December 11th, 2017

GDPR: Your risks as a DSP

Data protection is becoming more and more of a hot topic in all industries, but especially in the global mobility sector. In the process of moving people for work, the collection of sensitive personal data is unavoidable. Data protection laws around the world vary widely, but this is about to change.

The Changing Landscape of Data Protection

The European Union (EU) currently has the strictest laws, with the Data Protection Directive (DPD) setting out rules that all member states must follow. However, on 25th May 2018 the General Data Protection Regulation (GDPR) comes into full effect. This new set of laws is a further-reaching, stricter and more consistent set of data protection requirements for the region, and it eliminates many of the problems found with the DPD.

Although breaching the DPD already carries the risk of financial sanctions, the GDPR increases the value of these fines significantly. The new regulation allows governments to demand penalties of up to €20M, or 4% of the offending company’s yearly global income, whichever is higher. It is also possible for individuals to face jail time where the authorities consider it appropriate.

GDPR and Relocations

If you are not currently working with EU countries, do you still need to worry about the GDPR? The answer is yes. The scope of these new regulations is vast: anyone who does business with companies based in the EU, with EU citizens, or with people moving to or from the EU needs to take notice. Countries across the globe are also integrating parts of the GDPR into their own laws to ensure regulatory compatibility.

What does this all mean for those in the global mobility industry? Gone are the days of sharing client information between DSPs, RMCs and intermediaries without a second thought. By expanding the definition of personal data, the jurisdictional reach, and the penalties for violations, the GDPR makes data security and accountability essential for all involved. Even accidentally keeping client data on a mobile device would be considered a breach if it came to light in an audit.

Understanding the Risks

One of the critical areas to examine when it comes to the GDPR is accountability for personal data within your organisation. It is now essential to keep accurate records of data transfers and processing, privacy and security policies, and data protection impact assessments. Some or all of these can be requested in the case of an audit and must accurately reflect how the business operates if penalties are to be avoided. It is therefore essential to re-evaluate the technology and workflows currently used within your company to find points of weakness, including potential data-breach hotspots.

Some of the worst yet simplest mistakes in data security occur during everyday tasks. When sharing customer data, are you sharing only what is truly necessary, or are you providing superfluous information? Is personal data scattered across different computers? Do you keep accurate records of data handling and ownership? Do you have the freely given and informed consent of the assignee to share the data? These are all areas where significant breaches of the GDPR can occur, with dire consequences for you and your company.

Protection for You and Your Clients

Although software solutions cannot remove every potential pitfall around GDPR compliance, they can go a long way towards it. Many of the current technology offerings for small and medium businesses are built with the GDPR in mind and provide genuine accountability and safe storage of data, without the need to keep track of files and emails containing personal data. In the relocation industry, you will need to look for a solution that offers a reliable and consistent platform between DSPs, RMCs, intermediaries and assignees, ensuring that only the necessary data is shared at any time. Such a system also tracks the movement of data between colleagues and partner businesses, creating the data trail essential for any audit.

In the new world of global business, it is crucial that mobility companies, both large and small, protect themselves and their clients. This means following the appropriate steps towards data security and GDPR compliance, but also documenting those steps accurately. Doing so will not only satisfy European law but also shield smaller businesses such as DSPs from legal disputes with RMCs and in countries with more litigious cultures.

Examples of GDPR Non-Compliance

Example 1:

An HR department in the United States is working with a service provider in Germany, but the American company does not use an integrated software solution. Instead, it uses generic programs such as Excel and Outlook for communication and data transfer. This way of working can easily cause a breach, as excess data could be included in the spreadsheet forwarded to the service provider. There is also a lack of accountability for personal data, because there is no accurate record of the extra data’s movement, a potentially severe failure in the event of an audit.

Financial risk – Up to €20 million, or 4% of the company’s global annual turnover.

Example 2:

A global mobility professional working on a case moving a client from the United Kingdom to Korea is extremely busy and decides to review the case during their commute. Instead of logging in to the company’s relocation management system on their mobile device, they email the case file to themselves. This constitutes a breach of the GDPR, as the assignee’s personal data has now been transferred outside the secure system to a private mobile device.

Financial risk – Up to €10 million, or 2% of the company’s global annual turnover.

Example 3:

An intermediary is working on the relocation of an Italian citizen from China to Singapore. While organising health cover for the client, the intermediary accidentally sends the details to the wrong service provider. This constitutes a breach involving special category data under the GDPR, as health data has been released to the wrong party. Although the relocation does not directly involve any EU country, the assignee is an EU citizen and is therefore afforded the same protection.

Financial risk – Up to €20 million, or 4% of the company’s global annual turnover.

This article was written by ReloTalent for EuRA. If you would like to continue the discussion on the issues surrounding the GDPR and data protection, please log in to our LinkedIn EuRA GDPR Peer Sharing Group.

For more information, contact Sebastien Deschamps (ReloTalent): seb@relotalent.com
