As a global relocation services company that manages a specific and directed scope of essential, personally identifiable information necessary for a customer’s move across the country or around the world, Dwellworks takes data privacy very seriously. We have an experienced legal and compliance team that serves not only as counsel and risk-management leaders for our company but for the entire mobility industry when it comes to best practices and evolving standards.
Our legal team is headed up by our VP of Corporate Counsel, Walter Dannemiller III, who also serves as vice chair of Worldwide ERC’s global compliance policy forum. The following blog on data privacy and business ethics contains excerpts from his latest write-up for Worldwide ERC’s blog, titled “Data Privacy and Ethics in Global Mobility.” Walter also provided a summary of these factors at WERC’s Global Workforce Symposium on October 19, where he spoke on a panel session titled “Public Policy Insights: Maintaining Compliance in an Evolving Technology Landscape.”
Read the following excerpts from Walter pulled from the WERC blog and edited for length:
Understanding the implications of data privacy on relocation services is critical for mobility professionals. Businesses must negotiate these problems while maintaining data stewardship, openness, and compliance while protecting individuals’ rights.
“As data privacy regulations continue to evolve, organizations in the global mobility sector must adapt to ensure that they handle sensitive data appropriately during the relocation process,” says Walter N. Dannemiller III, vice president of legal at Dwellworks and vice chair of Worldwide ERC®’s global compliance policy forum.
To begin, what is sensitive data? This term encompasses any data that not only pinpoints someone’s identity but also enables the tracking of their activities. However, this notion goes beyond the standard elements of personally identifiable information (PII). It branches out to embrace intimate aspects like political leanings, religious associations, past criminal records, sexual preferences, and health particulars. In this context, regulatory attention becomes more concentrated on the area of biometrics. Common examples include data like facial features and voice patterns. However, in this domain, more nuanced methods like pixel tracking and facial monitoring subtly collect biometric data.
“Data protection regulators across the globe have ramped up investigations and enforcement actions against organizations that do not comply with the higher standards of handling and safeguarding sensitive information of their consumers,” Dannemiller says. “Organizations involved in global mobility must navigate these new regulations while understanding that acceptable practice in one jurisdiction may not necessarily transfer to another.”
Furthermore, customers are becoming more conscious of their data rights, underlining the importance of openness and control. This puts firms under pressure to follow legal and societal standards in data collecting, handling, transfer, and storage.
“With a comprehensive data management framework in place, organizations can then turn their focus to the collection, processing, transfer, storage, and deletion methods of the data,” Dannemiller says.
The initial steps in building a good data management program are data categorization and cataloging. This comprises identifying required data kinds, comprehending internal data usage, assessing external data sharing, and determining storage locations, a process known as data mapping. Organizations must also navigate the regulatory landscape by identifying relevant data protection requirements, which frequently necessitate the assistance of a data protection officer or legal counsel.
Privacy should be a key component of a company’s design strategy, requiring methodical integration into systems and processes as well as a thorough awareness of data collecting and privacy legislation. Transparent privacy policies, minimum data collecting for particular goals, secure data processing, prompt data deletion, and rapid answers to data access and deletion requests are all components of effective data management.
“Proper data handling is a team sport,” Dannemiller says, “so organizations must educate their employees and supply chain about the importance of data privacy and security and provide them with the tools needed to succeed.”
Any complete data management program must include an Incident Response Plan (IRP). Data breaches, whether deliberate or unintentional, are likely, making a well-defined IRP essential. It should outline the methods for reducing violations and allocate responsibilities.
“It is not a matter of if, but when an organization will suffer a data breach, regardless of whether the cause is nefarious or innocent,” Dannemiller says. “It is imperative that organizations have a customized and well-defined IRP that outlines the sequential steps of mitigation and the parties responsible for executing each step.”
Improving understanding of sensitive data is changing how the global mobility sector manages personal information during the relocation process. Organizations can successfully manage these developments by implementing privacy-focused strategies, adhering to rules, and establishing robust data protection measures. This not only builds trust among transferees and clients, but it also ensures the quality and dependability of their services.
Navigating data privacy can be challenging. In maneuvering this complex path, questions emerge: Who should possess access to this valuable information? Can its insights be disclosed to employers? And in the larger context of data retention, how enduring should these digital traces continue to reverberate?
In the world of data, the principle of minimization takes on crucial importance. Regulatory guidance points toward a clear directive: gather only what’s necessary and keep it for as long as needed. Found in New York’s Digital Fairness Act , a strong message resounds—a message that requires data keepers to prioritize user well-being over the interests of service providers and data keepers. The considerations of necessity, the measurement of how long data should be kept, and the array of beneficiary interests all form the heart of this story about responsible data stewardship.
Entering the realm of privacy laws, the European Union’s General Data Protection Regulation (GDPR) takes a step forward on its evolutionary path. The baton of regulation passes to the EU-US Data Privacy Framework , replacing the Privacy Shield , aimed at smoothing certified data transfers across continents.
Turning our attention toward the East, China’s Personal Information Protection Law assumes a prominent role—a requirement that resonates across assessment reports, standard agreements, and government submissions concerning data transfers. An interesting scenario emerges as corporate clients assume the position of data processors, a role supported by foreign partners.
In the United States, a significant advancement occurs as comprehensive data privacy laws are implemented in 10 new states starting from July 2023. When it comes to protecting sensitive data, the responsibility falls heavily on businesses. Companies operating in the mobility sector ought to adopt minimalist approaches to data management and, while ensuring complete transparency, create strategies that align with regulatory standards and safeguard individual rights.
So, how can mobility organizations collect and store data safely and ethically?
People are always looking for methods to make things easier and more convenient. This is especially true in global mobility, where advances let families move between nations more smoothly. However, we must keep in mind that these advantages are not always without drawbacks, particularly when it comes to complying with privacy rules and using data ethically.
“Organizations must carefully consider whether the benefits of processing this data outweigh the potential risks and whether they align with the ethical values of their clients, employees, and stakeholders,” Dannemiller says.
Global mobility organizations may aim to provide biometric logins, customized settings, and targeted marketing for a smooth user experience, but they face hurdles. Rushing decisions to fulfill customer expectations can sometimes result in insufficient risk assessments, risking data privacy and ethical norms.
Furthermore, global mobility enterprises should prepare for new data privacy standards, as those for advanced data and sensitive information are not necessarily the same as those for general data. Following basic data privacy rules may not be sufficient for sensitive data.
“Organizations in this sector must be proactive in addressing these challenges to ensure they maintain compliance with regulations, uphold ethical data usage practices, and protect the privacy of individuals during the relocation process,” Dannemiller says.
Advanced data collection methods provide valuable insights and opportunities for the global mobility industry, but they also raise serious privacy, security, consent, and ethics concerns. To remain compliant with legislation, maintain ethical data practices, and preserve individual privacy throughout relocations, global mobility organizations must take proactive steps to address these data privacy issues.