providers. Related to this, most companies are now aware of a regulation within Equtip known as “GDPR” which goes into effect in 2018 that will have implications for how we all conduct our business. We sat down with Bristol’s Vice President and Data Protection Officer (DPO), Paul Seymour, to answer some questions about this new regulation.
Paul, thanks for your time today. So, what exactly is GDPR?
The General Data Protection Regulation (or GDPR) (Regulation (EU) 2016/679), is an updated regulation issued by the European Parliament, the Council of the European Union, and the European Commission in order to strengthen and unify data protection for all individuals within the European Union (EU).
You said it was updated, how so?
The original Data Protection Law from 1998 was the UK’s first attempt to protect individual citizens’ private information from being used against their will, specifically in the new and growing area of the internet and E-commerce. It was a pioneering law at the time, but after 20 years, with the fast pace of growth in the internet and E-commerce, the explosion of companies who strategically grown globally during this period, and with the EU’s abandonment of the more recent Safe Harbor principle for EU Privacy Shield standards, it was time for the law to be reviewed and updated.
If it is just a European or EU issue, why do companies outside of the EU have to be concerned with this?
This is a very important question because if you do any international business or hire employees who may be residents of another country, then GDPR is important to you. This is because it not only improves the protection of European data individuals' rights, it clarifies what companies that process personal data must do to safeguard these rights. And, if you do not have these principles in place and you suddenly find yourself hiring an EU citizen or conducting business in the EU, a violation (like non-compliance) can result in large fines up to 4% of your turnover revenue.
So now that you know that GDPR is important, what is it that companies need to know about this new regulation on our horizon?
To answer this question, I’d like to review what we already know and understand about data protection. For example, personal data is defined as any information that could be used to identify someone like names, phone numbers, and email addresses. Sensitive data like information about a person’s race, residency, sexual preference, or marital status, requires even more care and protection when sharing this type of information.
But, corporations have always strived to keep personal and sensitive data confidential and secure, so how does GDPR change what companies can do with this information?
GDPR will still require a company to obtain explicit consent before someone’s personal and sensitive data can be transferred to a sub-processor, for example, but GDPR will also require that using any personal data must comply with the six principles of GDPR.
What are those six principle of GDPR?
GDPR’s new requirements are:
- Fair and lawful - There has to be legitimate grounds for collecting the data and it must not have a negative effect on the person or be used in a way they are not expecting.
For example, under GDPR, a corporate client who wants Bristol to administer relocation or assignment management services has a legitimate reason to share the individual’s data who defined benefits.
- Specific for its purpose - Data should be collected for specified and explicit purposes and not used in a way someone wouldn't expect.
The same corporate client described above is only providing this data to administer specific services. For example, companies do not send a list of all their employees to Bristol, so they can contact or spam those individuals for a variety of services not authorized or requested.
- Adequate and necessary - It must be clear why the data is being collected and what will be done with the data. Unnecessary data or information that has not defined purpose should not be collected.
Again, this is an area where corporate clients are already following the requirement without even knowing it. Trust me, corporate clients only want to provide the data that is required to perform the services authorized. I haven’t found a client that wants to provide more than what is needed.
- Accurate - Reasonable steps must be taken to keep the information up to date and to correct it if it is inaccurate.
This is a new requirement that in my opinion really puts the burden on a third party relocation company like Bristol. We must have a mechanism in place to make sure that we are maintaining the most accurate information on the corporate client’s relocating employee.
- Not kept longer than needed - Data should not be kept for longer than is needed and it must be properly destroyed or deleted when it is no longer used or goes out of date.
Here is another new item that again, I feel, rests on the third party relocation company’s shoulders. Companies like Bristol must regularly review the length of time they retain data on individuals. Data that is out of date or no longer necessary must be properly destroyed or deleted.
- Kept safe and secure - Data should be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing, loss, damage or destruction, and kept safe and secure.
Third party relocation providers, who process over 5,000 personal records per year, are publicly traded, or employ over 250 employees, are now required to appoint a Data Protection Officer, or DPO. The DPO is responsible for everything related to keeping personal data secure and cannot be easily replaced. Appointing someone in this position means personal data can be kept safe and secure more easily, with customer and employee rights being respected according to GDPR.
So, what is Bristol Global Mobility doing to ensure that our client’s data is legitimately obtained, limited in its purpose, necessary, accurate, secure, and only kept for the timeframe needed?
- Continuing to request consent from all employees moving abroad - specifically to and from the EU region - at the time of authorization and will add an additional requirement to continue to confirm consent if the individual’s assignment exceed a year.
- Limiting the data collected for the specific and explicit purpose of administering relocation and assignment management services for our corporate clients.
- Only collecting the necessary information needed to conduct the services authorized for that individual.
- Technology solutions like custom authorization templates and specific required fields will be used to manage the data collection processes throughout the individual’s relocation or assignment.
- Requesting the relocating employees to update their personal information at various intervals of the assignment, for example: 6 months, one year, and annually after the first year anniversary, until the data is no longer needed.
- Maintaining relocation and assignment data for 7 years unless our client specifies a different timeframe or the employee explicitly asks to opt-out of the data retention period. Once this data has reached the end of its useful life, the data will be properly destroyed or deleted.
- Ensuring that the appropriate security measures are in place to keep data secure and safe from damage or loss.
How is Bristol managing this change and going to accomplish the goal by the May 2018 deadline?
Bristol has been working with a data privacy and partner, Verasafe, for several years. They originally worked with Bristol to continue our Safe Harbor audit and certification and have recently worked with Bristol to navigate the changes of the EU-Privacy Shield changes and certification process, and, now assisting Bristol through the process of certifying for GDPR.
Do you feel that you will make the deadline?
Yes, of course! Although there are some changes that are introduced with GDPR, the changes here were completed with the European Parliament, the Council of the European Union, and the European Commission to strengthen and unify data protection for all individuals within the European Union (EU), so the changes here are done again to make the regulations consistent with those tenants already proposed by EU-Privacy Shield.
If you had one thing to say to any of Bristol’s corporate clients on this issue, what would it be?
I would tell them not to worry too much about these changes. If you have a strong IT group and an established IT Policy on data protection, then your team is already on their way to successfully jump this latest hurdle.
Thank you Paul!
Bristol encourages our clients to reach out to us with any questions or concerns on GDPR and data security, at firstname.lastname@example.org.