GDPR significantly affects every aspect of global mobility and applies to any company involved in relocating EU citizens, or relocating non-EU citizens into and around the EU. It shapes the actions and decisions of global mobility and relocation specialists and the rights of the individuals and families being relocated. Because so much personal data is processed in both national and international relocations, GDPR has the potential to completely revolutionize the global relocation industry.
Since GDPR is focused on the personal data of individuals, let’s first discuss what is considered “personal data”. For Global Mobility specialists, virtually all information used to obtain visas and other immigration-related documents falls within the GDPR definition of personal data. Other pertinent examples include an individual’s name, business and personal phone numbers, email addresses, health information, family information, and identification numbers. Less obvious are what are called “indirect identifiers”, which include IP addresses, location information, and biometric data.
With the evidently personal nature of the data needed to assist an employee and their significant others when relocating, it is especially important for companies to maintain GDPR compliance with service providers and all of their service providers’ local agents when they process those relocations.
Maintaining GDPR compliance for relocations will require oversight in several areas:
1. Consent
Because of the inherent imbalance of power in many employment relationships, consent under GDPR is not the primary basis on which an employer can process an individual’s data. In addition to a written contract, the employer or processor must, in each instance, first consider the legitimate business reasons and purposes for collecting or sharing an individual’s data before doing so, and must ensure that only the minimum amount of data is released, and only to those who need it to achieve the intended purpose.
GDPR requires “Privacy by Default” which entails ensuring that only required data is collected and that by default the amount of data is limited, the extent of processing and accessibility to that data is limited, and the period of storage is defined and limited, too. Technical and organizational controls are required.
That being said, a written privacy contract between all parties and transparency around the services that are helping the employee relocate are still necessary. If existing contracts are in place, they should be renewed with the updated guidelines to reflect these criteria.
Actionable Steps:
Implement clear processes for providing transparency about what data you are gathering and storing, who is accessing that data, the legitimate business reason for doing so, and for how long. For family members, you’ll need to obtain clear and transparent (explicit) consent and make it very easy for individuals to withdraw consent.
2. Right To Erasure or The Right To Be Forgotten
In creating a contract it is important to advise an individual of their rights under GDPR. Data subjects have eight specific “rights”. As far as global mobility and relocation are concerned, the “Right to Erasure” or “Right to be Forgotten” is particularly interesting in that individuals may have the right to have some or all of their personal data erased by the relocation firm and all of the agents it works with after their relocation project is completed. They are asking not only that the company erase some or all of their information, but also that any downstream data processing companies erase their information as well. Remember that there may be country- or state-specific regulations that do not allow for complete erasure, so be sure to keep them in mind if you are asked to completely erase employee data.
Actionable Steps:
Implement clear and transparent processes for individuals to exercise their “right to be forgotten”, clarify what data you are required to keep, and have their personal data removed from your systems when appropriate.
3. Right To Access & Right To Data Portability
Two other rights under GDPR that are important for Global Mobility are the “Right to Access,” and “The Right to Data Portability.”
Under “Right to Access”, the Data Subject has several rights related to the access of their personal information which include receiving information regarding:
1) The reasons/purposes for the processing of their personal data
2) The categories of data concerned
3) The recipients or categories of recipients of their personal data, especially when those recipients are from third countries and/or international organizations
4) The expected time period for the data to be stored, or at a minimum, the criteria for determining that time period
5) In cases where the data subject’s personal data is not received from the data subject themselves, the source of such information
Under “Right to Access” the Data Subject also has the right to request confirmation that they have the right to lodge a complaint, and the right to request confirmation that they have the rights to erasure of their data, rectification of their data, restriction of data processing, and objection to data processing.
The “Right to Data Portability” states that the data subject has the right to request from the data controller their own personal information (data) and that the controller would be responsible for supplying this information to the data subject in a form that is “structured, commonly used and machine-readable”. This may not always apply to all aspects of employee data and it’s important for you to talk to your legal advisor for further clarification.
The Right to Access and the Right to Data Portability have obvious implications for global mobility specialists. For example, if an employee relocated to another country and then wanted to start a new career with a different employer, they would have the right under GDPR to access their personal data (Right of Access) and may also have the right either to transfer that data themselves or, where technically feasible, to have their old employer transfer their personal data directly to their new employer (Right of Data Portability).
Actionable Steps:
Implement clear and transparent processes for individuals to exercise their “right to access” their personal data and have that data be portable if legally required.
4. Sensitive Data
With regard to “sensitive data”, or data that involves information such as the personal data of family members, or in the case of children under the age of 16 (Article #8), “explicit consent” must be given by the individual before an employer or third-party relocation service provider may obtain and process that particular information. It is clearly important for global mobility and relocation specialists to incorporate this “explicit consent” to process sensitive information into their relocation contracts when relocating families.
