In our previous post, we talked about the importance of protecting what we call personally identifiable information (PII) in the US, especially during overseas operations. In this article, we’ll explore payroll data retention in further detail, going through the larger service regions around the world and looking into their unique regulatory features. From the minute you onboard a new employee, you begin collecting personal data that, in turn, must be protected. PII comes in many forms, including identification cards, bank account details, social security numbers, and several other sensitive pieces of information.
Depending on your jurisdiction, you’ll need to abide by the established requirements, which vary from region to region. Below we’ll go into further detail.
In the United Kingdom and the EU, employers have strict requirements to protect their employee information, including in the event of a data breach. The European Parliament passed the EU General Data Protection Regulation (GDPR) in 2016 to replace the Data Protection Directive 95/46/EC. This was a consolidated effort by ruling authorities to simplify data privacy laws across Europe, protect and empower all EU citizens’ data privacy, and improve the way organizations across the region approach data privacy.
There are direct penalties involved for those organizations that do not comply with GDPR, which is why it’s critical to understand at least the basics of this new law. This is also why we highly recommend working with a global payroll provider who can assist with compliance management while paying your international employees. Those organizations in breach of GDPR can be fined up to 4% of annual global turnover, or €20 Million, whichever is greater.
And despite the implementation of Brexit, GDPR is going to affect UK businesses offering any type of service to the EU market, regardless of whether your business stores or processes data on EU soil, and whether the UK stays in the EU or not. In fact, the UK is working on a Data Protection Bill that will replace its Data Protection Act 1998, and will effectively absorb and incorporate the essence of the GDPR into national UK law. Even post-Brexit, businesses will need to comply with the same EU rules for UK citizens.
The Asia-Pacific region has plenty of economic strength, which makes it a popular target area for international expansion. The trouble is keeping track of data regulations. At this point, the region is not fully unified, but there are signs that APAC will reach an agreement that resembles the EU’s GDPR. For more specifics on payroll considerations in each country in APAC, read our article on this topic.
With regard to the protection of PII, each country in APAC, for now, has its own requirements. Japan has had a Personal Information Protection Commission since 2016 to enforce protection. The Philippines started its National Privacy Commission (NPC) in 2016 and implemented comprehensive data privacy laws, which are much more stringent than the previous regulations. Australia recently updated its Privacy Act for the first time since 1988. And China adopted the Cyber Security Law in 2016, which accompanies the National Security Law and Anti-Terrorism Law.
Given the recent focus on privacy protection in the region, it could be likely that we’ll see a collaborative effort sooner rather than later.
Hong Kong has much stricter regulations around protecting PII. In fact, companies can face criminal sanctions if they engage in direct marketing activities without opt-in consent. To protect personal data, Hong Kong established the Office of the Privacy Commissioner for Personal Data to protect workers’ information. There are also six established Data Protection Principles (DPP), which include restrictions on the use, access, and collection of personal data. Find out more information about the DPP here.
Latin America, the Caribbean, and South America have enacted comprehensive privacy laws, primarily on an individual level, to enforce regulations around personal data.
“Other than Mexico, Colombia, and Peru, the other country in the region that actively protects privacy rights is Brazil, despite the fact that it does not yet have in place a comprehensive privacy law,” according to Cynthia Rich for Bloomberg.
Given the country-specific requirements for the region, we recommend hiring a partner with expertise in your target country to ensure your company is meeting all of the regulations for protecting your employees’ data during payroll.
South Africa has the most advanced PII protection requirements in the region. From specific types of data covered to the types of breaches and departments to contact, there are very particular resources for businesses to use when finding out information on how to protect their employees’ information when working in the country.
Similar to Latin America, there are different requirements depending on which country you’re operating in. As a result, we recommend working with an expert who can guide you through the various rules and regulations and help you maintain compliance.
To learn more about how to protect your data when managing payroll, contact a member of our team today. We take the necessary precautions to ensure your team members’ PII is safe and secure, preventing it from falling into the wrong hands. We’d love to tell you more about the benefits of working with a secure international payroll provider. Get in touch today!
**This article is for informational purposes only. It is not intended to constitute legal advice.