By changing how people work, technology has introduced many new challenges to protecting privacy. Processing personal information of our Clients while staying on top of the mounting compliance challenges of privacy and data protection is one of our founding principles.
As a service provider, we prioritize individuals’ privacy and data protection across our products and services. This is why thousands of multinational enterprises and millions of employees and workers worldwide entrust ADP with their most sensitive personal information.
As a company that must comply with privacy legislation covering the personal data we hold for our own employees and business contacts, we have embedded privacy principles within our processes.
Data privacy throughout the organization
ADP has designed a governance structure for our privacy program that embeds data privacy in every level of our organization, as well as in every product we design. This includes:
- Global Data Privacy team—Spearheads privacy efforts across our organization
- Privacy Leadership Council—Composed of cross-disciplinary professionals, including representatives from our business units
- Privacy Stewards—Designated business leaders who take on management responsibilities for the controlled processing of your personal data within each ADP business unit and function
Our Global Privacy Program is central to our approach to protecting our Clients’ data and revolves around the following privacy principles:
Privacy by Design
Privacy principles are hardcoded within the ADP business model. We prioritize privacy and data protection at every stage as we design and develop new technology.
Data Minimization and Access Control
We collect and use only the minimum personal data necessary to achieve the business purpose for which your data was collected. While ADP processes personal data, access to data is granted based on role and job function.
Documented Data Processing Activities
We perform data flow mapping and privacy assessments on our data processing activities, which enable us to hold an inventory of our processing activities.
Standardized Record Information Management
Across ADP, our record retention schedules govern the proper retention for every category of record that ADP maintains and when the records should be destroyed.
Incident Management Process
Our incident response process is designed to ensure that any information security incidents are addressed promptly and effectively, in accordance with ADP security policies, procedures and legal requirements.
Supervision of Third-Party Providers
ADP Vendors must meet our data security and privacy standards. Our vendor assurance process enables ADP to assess its vendors prior to entering into a contract with them. Our vendors are contractually required to comply with ADP's privacy principles.
Binding corporate rules, approved by the EU
As of March 2018, ADP ranks among an elite group of companies worldwide to have gained regulators’ approval to implement BCRs as both a data processor (covering the processing of clients’ data) and data controller (covering the data of our employees and other business associates).
- BCRs are policies developed internally among a group of companies that share a common parent
- They provide a consistent set of rules on transferring the personal data of clients, employees and other individuals internationally, regardless of where such data is processed
- BCRs become legally binding once the EU Data Protection Authorities approve them (the DPAs are the regulators based in each of the EU’s Member States)
- The EU General Data Protection Regulation (GDPR) expressly recognizes BCRs as a way to safeguard the transfer of personal data out of the European Union (EU)
- Authorities regard BCRs as the best option for protecting individuals’ privacy rights in accordance with the GDPR requirements