July 21st, 2022 | Sterling

Navigating International Compliance

Complexity of International Compliance for Employers

With three in four businesses reporting skills shortages, and a record 1.3 million job vacancies in the UK, it’s clear that the ongoing war for talent is a major challenge for many organisations. It’s no surprise that businesses are reflecting on their current hiring programs and, in many instances, searching further afield for candidates. However, recruiting internationally comes with added compliance complexity, whether HR teams are part of established global enterprises or those now considering extending their programs to meet current hiring demand. Within each region are specific legal obligations which must all be adhered to, such as the General Data Protection Regulation (GDPR) within Europe.

On a recent global webinar, Sterling’s international compliance experts provided the latest regulatory updates and guidance, which you can watch on-demand here. Keeping up with the ever-evolving pace of international, national, and local changes can be intimidating, but it’s critically important that employers understand the legal requirements in every country in which they operate. With this in mind, let’s touch on some of the key discussion points from the webinar.

General Data Protection Regulation (GDPR) Developments

While there have not been any significant legislation changes in relation to the GDPR, a notable development occurred in recent months whereby the first GDPR fine was handed out due to the unlawful processing of criminal conviction data. In February 2022, a major global retailer was fined €2M for processing the criminal convictions of its delivery drivers in Spain. We previously documented this case in detail where we also highlighted a number of helpful resources such as our GDPR checklist.

In comparison, in the UK there are many legal bases for employers to process employees’ criminal convictions. For example, employers may seek to help prevent or detect unlawful acts, help protect the public against dishonesty, and help prevent fraud. However, many other European countries have taken Spain’s lead and proceeded similarly, meaning that a criminal record check must be mandated in law before it can be undertaken. Additionally, in certain countries, the onus is placed firmly on the employer to determine whether this check can be conducted. For example, in Germany, employers must determine that personal integrity is indispensable to the specific role before they can conduct the criminal record check.

It’s important to note that in European countries, a works council can hold significant power, similar to that of trade unions – the latter of which reported the global retailer mentioned above. Therefore, when designing a global screening programme, it’s essential for organisations to address any existing cultural expectations in addition to what’s legally permitted. A trusted screening partner can work with you to identify and determine which checks are required for each of your job roles.

The Essentials of a Data Processing Agreement

A data processing agreement (DPA) can be a standalone document or can be integrated within a contract. DPAs may also be specific to a certain jurisdiction or role. In Europe, the GDPR sets out what is required of a DPA, and organisations can adopt models based upon European guidance or standard contractual clauses (SCCs). Note that this doesn’t necessarily mean they’ll meet the requirements of the US or other non-EU locations. For global businesses, when drafting a DPA, it’s important that you consider all the requirements of every jurisdiction involved, making sure that the core functions establish details such as:

  • Instructions and limitations for processing personal data
  • Responsibility for compliance with the law
  • Who carries out specific compliance activities, and how (e.g. notice to customers, responses to customers)
  • Which party determines the why and how, and the lawful basis – connected to which party is the controller
  • Types of personal data and data subjects
  • Subject matter, duration, nature, purpose of processing
  • Data retention, return, and deletion
  • Cross-border transfers
  • Whether sub-processors are permitted
  • Commits the processor to participate in Data Protection Impact Assessments (DPIAs)
  • Sets out data breach response activities and timelines
  • Liability for data breach costs and data subject compensation claims
  • Appropriate security measures
  • Right of audit and inspection
  • Commitment to confidentiality

Ensuring Safe and Secure Data Transfers

Data transfers are an inevitable element of global commerce, and as such, Sterling goes to great lengths to ensure that data transfers are safe and effective. This starts with robust information security and privacy policies which help to ensure that any risks arising from cross-border transfers are minimised. While data transfers have become increasingly complex in nature, particularly within the EU and the UK, a trusted global screening partner like Sterling should be well-equipped to support employers with the necessary documentation (e.g. SCCs, transfer impact assessments). It is also vital that organisations ensure the provider has met all the required protocols and meets all best-practice standards required by the business.

How Does Sterling Help Employers with Global Compliance?

Sterling has a wealth of resources to help clients understand the different compliance considerations in each country. These include our “Country Fact” sheets, which communicate compliance guidance in specific countries and what services are available. From Sterling’s service offerings to the sources and the scope of these searches, our fact sheets go into detail including the data requirements for each check.

In addition to the fact sheets, Sterling also provides employers with the latest trends, guidance, and best practice considerations covering relevant topics such as Brexit, Digital Identity and GDPR via our checklist. If you’d like to watch the on-demand global compliance webinar, you can access the recording here.

This publication is for informational purposes only and nothing contained in it should be construed as legal advice. We expressly disclaim any warranty or responsibility for damages arising out of this information. We encourage you to consult with legal counsel regarding your specific needs. We do not undertake any duty to update previously posted materials.