Beyond GDPR: What Mobility Managers Need to Know About the Future of Data Protection

Beyond GDPR: What Mobility Managers Need to Know About the Future of Data Protection

The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and ushered in a new era in data protection, with countries around the globe considering and/or implementing their own privacy laws. This Insights explores what mobility managers need to know about the current data protection landscape.

Data privacy is not new: regulations surrounding data protection and personal privacy have been around for more than four decades. But as data usage and digitalization have exploded, governmental focus on protection has increased as well, expanding from personal protection to a broader scope.

The GDPR’s sweeping data privacy regulations, applying to all companies handling the data of EU and EEA citizens, caused a sea of changes in the business practices of companies around the world. Its scope was reinforced by its ability to levy fines for non-compliance. Across Europe, fines can be as much as four percent of a company’s gross annual revenue, and several major companies have already had incurred penalties.

While the GDPR clearly established a new standard for data privacy, it did not set one global standard for compliance. This is resulting in a complex data privacy landscape in which additional countries and regions are developing and implementing their own privacy guidelines. While all of these are based on similar principles of data protection and good governance, they can differ broadly in the specifics and, in many cases, in the penalties for non-compliance. In Brazil, fines can be as much as five percent of a company’s gross annual turnover.

With the increased digitalization of mobility and the expansion of employee populations consuming benefits on multiple platforms, this shifting privacy landscape has direct impacts on mobility managers.

The Evolving Regional Landscape

Below, we mention some of the regions and countries which are seeing some of the most recent changes in terms of data privacy laws.

The Asia-Pacific region has implemented a sweeping set of regulations – the APEC Cross-Border Privacy Rules (CBPR) System. The system is not mandatory, and while several countries have voluntarily signed up, others are still in the process of doing so, which is creating a complex and fragmented environment. Countries who have not currently signed on to the GDPR can have their own stringent requirements. A few examples include:

  • South Korea, with some of the strictest requirements for privacy, including rules on cross-border data sharing and holding senior company executives responsible for breaches.
  • China, with a new cyber security law requiring personal information and key data to be stored locally within the country.
  • India, which is focused on making individual consent the basis of use of personal data, as well as hosting in India.
  • Other countries developing and/or introducing their own privacy laws include Singapore, Vietnam, Indonesia and Malaysia.

Outside Asia Pacific, Brazil is also developing a stringent set of privacy regulations, and the UK  also introduced their own Data Protection Act of 2018 (to the extent the GDPR might not apply in the UK depending on the nature of the Brexit model that is ultimately adopted).

In the U.S., California took the lead as the first state to enact their own regulations – the California Consumer Privacy Act, or CCPA. The CCPA, which focuses exclusively on data protection and privacy of individuals, was enacted in May 2018 and will go into effect in January 2020. The law will give consumers the right to require a business to disclose what kinds of personal information it is collecting and how, why and with who it is sharing that information – as well as giving the consumer the right to say “no” to the sale of their personal information. It also provides penalties for non-compliance which can range anywhere from $100 to $7,500 per violation, depending on the specifics and who is bringing the charge (the individual, or the state.)

It should be noted that open questions remain as to whether the CCPA will apply to the mobility space, as the transferees and assignees from whom data is collected are arguably not “consumers” within the traditional definition of the term; i.e., individuals purchasing a good or service. It is also not clear if the annual$25 million USD gross revenue threshold, which triggers applicability of the CCPA, refers to revenue from a company’s operations as a whole, or from the company’s operations in California only.  It is expected that California regulators may offer interpretive guidance in the near future.

With other states considering their own privacy regulations, the Federal Government is considering an approach that would standardize privacy laws across the United States.

What do mobility managers need to know from their provider?

While privacy laws in development may ultimately pose additional mandates for companies, understanding and adhering to the guidelines set out in the GDPR is essential.

Under those requirements, companies managing the relocation of their employees around the globe are “controllers,” while your third-party provider is a “processor.” As a processor, your provider should:

  • Have a formal privacy policy that governs handling and protection of your and your employees’ data. That privacy policy should be publicly available on their website.
  • Conduct annual training of its workforce and document those efforts.
  • Have flow-down protocols to ensure downstream compliance with data and privacy protections through its own supply chain, an upfront screening or due diligence process for prospective suppliers, along with some type of audit function to monitor existing supplier content.
  • Have relevant clauses in the contracts governing relationship and business practices.

You should also conduct regular audits of your provider to ensure internal compliance. You may also want to ask whether your provider has a Data Protection Officer, an enterprise leadership position for companies that process or store the personal data of EU and EEA citizens; a position which may be required depending on the volume of data at issue. As set forth by law, the Data Protection Officer serves as an independent check and balance with respect to a company’s data practices, with a direct reporting line to the CEO. By embracing the standards of the GDPR, and the role of a Data Protection Officer, a company will establish a strong baseline for meeting the compliance challenges presented by new data protection laws emerging elsewhere around the globe.

What is clear is that the data privacy landscape will continue to evolve in the direction of more stringent regulation, as companies with global or even regional operations will increasingly find themselves subject to multiple sets of laws in varying jurisdictions. This raises the stakes for mobility managers as the talent and mobility field continues to digitize, along with the related expansion of outsourcing the delivery of services through a global network of suppliers. Although this creates the risk of additional liabilities, it also presents an opportunity for organizations to distinguish themselves by implementing a comprehensive baseline approach to data privacy, which can then be tailored to meet the requirements of specific laws on a global basis.