As data privacy and security threats become more and more prominent in today’s world, is your organization staying ahead of the challenges those threats bring? As your mobile employees travel the globe, are you confident their personal data is secure? It is likely that you work with several vendors that help you facilitate a smooth mobility program. Do all of those vendors comply with the necessary regulations to keep your company’s and mobile employees’ information safe?

These are just a few of the questions you need to think about and address—the answers could directly, and potentially negatively, impact your mobile workforce. So, what can you do to ensure you stay ahead of the challenges and headaches? Below, we identify four data privacy and security measures you should ensure are in place for not only your company, but for each of the vendors you work with.

Establish and maintain a privacy policy

Your privacy policy should be supported by senior leadership and should be reviewed, at a minimum, bi-annually.

The policy should:

  • Be easily accessible to the public
  • Be made available for review by the individuals whose personal data is being processed
  • Advise individuals what categories of personal data are being processed, the purposes for which the data is being processed, the categories of third parties to whom the data will be made available, and how they can contact the organization with any questions or concerns about such processing

Given the complexity of privacy and cyber security law, developing a complete and accurate privacy policy may require assistance from an independent third-party advisor.

Obtain an annual System and Organization Controls (SOC) 2 Type 2 audit

This audit must be performed by an independent third-party auditor. The auditor will examine the controls at a service organization that may include security, availability, processing integrity, confidentiality, and privacy. Both the audit and the corresponding report follow the rigorous criteria set forth by the American Institute of Certified Public Accountants. A SOC report allows organizations to provide an independent (and industry standard) assertion that the controls and processes it has implemented are sound. 

Engage a trusted privacy and data security advisor

An advisor can provide expert guidance and structure for an organization’s data protection program. Regulations around the world evolve quickly and are becoming more and more stringent. For example, data protection authorities in the European Union (EU) are ramping up enforcement of the General Data Protection Regulation (GDPR), which came into effect in 2018. The GDPR, which regulates the personal data processing activities of companies conducting business in the EU, has set a new standard for privacy laws around the world, resulting in a flurry of new laws, regulations, and frameworks in a variety of countries. In the US, the California Consumer Protection Act came into effect January 1, 2020, and a number of other states are currently in various stages of passing similar legislation in the near future.

With the guidance of a reputable third party, an organization will learn how such laws apply to their business and circumstances. An advisor can also help implement the concept of “privacy by design” which suggests that privacy and security matters should be considered at the outset of any new data-intensive business initiative.

“In 2020, privacy is a global issue, and regulating the use of personal data will continue to be a legislative priority for governments around the world, particularly as new technologies come into play” says GTN’s privacy and security advisor, Matt Joseph of VeraSafe. “Compliance with such a variety of new laws can be overwhelming for any business, and we encourage our clients to implement strong, universal privacy programs within their organizations that identify the regulatory high-water mark and apply it globally, reducing the compliance burden when new laws arise. In this way, compliance costs are controlled, and our clients can confidently take advantage of their new standing as forward-thinking leaders in privacy.”

Appoint a Data Privacy and Security Officer or Data Protection Officer (DPO)

This individual will have the responsibility of overseeing an organization’s data protection program and help ensure compliance with applicable privacy laws.

It is important to identify a single member within an organization who is ultimately responsible for the protection of the data and organizational processes. Doing so will help ensure the chain of command is clearly defined, and the responsibility for data protection isn’t confused between various employees. Applicable privacy laws may require the appointment of a DPO who maintains a sense of independence from the organization so the DPO will be able to independently exercise his or her expertise and judgment, without a conflict of interest. As an added benefit, the DPO will be able to communicate, both internally and externally, that data privacy and security is a true priority for the organization.

In today’s connected world, having a robust data protection program in place is critical. In addition to the processes noted above, we encourage you to follow best practices such as providing all employees with regular privacy and security training and having a response plan in place in case you become the next cybercrime victim.

Are you confident that your global mobility tax services provider is securing and protecting the personal and confidential information of your company and your mobile employees? Download our questionnaire to evaluate and understand your current vendors’ commitment to data privacy and security.

Download questionnaire

If you have any further questions regarding the information presented here, or about GTN’s data privacy and security program, please contact me at cdexheimer@gtn.com or +1.763.252.0650, or visit our mobility tax services page to see what assistance we can provide.

Download article

The information provided in this article is for general guidance only and should not be utilized in lieu of obtaining professional tax and/or legal advice.

Subscribe to the GTN Blog

Author: Craig Dexheimer, COO / Data Privacy & Security Officer

Craig DexheimerCraig began his career with GTN in 2012 and currently serves as COO / Data Privacy & Security Officer. Craig leads the firm’s Managing Directors, Operations, Finance, Technology, and Human Resources functions. His charismatic attitude and enthusiastic style create an environment that is focused on clear goals and built on trust, accountability, and a healthy dose of FUN. cdexheimer@gtn.com | +1.763.252.0650