The clock is ticking: on top of the EU-US Privacy Shield, adopted in 2016, the General Data Protection Regulation becomes enforceable across the European Union in less than a year.

Organizations doing business in the EU, and organizations elsewhere that process the personal data of people in the EU, need to act now to ensure they are ready. The General Data Protection Regulation, which applies from 25 May 2018, is designed to ensure full protection of what the EU treats as a fundamental right to privacy and to the protection of personal data; it joins anti-bribery and anti-trust laws in carrying some of the highest sanctions for noncompliance.

The task of fully complying with this web of rules is particularly challenging for companies engaging MSPs that may have hundreds or even thousands of suppliers in their talent supply chains. Privacy law applies to every part of the talent supply chain where personal data (what US practitioners usually call “personally identifiable information”) is stored or processed. Two of the Privacy Shield principles in particular should make MSPs and their clients sit up and take note, because the General Data Protection Regulation imposes parallel obligations on controllers and processors directly:

Accountability for onward transfer. The firm must ensure that any entity to which it transfers personal data, whether vendor, supplier or customer, upholds the same principles on the firm’s behalf. The Regulation’s counterpart is Article 28: a controller may use only processors that provide sufficient guarantees and are bound by a written contract, and a processor must obtain the controller’s authorization and flow the same terms down before engaging a sub-processor.

Recourse, enforcement and liability. The firm must agree to be held accountable for any failure to uphold these privacy principles. Under the Regulation that accountability is no longer a matter of agreement: Article 82 gives individuals a right to compensation from the controller, and from any processor that breached its own obligations or acted outside the controller’s lawful instructions, and Article 83 exposes both to administrative fines.

It’s a complex web to untangle. Even for smaller firms with just a sliver of business in the EU, it’s worth noting that General Data Protection Regulation fines for the most serious infringements can reach €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, not just revenue generated in the country where the affected individual resides.

In fact, the General Data Protection Regulation completely changes the risk profile for every touchpoint of the talent supply chain. Processing personal data is a necessary part of engaging and managing a workforce, which raises the exposure of MSPs, their clients and their suppliers alike. Companies seeking to procure talent can be classified as “controllers” of that personal data and can face revenue-based fines and private claims by individuals whose data is mishandled at any point in the supply chain, even when the party at fault is a third-party vendor deep within the network. Suppliers within the chain now face increased risk as well: a “processor” can no longer shelter behind the fact that it was only handling data on behalf of its customer or MSP, because the Regulation imposes obligations on processors directly (security measures, breach notification to the controller, records of processing, and the flow-down of contractual terms to sub-processors) and makes them liable for breaching those obligations. Consider a global company with $20 billion in annual turnover that engages an MSP whose supplier violates the Regulation: the client alone faces a fine of up to $800 million, 4% of its own turnover, and the MSP and the supplier each face separate fines measured against their own revenue, on top of any compensation claims from the individuals affected.

Risks must be managed by exerting judicious control over how work is performed on behalf of an organization, and over all the parties that contribute to that complex network. Just a few of the required capabilities:

  • Notification to individuals of cross-border data transfers, the data held about them and the processing performed
  • Deleting personal data that exists across multiple platforms in multiple countries when an individual’s right to erasure applies
  • Securing specific, freely given and withdrawable consent from all persons reported on, including nonemployees, wherever consent is the lawful basis being relied on (and recognizing that consent is often not a sound basis in an employment relationship because of the imbalance of power)
  • Extensive data purging, encryption, pseudonymization and anonymization
  • Implementing and documenting privacy-by-design and privacy-by-default principles
  • Revising contracts with clients, technology vendors and suppliers so that every processor and sub-processor is bound by the terms the Regulation requires
  • Deploying, socializing and enforcing binding corporate rules for intra-group transfers
  • Appointing a data protection officer where required, and establishing the supporting roles and processes
  • Conducting and documenting formal privacy audits, and data protection impact assessments for high-risk processing
  • Addressing a surge of customer demands and employee and supplier inquiries, including data subject access requests that must normally be answered within one month

A defensible privacy program is fast becoming a prerequisite to being a viable talent supply chain organization. As our industry relies on a more global, mobile talent base than ever before, we must be increasingly vigilant that we are in full alignment with the rules designed to protect the privacy of that talent.