If your company grants equity awards to a multi-national employee base, you are likely paying close attention to the challenges brought on by mobility and jurisdictional tax regulations. But are you paying attention to data privacy requirements?
Data privacy laws are showing up in more and more countries. When it comes to obtaining employee consent to use their data for plan participation, complying with regional laws has become a serious challenge for plan sponsors. And all these complexities can quickly multiply depending on what countries are involved.
As discussed in a recent presentation on this topic given by Sheila Frierson, senior vice president of Computershare Plan Managers, June Anne Burke of Baker McKenzie and Kimberly Hackman of Amazon at a Global Equity Organization conference, there are a few notable things you should be considering when facing these challenges:
- Data privacy – what exactly are you protecting? Also known as personally identifiable information (PII), personal data is generally anything that could potentially identify a specific individual including, but not limited to, name, social security number and demographic information.
- Do you understand the data privacy laws in the relevant countries? Countries in the European Union and European Economic Area have a history of enacting strict data privacy legislation. New regulations for the EU are expected to come into effect in 2017 that will increase the power of the data protection authorities, an individual’s rights to privacy and the compliance burden in general. It is also important to know that countries within the EU have the freedom to implement additional requirements.
- Are you aware of ways you can achieve compliance? Obtaining consent in grant materials or through an offer letter at the time of hire are examples of how you can obtain the necessary consent.
- What is considered “consent”? As a general rule, the consent should list the personal data that will be collected, stored, used and transferred. It should also describe the purpose for the collection, storage, use and transfer of the employee’s data. You should make sure it identifies any third parties that may receive the data and what they plan to use it for. Employees should also have the ability to view, correct and update their data.