GTN Global Mobility Tax Blog - News and Notes

Data Privacy Challenges for Global Mobility Programs

Written by Craig Dexheimer | October 17, 2024

Ransomware, phishing, hacking, malware, botnet, viruses, spyware, worms... the list goes on. You don’t have to be an IT specialist to understand that in today’s digital world, such data security threats are very real. As personal data has become a vital asset to businesses, discussions of data privacy and security have graduated from the server room to the boardroom. And while both the volume and value of data processed by companies grows, so do the risks associated with that data.

One of the most globally well-known and established data protection regulations, the European Union (EU) General Data Protection Regulation (GDPR), requires businesses to protect the personal data and privacy of individuals within the EU, as well as data processed for transactions that occur within EU member states. Non-compliance can lead to substantial financial fines and/or penalties, not to mention significant damage to a company’s reputation.

What can you do to ensure you stay ahead of these challenges?

As your mobile employees travel the world, they expect that you and your service providers are keeping their personal information secure. Companies have a responsibility to their employees to protect their personal and confidential data, and part of this responsibility includes working with trusted partners and vendors who put data privacy and security at the forefront of their operations.

Below are five data privacy processes we consider essential for your company, as well as for each of your partners and vendors.

1. Create and maintain accurate records of your data processing activities.

Sometimes referred to as a data map, this record of your data processing activities must be reviewed regularly, particularly whenever your processing activities change or new systems/applications are rolled out. At a minimum, we suggest reviewing your data processing activities on an annual basis. A record of processing activities serves as an inventory of your processing operations. It is a foundational compliance record and needs to include the information that must be set out in your privacy policy, as outlined below.

2. Establish and maintain an up-to-date privacy policy.

Also known as a privacy notice, a privacy policy must be supported by senior leadership and reviewed, at a minimum, bi-annually.

The policy needs to:

  • Be easily accessible to the public
  • Be made available for review by the individuals whose personal data is being processed
  • Advise individuals on:
    • What categories of personal data are being processed
    • The purposes for the data being processed
    • The categories of third parties to whom the data will be made available
    • How their data is safeguarded
    • How they can exercise their privacy rights
    • How they can contact the organization with any questions or concerns about such processing

Given the complexity of privacy and cybersecurity law, developing a complete and accurate privacy policy may require assistance from an independent third-party advisor.

3. Obtain an annual System and Organization Controls (SOC) 2 Type 2 audit from an independent third-party auditor.

This audit examines the controls at a service organization that are relevant to availability, integrity, confidentiality, and privacy. Both the audit and the corresponding report follow the rigorous criteria set forth by the American Institute of Certified Public Accountants. A SOC report allows an organization to provide an independent (and industry-standard) assertion that the controls and processes it has implemented are sound. A SOC 2 Type 2 report carries significant weight over lower-level SOC reports due to the increased audit requirements, disclosures, and attestations performed during the process.

4. Engage a trusted privacy and data security advisor.

A reliable data privacy and security consultant can provide expert guidance and structure for an organization’s data protection strategy.

Globally, data privacy and security regulations continue to evolve quickly and are becoming more and more stringent. For example, the GDPR regulates companies that are established in the EU or that offer goods or services to individuals in the EU. Moreover, within the US, various new state laws impose requirements to ensure the privacy of individuals residing in those states.

With the guidance of a reputable third party, an organization will learn how such laws apply to its business and circumstances, as well as how to achieve compliance with the various laws. An advisor can also help you implement the concept of “privacy by design and privacy by default” within your organization, which requires that privacy and security matters be considered at the outset of any new data-intensive business initiative.

GTN’s data privacy and security advisor, Danie Strachan of VeraSafe, says, “In a constantly evolving regulatory climate, we encourage our clients to adopt a very high standard for their own data protection programs by applying the strictest compliance requirements across all their business operations and locations. By taking this approach, our clients position themselves well above the high-water mark of constant regulatory fluctuations, thereby avoiding the need to reassess their data protection programs at the onset of each new privacy law. This approach has the added benefit of positioning our clients as privacy leaders in their respective industries, which lends a significant commercial advantage.”

5. Appoint a Data Privacy and Security Officer or Data Protection Officer (DPO).

This individual will have the responsibility of overseeing an organization’s data protection program and helping to ensure compliance with applicable privacy laws.

It is important to identify a single member within an organization who is ultimately responsible for the protection of the data and organizational processes. Doing so will help ensure the chain of command is clearly defined, and the responsibility for data protection isn’t confused between various employees. The DPO needs to communicate, both internally and externally, that data privacy and security is a true priority for the organization.

Some privacy laws require the appointment of a DPO depending on the nature of an organization’s processing operations (e.g., if there is large-scale monitoring of individuals or processing of sensitive personal information). The DPO must keep their knowledge of and expertise in data protection laws current, and must be able to maintain independence from the organization. This way, the DPO will be able to exercise their expertise and judgment independently, without a conflict of interest.

In today’s highly connected world, having a robust data protection program in place is critical to ensure proactive rather than reactive compliance. In addition to the processes noted above, we encourage you to follow best practices such as providing all employees with regular privacy and security training and having a response plan in place in case you become the next cyber-crime victim.

Are you confident that your global mobility tax services provider is securing and protecting the personal and confidential information of your company and your mobile employees? Use our simple questionnaire to evaluate your current vendor’s data privacy and security programs.

We encourage you to forward this article to your DPO and also invite you to utilize the questions included in the GTN Data Security Questionnaire to understand each of your current providers’ commitment to data privacy and security. Others have found the questionnaire very enlightening, and we believe you will as well.

If you need guidance or advice with your data privacy and security program, please visit https://verasafe.com or contact VeraSafe at info@verasafe.com to set up an initial no-cost consultation.