data privacy compliance: why & how
TRANSCRIPT
Data Privacy Compliance. Why? How?
Julian Cunningham-Day, Linklaters
Pekka Hukkanen, Outotec
Mike Pewton, Solium GSP
Nancy Price, Linklaters
Agenda
• Why is data privacy relevant for incentives?
• What does data privacy law protect?
• Who is subject to the law?
• What does it mean in practice for your plan?
• A company's experience – Outotec
• How to be compliant – globally
Why is data privacy relevant for incentives?
• Over 100 countries now have data privacy laws
• Wide ranging – not just for incentives
• Publicity and penalties
• Consider in context of employment relationship
• Involvement of third parties
• Global: more countries = more complexity
• Practical compliance – can't you just get consent?
Why do we have data protection laws?
1950: European Convention on Human Rights (Article 8, Right to Privacy)
1981: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
1995: EU Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data
2002: EU Directive on the processing of personal data and the protection of privacy in the electronic communications sector
2012: Proposed new Regulation to reform the EU data protection regime
What does the law protect?
"Personal data processed by a data controller"
• Data relating to a living individual who can be identified from the data
• Examples:
  – register of share plan participants
  – details of ex-employees and consultants
  – contact details of employees, bank account details
• Separate category of sensitive personal data
  – health, racial/ethnic origin, religion
Who is subject to the law?
– Data controller: determines "how" and "why" personal data is processed
– Data processor: processes personal data on behalf of a data controller under a written contract
Parties involved: Grantor, Administrator, Broker, Regulator
Principle-based regulation
1. Fair and lawful processing
2. Processing for specified purposes only
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Kept no longer than necessary
6. Rights of the data subject
7. Appropriate security
8. International transfers of personal data
Key principles
The following are key for incentive plans:
– Fair and lawful processing
– Rights of individuals
– Data security / data processors
– Trans-border data flow
– Regulatory notifications
Key principles
Transparency
• What data?
• Who has access?
• Where?
• Why?
Fair and lawful
• Proportionate?
• Consent?
• Legitimate interests?
Staff rights
• Access
• Objection
• To be forgotten
Spotlight on data exports
Issue: international transfers of data. Additional restrictions apply when data is exported.
Routes for international data transfers:
• Consent
• Contractual necessity
• The Model Contracts
• A custom contract
• An approved destination
• U.S. Safe Harbor
• Binding Corporate Rules
• Presumption of adequacy
How is the law enforced?
• Naming and shaming
• Public opinion
• Audit / fines
• Cease and desist
• Private claims
International harmonisation?
EU – minimum harmonisation
• Directive based, so many similarities between Member States…
  – …but national variations exist in different implementation, interpretation and enforcement
• Proposals to reform European data protection laws shortly
  – Introduction of a single EU-wide data protection law via a Regulation
  – Stringent obligations including mandatory appointment of data protection officers
  – Increased emphasis on accountability and "privacy by design"
  – Extra-territorial effect
  – Mandatory breach notification
  – Fines of up to 5% of annual worldwide turnover
International harmonisation?
• Rest of the world
  – Now over 100 jurisdictions with developed privacy regimes
  – Many based on the European model
  – Australia – new set of 13 Australian Privacy Principles
  – Singapore – new Personal Data Protection Act
  – Russia – expected new data localisation law (requires the personal data of Russian citizens to be stored in databases in Russia)
Practical issues for incentive plans
• How do these issues affect a company operating a global plan at its various stages?
  – Pre-invitation
  – Initial invitation
  – Making awards
  – On vesting of awards
  – Selling shares
Pre-invitation
• Ensure third-party agreements are in place
• Review legal compliance
• Obtain data permits
• Make data protection filings/notifications
Initial invitation
• Obtain consent for mailing
  – Third-party mailing
  – Direct mailing
• Ensure third-party agreements are respected
• Review data requests
• Review consent procedure and ensure early consent
Making awards
• Follow established procedure
• Record the required information only
• Ensure testing and adequacy of record keepers
  – Internally
  – Externally
Vesting/exercise of awards
• Review vesting/exercise data flow
• Clean records
Re-invitation
• Can you rely on previous data protections?
  – Follow the same procedure
  – Do not "flip" information
  – Review drop-outs and amend data accordingly
Outotec in brief
• Outotec provides leading technologies and services for the sustainable use of Earth's natural resources
• As the global leader in minerals and metals processing technology, we have developed many breakthrough technologies over the decades for our customers in the metals and mining industry
• We also provide innovative solutions for industrial water treatment, the utilization of alternative energy sources and the chemical industry
• Outotec shares are listed on NASDAQ OMX Helsinki
• The 3rd most sustainable company
• Experts of over 60 nationalities
• R&D, sales and service centers in 27 countries
• Deliveries to more than 80 countries
• Net sales 1.4bn EUR in 2014
Objectives for ESSP
• Share the success that employees build together
• Support Outotec values & create One Outotec culture
• Achieve a participation rate > 20%
Figures by country (from map):
Finland 1,500; Germany 550; Brazil 450; Australia 400; Chile 390; Sweden 250; Canada 230; South Africa 200; USA 150; China 130; India 100; Peru 80; Russia 70; Mexico 35; Zambia 20; Kazakhstan 20; Netherlands 10; Norway 10; UK 5; Ghana 5; UAE 2; Indonesia 2
The Plan: O'Share
• Offer: buy 2 shares, get 1 free
• 1st year promotion: buy 1, get 1 free
• Target group: all employees – participation voluntary
• Earning potential: same for everyone
• Link to top management LTI: LTI conditional on O'Share participation
• Extensive marketing campaign & branding
• Face-to-face employee events
• Translations into 6 languages
• Web-based communication
Challenges
• Over 20 different countries & cultures
• Data privacy issues
Issues
• First saving period 2013:
  – Easy to administer vs. legally bulletproof?
  – Risk of reducing take-up if too complex?
• Next saving periods 2014 onwards:
  – How to handle existing and new participants?
Process
• We chose the active data consent option:
  – Consent from all employees allowing Outotec to transfer data to the administrator
• Invitation to sign up was sent only to those who gave consent
  – 2014 onwards: consent asked again from everybody excluding existing participants
• Further acceptance on the portal for data consent
• Over 1,500 participants in almost 20 countries around the world
• Take-up >33%
Take-up by country (from map):
UAE 100%; UK 80%; Mexico 79%; Norway 63%; Netherlands 55%; Sweden 55%; Finland 52%; Zambia 33%; Australia 30%; South Africa 30%; India 30%; Germany 25%; Peru 25%; USA 23%; Canada 22%; China 18%; Brazil 12%; Chile 9%
Global take-up 34%
• Over 1,500 participants in nearly 20 countries
• 2014 take-up 33% and 2015 27% – in a challenging business situation
Tips for global compliance
• Country due diligence review
• Undertake regulatory notifications and check they remain accurate and valid
• Give employees information on processing activities
• Obtain employees' consent
• Have a compliant contract with the administrator
• Ensure all data transfers are compliant
• Check data is accurate and deleted if no longer needed
• Only process sensitive personal data for justified purposes
Thank you
Julian Cunningham-Day, Linklaters – [email protected]
Mike Pewton, Solium GSP
Pekka Hukkanen, Outotec
Nancy Price, Linklaters – [email protected]