top of page

Data Security for Global Mobility: 5 Key Points

Updated: Jun 26, 2019

Everyone in the global mobility industry understands the importance of data privacy and security when it comes to personal information. With the worldwide reach of strong data protection laws such as the European Union’s General Data Protection Regulation (GDPR) now evident, it’s more important than ever to get your data protection efforts in order.

Whether the personal data in question comes from a client or assignee, it’s essential that you have a plan in place for its processing and security. Let’s take a look at some of the key points to think about.

1. Who’s in control?

First of all, it’s always good to know who is in control when it comes to the data in question. The GDPR defines the ‘data controller’ as the business that first comes into contact with the personal data, and they are ultimately responsible for its handling and sharing. This means that if you get your assignee information from an HR or RMC client, they are the data controller and you are a data processor. If you receive the data directly from the employee themselves, then you are the data controller.

Remember that being a data processor doesn’t abdicate you from the responsibility of handling that personal data with care and diligence. You don’t, however, need to get consent from the individual, as this should have already been completed by the data controller. Some data processors do choose to get their own consent to be safe, also demonstrating that they take data privacy seriously.

2. Organise your access

Controlling access to the personal data in your organisation’s possession is essential, as it is likely that not everyone in the business will require the information in question. Whatever technology you employ for relocation management, role-based access is an ideal way to control assignee data access in your company. Once team members have been assigned a ‘role’ the viewing, editing, sharing, deleting permissions can be set individually. This way, it’s simple to keep track of who can do what, and people only have access to the information they need.

3. What happened today?

‘What happened today’ is one of the most deceptively tricky questions in global mobility, especially for those handling many relocations at a time. What if I asked you what happened on this day last year? These questions exemplify the need for accurate tracking of data processing actions within mobility organisations. If you don’t have a management system that does this for you already, think about implementing your own internal system; although it may be time-consuming, you could be saving yourself from severe issues in the future.

4. A date with deletion

One of the most common topics of question we get asked during our complementary GDPR Onboarding sessions is that of data deletion. It is unsurprising, though, as it is one of the most open to interpretation parts of modern personal data laws. As a business, it is, of course, essential to keep accurate records of the work you’ve completed, so it is always recommended that logs of your relocation activities are preserved, although purged of personal data.

Most businesses set themselves a limit of 30 days to delete personal data within, after the completion of a contract. In global mobility, however, the question of whether a contract is completed can be blurry. If you’ve handled in the inbound relocation and are expecting to manage the outbound in two years, has your contact ended? Should you delete the data, knowing you’ll need it again? We always advise that unless you are 100 per cent sure you’ll be continuing the contract after a set period, delete the relevant personal data.

5. Time for training

It’s great to have a compliant and reliable assignment management platform and workflows, but does your whole team fully understand their roles and responsibilities when it comes to data protection? Online training can be useful, but in-person, in-house training is always going to be better, as your team will engage with the matters at hand more directly. Look at the options for data protection and GDPR training in your area, and consider getting someone in to lead a session with your teams so everyone can get a good appreciation for important points and what’s at stake.



bottom of page