GDPR: Your Risks as a Destination Service Provider (DSPs)

Data protection is becoming more and more of a hot topic in all industries, but especially in the global mobility sector. In the process of moving people for work, the collection of sensitive personal data is unavoidable. Data protection laws around the world vary widely, but this is about to change. This first in a new series, this week Global Mobility Insider takes a look at how this shift in legislation may negatively impact destination service providers (DSPs).

The Changing Landscape of Data Protection

The European Union (EU) currently has the strictest laws with the Data Protection Directive (DPD) outlining rules to be followed in all member states. However, on 25th May 2018, the General Data Protection Regulation (GDPR) will come into effect in full force. This new set of laws are a further-reaching, stricter and more consistent set of requirements around data protection for the region and eliminate many of the problems found with the DPD.

Although breaching the DPD carries the chance for financial sanctions, the GDPR is increasing the value of these fines significantly. The new regulation allows government agencies to demand penalties of up to €20M, or 4% of the offending company’s yearly global income, whichever is higher. It is also possible for individuals to face jail time when the authorities think it appropriate.

GDPR and Global Mobility

If you’re not currently working with EU countries, do you still need to worry about the GDPR? The answer is resoundingly yes. The scope of these new regulations is vast, and those who do business with companies based in the EU, EU citizens, people moving from the EU, or people moving to the EU need to take notice. As such, countries across the globe are integrating parts of the GDPR into their own laws to ensure regulatory compatibility.

What does this all mean for those in the global mobility industry? Gone are the days of sharing client information between DSPs, RMC and intermediaries without having to worry. By expanding the definition of personal data, jurisdictional reach, and penalties for violations, the GDPR makes data security and accountability essential for all involved. Even accidentally keeping client data on mobile devices could be considered a breach in the case of an audit.

Understanding the Risks

One of the critical areas to be studied when it comes to GDPR is private data accountability within your organisation. It is now essential to keep accurate records of data transfer and processing, privacy and security policies, and data protection impact assessments. Some or all of these can be requested in the case of an audit and will need to be accurate accounts of business to avoid penalties. Therefore, it is essential to re-evaluate the current technology and workflows within your company to find points of weakness, including potential data-breach hotspots.

Some of the worst but simplest mistakes to make when it comes to data security can occur during everyday tasks. When sharing customer data are you only sharing what is truly necessary, or are you providing superfluous information? Do you have personal data scattered across different computers? Do you keep accurate records of data handling and ownership? Do you have the freely given and informed consent of the assignee to share the data? These are all areas where significant breaches of the GDPR can occur, resulting in dire consequences for you and your company.

Protection for You and Your Clients

Although software solutions cannot solve all of the potential pitfalls around GDPR compliance, they can work a long way towards it. Many of the current technology offerings are built with GDPR in mind and provide genuine accountability and safe storage of data without having to worry about keeping track of files and emails containing personal data. For those in the relocation industry, solutions offering a reliable and consistent platform between DSPs, RMCs, intermediaries and assignees should be sought out, ensuring that only the necessary data is shared at any time. Using such a system also tracks the movement of data between colleagues and partner businesses, creating the data trail essential for any audit.

In the new world of global business, it is crucial that mobility companies, both large and small, protect themselves and their clients. This means following the appropriate steps towards data security and GDPR compliance, but also documenting these steps accurately. Taking this action will not only satisfy the European law but will also shield smaller businesses such as DSPs from legal disputes with RMCs and countries with more litigious cultures.

Examples of GDPR Non-Compliance

Example 1:

An HR in the United States is working with a service provider in Germany, but the American company does not utilize an integrated software solution. Instead, they use generic programs such and Excel and Outlook for communication and data transfer. This method of working can easily cause a breach, as excess data could be included in the spreadsheet forwarded to the service provider. There is also a lack of private data accountability, due to there being no accurate record of the extra data’s movement, a potentially severe failure in the event of an audit.

Financial risk – Up to €20 million, or 4% of the company’s global annual turnover.

Example 2:

A global mobility professional working on a case moving a client from the United Kingdom to South Korea is extremely busy and decides to review the case on their commute. Instead of logging in to the company relocation management system on their mobile device, they email the case file to themselves. This constitutes a breach of GDPR, as the assignee’s personal data has now been transferred outside of the secure system, to a private mobile device.

Financial risk – Up to €10 million, or 2% of the company’s global annual turnover.

Example 3:

An intermediary is working on the relocation of an Italian citizen from China to Singapore. In the process of organizing health cover for the client, the intermediary accidentally sends the details to the wrong service provider. This constitutes a breach of special data under the GDRP, as it is health data that has been released to the wrong party. Although the relocation is not directly involving any EU country, the assignee is an EU citizen and is therefore afforded the same protection.