What is GDPR?
Enacted in 2016, the General Data Protection Regulation (GDPR) is a European Union law that sets stricter rules for the collection, use and distribution of personal data relating to European citizens and residents.
For global mobility, GDPR affects essentially everything we do, including the distribution and processing of personal expat data not only within the European borders, but also for any partner sending EU citizen expats and residents to a third-party country. It is important for global mobility professionals to be keenly aware of their company’s data protection policies and discuss with their vendors how this will affect business.
We walk you through an example of what GDPR means for global mobility here:
At midnight on May 25th, 2018, companies are expected to be fully compliant with the regulations or face hefty fines of up to 20 million euros or 4 percent of global revenue (whichever is greater).
Who is affected by GDPR?
GDPR covers personal information of any EU citizen, including the UK, Norway, Liechtenstein and Iceland. It also extends to any EU resident even if they are not a citizen of an EU member country.
Any company that controls and/or processes personal data of an EU citizen or resident is required to comply with the GDPR law. This includes countries and companies outside of Europe that handle personal information of EU citizens and residents.
Global mobility is directly affected due to the nature of the business and data required to complete global relocations. The need to communicate with company GDPR specialists and contracted vendors to ensure compliance is of vital importance.
Will this also involve the UK post-“Brexit”?
Yes. The UK parliament has passed new Data Protection Legislation that implements most of the GDPR in UK law. Regardless of the final outcome of Brexit, GDPR will still be a requirement for UK companies and those controlling and processing UK citizen and resident data.
Who handles personal data?
Controller: The person, company or entity that decides what personal data is to be collected and how it will be used.
Processor: The person, company or entity that interacts with and uses the personal data under direction of the controller.
Both: A person, company or entity can be a controller for some personal data and a processor for other data.
It is best to consult a GDPR specialist or your legal team to determine your company’s compliance obligations.
What is considered personal data?
Personal data under GDPR is a broad term defined as any piece of information that can be used to identify a person directly or indirectly. The more obvious identifiers are email addresses, phone numbers and ID numbers. However, GDPR also encompasses the indirect identifiers like location information, IP addresses, biometric data and more.
An expat’s name, business or personal email address and phone numbers are all considered personal data. It even extends to the use of web portals and IP location identifiers.
What is “sensitive” personal data?
GDPR defines certain information such as race or ethnic origin, political opinions, religious affiliation, trade-union memberships, sexual orientation, genetic data, etc. as sensitive information. There are additional regulations concerning the handling of this sensitive information.
Sensitive information also includes all information regarding children under the age of 16. Any destination services provider or relocation professional working with families needs to be aware of these GDPR regulations.
It is advisable to consult your company’s GDPR expert or legal team to ensure compliance.
Can people have their personal data deleted?
There are several ways in which the GDPR expands citizens’ rights to privacy. One of these rights is the “Right to be Forgotten” or “Right to Erasure.” Put simply, it gives the individual the right to have their personal data deleted and excluded from further collection.
So wait – I need certain personal data in order to move an expat? How will this work?
Under GDPR, explicit consent must be given for a controller to procure and process personal data. Processors therefore need to have written contracts and consent from controllers to work with the data. There are certain justifications for the processing of personal data and certain rights are given once a formal contract is signed between processor and controller. It is best to consult with your legal counsel or GDPR specialist to determine your justification and consent requirements.
Where do I begin?
GDPR specialists and consulting firms begin with these key questions:
1. What personal data do you have on current, past and future expats? Is it categorized as sensitive or related to a child?
2. Where is your data stored? Do you pass it on to a third party relocation company or vendor? Do you have contracts in place to create the official controller/processor relationship?
3. How is the data being processed?
4. Where is data stored before deletion?
Part of compliance is making sure everyone knows what is coming, and when and how it affects them. Internal education at all levels, so that employees understand the company’s GDPR requirements, is recommended.
For more information about how GDPR will affect your global mobility program, contact Lexicon Relocation’s Director of Global Client Services Helio DeAndrade at +1 904-394-3762.