Actionable Steps:
In contracts involving the use of sensitive data, include “explicit consent” clauses that explicitly ask the data subject to give consent for the processing of sensitive data for both themselves and their family members. Make sure that the use of this information is absolutely necessary for legitimate business interests.
5. Privacy by Design
Companies setting up their GDPR compliance will most likely not be doing so in reaction to a given data compliance or data security event, but rather will follow the regulation by weaving compliance into the fabric of their policies and processes. This is called “Privacy by Design.” Creating “Privacy by Design” requires technical and organizational controls for implementing data security, access governance, and data minimization. Although this may take more work, review, and training up front, these efforts will make ongoing compliance far easier later on. If the company is already abiding by modern data protection policies, it will likely only need to slightly upgrade and tweak those policies to accommodate GDPR’s new requirements.
Actionable Steps:
Dedicate a budget to GDPR compliance and hire a full- or part-time Data Protection Officer (DPO). Perform an audit of your existing processes regarding the use of personal data, and assess whether or not they are in alignment with data privacy and security compliance measures. If they are not, work to implement new systems that ensure data is processed compliantly as a matter of course and “by design,” rather than in reaction to a given data privacy event.
6. Territorial Scope
In regard to global mobility specifically, the GDPR provisions apply not only to organizations located within the EU but also to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. For individuals, it protects the data of anyone, including foreign nationals, living and working in the EU (Article #3). Given the reality of a global economy, this means that GDPR will impact companies and individuals the world over. Because GDPR defines both the “data processor” and the “data controller” as liable under the regulation, both in-house mobility teams (controllers) and third-party providers (processors) must comply with GDPR.
Actionable Steps:
Rather than reviewing individual employees to see who is covered by GDPR and who isn’t, create and implement data privacy processes that will achieve compliance for all of your employee data (Privacy by Design).
Make sure that not only the primary data controllers and processors are GDPR-compliant, but also that downstream processors and agents are compliant and hold only the correct and minimum amount of data necessary to fulfill their roles.
When hiring third-party business travel visa and immigration service providers, companies should be careful to ensure that their provider is GDPR-compliant, as liability is shared by both the company and the provider for any violations.
7. Training Employees
Finally, although a company’s policies and processes may reflect GDPR compliance perfectly, it is perhaps equally important that the company’s employees are not only educated as to their rights as per the written and signed contract, but also that they are trained and motivated to maintain GDPR compliance themselves. In the case of global mobility specialists, this training is especially important insofar as they are the main processors of employee data for national and global relocations.
Actionable Steps:
Train all employees on the new policies and their roles in GDPR compliance.
Increase employee awareness by developing a communications and training plan, and make sure that information is escalated to the relevant employees or directors.
In Conclusion
When processing immigration cases for EU residents, global mobility companies must comply with the “consent”, “right to be forgotten”, “right to access”, “right to data portability”, “sensitive data”, and “Privacy by Design” provisions of GDPR, and must also understand the territorial scope and train their employees to be GDPR-compliant.
Overall Recommendation
With these provisions in mind, it is recommended that a company appoint a data protection officer (DPO) to oversee and conduct the company’s data privacy operations. With a DPO in place, the company can then perform an audit of its existing processes regarding how data is processed during relocations. Then, based on these findings, it is further recommended that the company begin to reformulate those processes to be GDPR-compliant “by design”, update and renew its existing processor/controller/individual contracts so that they adhere to the new GDPR provisions, and finally educate its employees about how they can maintain GDPR compliance internally.
Along the way, it is always important under GDPR that a company documents all of its efforts at GDPR compliance and establishes processes for documenting continual compliance with GDPR requirements moving forward.
To begin to prepare such a report, watch for our upcoming post: ‘Relocation Audit Checklist’.
Keywords Used:
Personal Data – any information relating to an identified or identifiable natural person (‘data subject’)
Data Subject – any person who can be identified by reference to a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person
Do you need help managing the process and compliance reporting for your employees? Are your relocation service providers GDPR-compliant and can they track all of their local agents?
At Globig, we provide a platform that makes it easy for your company, your service providers, and your employees to be GDPR compliant “By Design”. Learn more.
As a disclaimer, this information is not intended to provide professional legal advice, nor is it our recommendation that you use it as the sole basis for making organizational decisions, especially in relation to the GDPR. Instead, it is our highest level recommendation that you use it for informative purposes and in preparation for working with legal counsel, or other data protection expert before finalizing any decision that will affect the future of your business or organization.