April 28, 2011
Data Privacy
California is serious about privacy–so serious that it’s an “inalienable right” in the California constitution. This should give consumers–and employees–in California an extra bit of confidence that their own personal information won’t fall into the wrong hands. It does, however, create some rather frustrating experiences when a California resident actually wants his or her personal information to be transferred out of the state. For example, if you are a resident of California you may find yourself at an out-of-state bank branch talking to a perfectly nice teller who insists you don’t have an account until you admit you are from California at which point he will say, “Oh…California. Why didn’t you say so?” In this respect, California may have more in common with the EU or Japan than with the rest of the United States.
Aside from the quirky anecdotes that data privacy laws provide, there are serious considerations for companies with international (or California) subsidiaries. HR, payroll and equity compensation practices must ensure that the very essential, but also very private, employee data is transmitted without violating applicable laws. Payroll is relatively simple to handle compared to equity compensation, because payroll is processed locally. The distinct difference for HR and stock plan management is that most companies want to house relevant information in one central location or database.
Consent
Just like my fun bank experience, this is an instance when employees should want to have their information transmitted–after all, it’s going to create a tangible asset for them. But, operating on the idea that you have a right to access the necessary information to create and manage grants for your employees isn’t enough. In many locations, employees must actually consent to have their personal information sent to you and also sent on to the broker who will ultimately facilitate transactions for them.
Compliance
The burden for ensuring your company policies are compliant with data protection laws hopefully falls on your legal team. However, ensuring that equity compensation practices adhere to the policies is an ongoing consideration for stock plan management teams. Here are three important areas to consider when it comes to data privacy:
Incoming data – exactly what information about employees you collect and house in your stock plan administration database and how you access that information
Outgoing data – each instance where individual private information must be transmitted out of the stock plan administration database
Communications practices – when and how you are sending personal information back to your employees
Once you have established that your current practices are compliant, keep data protection in mind any time you are going to engage in a one-off situation involving the transmission of personal information. If you are in a merger situation, have opened a new office, or are partnering with another department to perform a data audit, these are all examples of situations where taking a moment to confirm that you are maintaining compliance with data privacy laws is a good idea.
Resources
The NASPP’s Global Stock Plans portal has several matrices that include data privacy issues companies should consider internationally. They can be found along the left column of the portal. We also have an update from Latham & Watkins on data privacy and protection in Germany, the UK, and Spain prompted by the draft Federal Data Privacy Act being considered in Germany. The Act could place more stringent qualifications on obtaining employee consent to collect and distribute personal information.
-Rachel