Handling Data Privacy and Security Challenges for Your Global Mobility Program


Data Privacy and Security

Ransomware, phishing, hacking, malware, botnets, viruses, spyware, worms... the list goes on. You don’t have to be an IT specialist to understand that, in our digital world, such data security threats are very real. As personal data has become an increasingly vital asset to businesses, discussions of data privacy and security have graduated from the server room to the boardroom. As both the volume and value of data processed by companies grow, so do the risks associated with that data.

One of the best-known and most established data protection frameworks worldwide, the European Union (EU) General Data Protection Regulation (GDPR), requires businesses to protect the personal data and privacy of individuals within the EU as well as data processed for transactions that occur within EU member states. Non-compliance can lead to substantial financial fines and/or penalties, not to mention significant damage to a company’s reputation.

What can you do to ensure you stay ahead of these challenges?

As your mobile employees travel the world, they expect that you and your service providers are keeping their personal information secure. Companies have a responsibility to their employees to protect their personal and confidential data, and part of this responsibility includes working with trusted partners and vendors who put data privacy and security at the forefront of their operations.

Below are five processes that we consider essential for your company, as well as for each of your partners and vendors.

1. Create and maintain accurate records of your data processing activities.

Sometimes referred to as a data map, the record of your data processing activities must be reviewed regularly, particularly whenever your processing activities change or new systems/applications are rolled out. A record of processing activities serves as an inventory of your processing operations. It is a foundational compliance record and needs to include the information that must be set out in your privacy policy, as outlined below.

2. Establish and maintain an up-to-date privacy policy.

Also known as a privacy notice, a privacy policy should be supported by senior leadership and reviewed, at a minimum, bi-annually.

The policy needs to:

  • Be easily accessible to the public
  • Be made available for review by the individuals whose personal data is being processed
  • Advise individuals what categories of personal data are being processed, the purposes for which the data is being processed, the categories of third parties to whom the data will be made available, how their data is being safeguarded, how they can exercise their privacy rights, and how they can contact the organization with any questions or concerns about such processing

Given the complexity of privacy and cybersecurity law, developing a complete and accurate privacy policy may require assistance from an independent third-party advisor.

3. Obtain an annual System and Organization Controls (SOC) 2 Type 2 audit from an independent third-party auditor.

This audit examines the controls at a service organization that are relevant to availability, integrity, confidentiality, and privacy. Both the audit and the corresponding report follow the rigorous criteria set forth by the American Institute of Certified Public Accountants. A SOC report allows an organization to provide an independent (and industry-standard) assertion that the controls and processes it has implemented are sound. A SOC 2 Type 2 report carries significant weight over lower-level SOC reports due to the increased audit requirements, disclosures, and attestations performed during the process.

4. Engage a trusted privacy and data security advisor.

This should be an advisor who can provide expert guidance and structure for an organization’s data protection program.

Globally, data privacy and security regulations continue to evolve quickly and are becoming more and more stringent. For example, the GDPR regulates companies conducting business in the EU, and within the US, various new state laws impose requirements to ensure the privacy of individuals residing in those states. With the guidance of a reputable third party, an organization will learn how such laws apply to its business and circumstances, as well as how to achieve compliance with various laws at once. An advisor can also help implement the concept of “privacy by design,” which suggests that privacy and security matters should be considered at the outset of any new data-intensive business initiative.

GTN’s privacy and security advisor, Zia Maharaj of, says, “In a constantly evolving regulatory climate, we encourage our clients to adopt a very high standard for their own data protection programs by applying the strictest compliance requirements across all their business operations and locations. By taking this approach, our clients position themselves well above the high-water mark of constant regulatory fluctuations, thereby avoiding the need to reassess their data protection programs at the onset of each new privacy law. This approach has the added benefit of positioning our clients as privacy leaders in their respective industries, which lends a significant commercial advantage.”

5. Appoint a Data Privacy and Security Officer or Data Protection Officer (DPO).

This individual will have the responsibility of overseeing an organization’s data protection program and helping ensure compliance with applicable privacy laws.

It is important to identify a single member within an organization who is ultimately responsible for the protection of the data and organizational processes. Doing so will help ensure the chain of command is clearly defined, and the responsibility for data protection isn’t confused between various employees. As an added benefit, the DPO will be able to communicate, both internally and externally, that data privacy and security is a true priority for the organization.

Some privacy laws require the appointment of a DPO depending on the nature of an organization’s processing operations (e.g., if there is large-scale monitoring of individuals or processing of sensitive personal information). The DPO must maintain their knowledge and expertise with data protection laws and also have the ability to maintain a sense of independence from the organization. This way, the DPO will be able to independently exercise his or her expertise and judgment, without a conflict of interest.

In today’s highly connected world, having a robust data protection program in place is critical to ensure proactive rather than reactive compliance. In addition to the processes noted above, we encourage you to follow best practices such as providing all employees with regular privacy and security training and having a response plan in place in case you become the next cyber-crime victim.

Are you confident that your global mobility tax services provider is securing and protecting the personal and confidential information of your company and your mobile employees? Use our simple questionnaire to evaluate your current vendor’s data privacy and security programs. 


We encourage you to forward this article to your Data Privacy and Security Officer and also invite you to utilize the questions included in the GTN Data Security Questionnaire to understand each of your current providers’ commitment to data privacy and security. Others have found the questionnaire very enlightening, and we believe you will as well.

If you need guidance or advice with your data privacy and security program, please visit or contact VeraSafe at to set up an initial no-cost consultation.

Author: Craig Dexheimer

Craig began his career with GTN in 2012 and currently serves as COO / Data Privacy & Security Officer. Craig leads the firm’s Managing Directors, Operations, Finance, Technology, and Data Privacy functions. His charismatic attitude and enthusiastic style create an environment that is focused on clear goals and built on trust, accountability, and a healthy dose of FUN. +1.763.252.0650