Ransomware, phishing, malware, botnet, viruses, spyware, worms... and the list goes on. You don’t have to be an IT specialist to understand that, in our digital world, these data security threats are very real.
As personal data becomes an increasingly vital asset to businesses today, discussions of data privacy and security have graduated from the server room to the boardroom. And while the volume (and value) of data processed by companies grows, so do the risks associated with that data.
At the same time, the General Data Protection Regulation (GDPR) governs the processing of personal data belonging to any individual within the European Union (EU). This regulation requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. Non-compliance could cost your company dearly.
What can you do to ensure you stay ahead of these challenges?
As your mobile employees travel the world, they expect that you and your service providers are keeping their personal information secure. Companies have a responsibility to their employees to protect their personal and confidential data. Part of this responsibility includes working with trusted partners and vendors who put data privacy and security at the forefront of their operations.
Below are four processes you should ensure are in place in your own company, as well as for each of your partners and vendors.
- Maintain a privacy policy. The policy should:
  - Be easily accessible to the public
  - Be made available for review by the individuals whose personal data is being processed
  - Advise individuals what categories of personal data are being processed, the purposes for which the data is being processed, the categories of third parties to whom the data will be made available, and how they can contact the organization with any questions or concerns about such processing
- Obtain an annual System and Organization Controls (SOC) 2 Type 2 audit from an independent third party auditor.
This audit examines the controls at a service organization that are relevant to availability, integrity, confidentiality, and privacy. Both the audit and the corresponding report follow the rigorous criteria set forth by the American Institute of Certified Public Accountants. A SOC report allows an organization to provide an independent (and industry-standard) assertion that the controls and processes it has implemented are sound.
- Engage a trusted privacy and data security advisor that can provide expert guidance and structure for an organization’s data protection program.
Regulations around the globe evolve quickly and are becoming more and more stringent. For example, the new GDPR privacy law regulates companies conducting business in the EU. With the guidance of a reputable third party, an organization will learn how such laws apply to their business and particular circumstances. An advisor can also help implement the concept of “privacy by design” which suggests that privacy and security matters should be considered at the outset of any new data-intensive business initiative.
GTN’s privacy and security advisor, Matt Joseph of VeraSafe.com, says, “In the face of a rapidly changing regulatory climate, we encourage our clients to set a high bar—a very high bar—for their own data protection programs. By taking this approach, our clients position themselves well above the high water mark of regulatory fluctuations, thereby avoiding the need to reassess their data protection programs at the onset of each new privacy law. Also, this approach positions our clients as the privacy leaders in their respective industries, which lends a significant commercial advantage.”
- Appoint a Data Privacy and Security Officer or Data Protection Officer (DPO). This individual will have the responsibility of overseeing an organization’s data protection program and helping ensure compliance with applicable privacy laws.
It is important to identify a single member within an organization who is ultimately responsible for the protection of the data and the organizational processes around it. Doing so will help ensure the chain of command is clearly defined and the responsibility for data protection isn’t confused between various employees. Applicable privacy laws may require the appointment of a DPO who maintains independence from the organization, so that the DPO is able to exercise his or her expertise and judgment without a conflict of interest. As an added benefit, the DPO will be able to communicate, both internally and externally, that data privacy and security is a true priority for the organization.
In today’s connected world, having a robust data protection program in place is critical. In addition to the processes noted above, we encourage you to follow best practices such as providing all employees with regular privacy and security training and having a response plan in place in case you become the next cyber-crime victim.
Are you confident that your global mobility tax services provider is securing and protecting the personal and confidential information of your company and your mobile employees? Click below for a simple questionnaire that can be used to evaluate your current vendor’s data privacy and security programs.
We encourage you to forward this article to your Data Privacy and Security Officer for further review, and invite you to utilize the questions included in the GTN Data Security Questionnaire to understand each of your current providers’ commitment to data privacy and security.
If you have any further questions regarding the information presented here, or about GTN’s data privacy and security program, please contact me at firstname.lastname@example.org or +1.763.252.0650, or visit our Mobility Tax Services page to see what assistance we can provide.
The information provided above is for general guidance only and should not be utilized in lieu of obtaining professional tax and/or legal advice.