
CASE STUDY

WilsonHCG deploys GDPR as golden standard for global data protection

WilsonHCG is an award-winning, global leader in total talent solutions. It offers a full suite of configurable solutions including recruitment process outsourcing, executive search, contingent talent and technology advisory. With offices in more than 65 countries, WilsonHCG is subject to various privacy and data protection laws regarding international data transfers, such as the GDPR.

The talent leader processes a huge amount of personal data for its employees and job seekers around the world. As a result, WilsonHCG partnered with DPO Consultancy to ensure compliance with global legislation and regulations in a structural manner.

Transferring data internationally

Amber Perrone, Recruitment Compliance Analyst at WilsonHCG, said: “Our global offices are subject to different regulations. We share a lot of personal data (including names, career details and other information about candidates), so it can be complicated. We have grown considerably in recent years. We have opened additional offices in Europe and Asia, among other places, further increasing the complexity of our business. Because people are so central to our business, we attach great importance to ensuring that their data is processed properly and that the privacy of each person is safeguarded. We have seen an increase in the complexity of dealing with personal data in recent years.”


“One of the biggest challenges was complying with the various facets of the GDPR and being up to date with the developments in the privacy landscape.

And while expanding to Europe, the data transfer mechanism that we used – the EU-US Privacy Shield – was declared invalid under the GDPR law after the Schrems II lawsuit in July 2020. We wanted to resolve this as quickly as possible to remain legally compliant.”

“Brexit caused another complication because our EMEA headquarters is based in Manchester and the UK replaced the EU GDPR with its own domestic GDPR. This also had consequences for our data transfers within EMEA. And in Asia we encountered other challenges, for example, which personal data we were allowed to share from China with our other offices in North America and Europe. All these complications prompted us to look for a holistic approach that would make data privacy legislation worldwide more manageable and to prepare us for future developments in the privacy landscape.”

Privacy journey approach

WilsonHCG partnered with DPO Consultancy in 2020. Perrone added: “We liked the pragmatic and holistic privacy journey approach of DPO Consultancy. It provided us with a versatile solution that covers all elements of data privacy legislation. First, we conducted a GDPR Assessment to determine any areas where we could improve upon regarding privacy and data protection within the EU. We worked closely together to interview various departments and to provide DPO Consultancy with all relevant documentation.”

“The assessment identified which aspects of compliance we should consider as high, medium, or low risk. For example, we improved our compliance with data processing principles as a result. We also developed clearer organizational guidelines for when to conduct a data protection impact assessment. Furthermore, there were also some medium and low risks that we mitigated. For example, to ensure that personal data remains safe, we increased employee education about data protection.”

Implementing measures

Perrone continued to explain how the partnership worked: “After the assessment, we implemented several measures, addressing the highest risks first. During the implementation phase, DPO Consultancy provided us with several GDPR-compliant templates. These templates had different functions, ranging from reviewing the privacy and cookie statements on the website to a data breach protocol and procedures for the data protection impact assessments.”

“As an example of the risk mitigation measures that we took with DPO Consultancy, we created a record of processing activities and tailored it to our processing activities. It was important to prepare such a record so we would be able to show our compliance with the data protection regulations.”


“One of the medium risks we addressed was about documenting the safeguards applicable to international data transfers. A procedure outlining what to consider when personal data is transferred internationally was drafted and implemented. Subsequently, the updated SCCs for the EU and the draft clauses for the UK were included in the template contractual agreements. As for the low risks, DPO Consultancy helped us review templates that were already in place and provided suggested updates. When a more suitable template was available, it was provided to us. At the end of the implementation project, our employees were educated about these policies and procedures.”

Global Data Processing Agreement

Due to WilsonHCG’s global presence, multiple contracts were used. Perrone added: “To eliminate the need for numerous contractual templates, we created a global data processing agreement (Global DPA) with DPO Consultancy. The global DPA covers the jurisdictions of the US, UK, EU, the People’s Republic of China and Japan. These jurisdictions were chosen because we are active in all these areas. The global DPA has been drafted in such a way that if we are only dealing with, for example, the US and the EU, the rest of the contract can be disregarded, if not relevant. We have taken the GDPR as a starting point for this. In our view, this legislation is the golden standard, because we wanted to meet the highest requirements regarding data privacy protection. The GDPR is stricter in terms of compliance and respecting the privacy and rights of individuals than some other privacy laws. For instance: if a person in the US invokes his or her right of access, US regulations allow us to respond within 45 days, but we will always apply the one-month response period as required by the GDPR.”

“Complying with data privacy is a lot easier thanks to the help of DPO Consultancy.”
Amber Perrone

“After we completed the implementation project, we started the governance stage. Together with DPO Consultancy, we ensured all policies and procedures are kept up to date with all privacy and data protection developments. Any questions we had about handling a request when a data subject is exercising their rights have been addressed or answered by DPO Consultancy. It keeps us informed of any developments in privacy and data protection in general, such as the development of China’s data protection laws, including any opinion pieces or action points that we should take into account.”

Data privacy protection

Perrone concluded: “With the help of DPO Consultancy, we have been able to further improve our compliance with the GDPR. Moreover, it is now easier to comply with data privacy legislation in all the different jurisdictions worldwide. Guided by our Global Data Processing Agreement, we continue to comply with the law by following a golden standard that ensures that data privacy is transferred as securely as possible. Provided with contractual templates for all aspects of international data transfer, we now feel even more confident in expanding our organization. DPO Consultancy has helped us to further enhance data privacy protection.”