Many countries have introduced digital privacy laws that affect how businesses handle personal data. Here’s what payroll professionals need to know.
In the past decade, there has been a wave of data privacy laws introduced around the world. These rules are primarily intended to give individuals more control over their data but they also have implications for multinational companies.
Data privacy is a high-stakes issue that payroll and HR must stay on top of, as they handle sensitive personal data of employees. The legislation landscape is continuously changing, so working with a global payroll provider can ease some of the worry in staying compliant.
Payroll and HR need to work closely with their in-house legal and IT teams to ensure compliance in all countries in which the company operates. Companies of a certain size, or that handle a lot of personal data from customers, might have a Data Privacy Officer who leads on this, but smaller organisations might make data privacy governance a team effort.
But remote and flexible work remain important to employees. Studies have shown that workers are more productive and happier when they have flexibility in their work location. And other studies have shown that international hiring helps make workforces more resilient and diverse. For payroll and HR leaders at midsize companies, there’s an opportunity to advocate for a hybrid, global hiring strategy to make your company more competitive, agile and attractive to top talent. It may sound ambitious, but with the right global payroll partner, it’s never been easier to activate a truly global workforce driven by flexibility.
Terms you should know
- Anonymization: Stripping data of any personally identifiable information.
- Cross-border data transfer: The transfer of personal information from one jurisdiction to another.
- Data minimisation: The principle guiding businesses to only collect personal information that is relevant and necessary for the purpose of the collection.
- Data privacy: The principle that a person's right to privacy extends to their personal data.
- Data Privacy Officer (DPO): An individual within an organization who is responsible for compliance with data protection laws and regulations.
- Incident Response Plan (IRP): A tactical document that explains how the company should react to a data breach and is regularly updated. Some privacy laws mandate disclosure of data breaches within a set period.
- Personal information: Sometimes abbreviated as PII (personally identifiable information). In the EU, personal information is any data that directly or indirectly identifies a specific person, such as names, addresses, ID numbers, photographs and IP addresses.
- Record of Processing Activities (ROPA): An organisation’s formal documentation of the processing activities it carries out.
- Sensitive personal data: This includes health-related data, racial or ethnic origin, political views, sexual preferences and religious beliefs, as well as biometric and genetic data.
- Standard Contractual Clauses (SCCs): Pre-approved, standardized clauses that facilitate lawful data transfers outside of a country.
- Subject access requests (SARs): Individuals’ requests to access, change or delete their personal information, sometimes referred to as data subject access request/rights (DSAR).
- Transfer Impact Assessment (TIA): A risk assessment undertaken by an organisation that is exporting data to a third country. If personal data will not be adequately protected in that country, supplementary measures may need to be implemented.
Data privacy laws around the world
Here is a rundown of data privacy regulations you should be aware of in some of the biggest markets in the world:
Australia
Australia’s Privacy Act (APA) of 1988 contains 13 Australian Privacy Principles (APPs) regarding the collection of personal data and companies’ responsibilities in managing that data. The APA applies to businesses with an annual turnover of more than $3 million as well as public sector companies. Organisations must ensure data is collected for lawful purposes, stored securely, and only shared under permitted conditions. The Office of the Australian Information Commissioner (OAIC) enforces the APA and can issue fines of up to A$50 million (£24 million) for serious breaches.
Brazil
Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD), which went into effect in 2020, follows the EU GDPR’s principle of “data protection by design and default.” LGPD also requires any companies that process personal information to have a data protection officer, no matter the company’s size. All companies in Brazil are required to submit employee labour, tax, social security and payroll information to the government via the eSocial platform, including data on the race and ethnicity of employees. Violating the LGPD can leave a company liable to fines of up to 2% of a company’s revenue in Brazil, up to 50 million reais (£6.7 million) per infraction.
Canada
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all private-sector organisations and federally regulated businesses. The personal information covered includes data about employees. PIPEDA requires organisations to obtain consent for data collection, limit use to stated purposes, and implement safeguards to protect personal information. There are also provincial privacy laws in Alberta, British Columbia and Quebec. Violations of PIPEDA can lead to fines of up to C$100,000 per offence.
China
The Cybersecurity Law (CSL) came into effect in 2017 and established the foundational rules for data localisation, requiring that personal information for many companies be stored within China. The Personal Information Protection Law (PIPL) of 2021, often compared to the EU’s GDPR, imposed strict obligations on both domestic and foreign companies handling Chinese citizens’ data. Businesses employing more than 200 people must appoint a personal information protection officer akin to the EU’s data protection officer. Businesses that violate the laws can face fines of as much as 50 million yuan (about £5 million) or up to 5% of annual turnover.
European Union
The EU General Data Protection Regulation (GDPR), which came into effect in 2018, harmonised data privacy laws across the 28 EU member countries. GDPR applies to any organization that processes the personal data of people in the EU, even if the company is not physically present in the EU. A company must notify the authorities within 72 hours of a data breach. If a company violates the GDPR, EU data protection authorities can issue fines of up to €20 million or 4% of global revenue, whichever is higher.
Japan
Japan’s Act on the Protection of Personal Information (APPI), enacted in 2003 and amended in 2017 and 2022, applies to all organisations handling the personal information of individuals in Japan. APPI requires businesses to obtain consent where necessary, ensure data accuracy, and implement security measures. Data subjects have rights to access, correct, and request the cessation of use of their personal data. Cross-border data transfers are permitted only if the receiving country has adequate data protection. Japan’s Personal Information Protection Commission oversees enforcement and can enact fines of up to 100 million yen (£511,000).
Indonesia
Indonesia’s Personal Data Protection Law (PDPL), modeled on the EU’s GDPR, came into effect in 2024. PDPL applies to companies anywhere in the world that operate in Indonesia, have an effect on Indonesia, or process any personal information for Indonesians, even if they live outside the country. Violations can trigger a fine of up to 2% of the company’s annual revenue.
South Africa
The Protection of Personal Information Act (POPIA), enacted in 2013 and fully enforced from 2021, defines the lawful processing of personal information by public and private bodies. It applies to any organisation that processes personal data within South Africa. POPIA requires that data be collected for specific, lawful purposes, with appropriate security safeguards and respect for data subject rights such as access, correction and objection to processing. Companies are required to appoint and register an Information Officer with the Information Regulator and must submit annual reports under the Promotion of Access to Information Act (PAIA). The Information Regulator enforces both POPIA and PAIA, with powers to conduct investigations and impose fines of up to 10 million rand (£420,000) for non-compliance.
South Korea
South Korea’s Personal Information Protection Act (PIPA) applies to all public and private sector entities that collect and process personal information. The law requires organisations to obtain consent before collecting personal data, notify individuals of the purpose of collection, and limit use to that purpose. Data subjects have rights to access, correct, and delete their information. Organisations must also implement technical and administrative safeguards and report data breaches. Cross-border transfers are restricted and may require the individual’s consent. The Personal Information Protection Commission enforces the law and may impose fines of up to 3% of annual turnover for violations.
United Kingdom
Data privacy in the UK is governed by the UK GDPR and the Data Protection Act of 2018, which set strict rules for how personal data must be collected, processed, stored and shared. The UK requires companies to document compliance efforts and, in many cases, appoint a data protection officer. For employers, data about employees must be stored and processed securely in line with GDPR. The Information Commissioner’s Office (ICO) has the authority to investigate and enforce penalties of up to £17.5 million or 4% of global annual turnover, whichever is higher.
United States
The California Consumer Privacy Act (CCPA), similar in spirit to the EU’s GDPR, was the first US state privacy law to come into effect, in 2020, followed by the California Privacy Rights Act (CPRA) in 2023. Since then, 18 more states have approved data privacy laws. In California, businesses must provide privacy notices, respond to data subject requests, and implement reasonable security measures. While employee data was initially exempt, the law now applies to HR and payroll data as well. U.S. data privacy laws vary widely by state.
In conclusion
More data privacy regulation is in the works, meaning a data privacy officer’s work is never done. India’s Digital Personal Data Protection Act (DPDP), passed in 2023 but not yet implemented, will apply to any organisation, foreign or domestic, that processes the personal data of any individuals within India. The United Kingdom is considering some changes to its data protection laws, and more than 10 more U.S. states are working on their own data privacy laws as well.
Multinational companies should conduct regular audits to ensure compliance with local tax laws, regulations and payroll reporting. When implementing a global payroll system, special attention should be paid to data flows and reporting and retention requirements. Working with a global payroll provider that constantly tracks legislation is a great help in maintaining compliance.
Payroll points to consider
- Expansion to a new territory should include an audit of local data privacy regulations, both current and proposed.
- What is considered a reportable data breach event will vary by jurisdiction, as will the timelines and potential fines. Before there is a data leak or cyberattack, coordinate with IT, legal and HR to create a game plan.
- If your organisation is exploring adding AI to business processes, make sure that those partners are compliant with the data privacy laws where you operate.
- Working with a global payroll provider eases the stress of remaining compliant with multiple data privacy laws. We at activpayroll track legislative developments closely in all 150+ countries in which we operate.