Data Privacy
Technology allows people to work in new and productive ways, but it has also introduced new challenges to safeguarding everyone’s privacy. Processing personal data while staying on top of the evolving compliance challenges of privacy and data protection is core to our business. As a service provider, we make individuals’ privacy and data security a priority in everything we do. This is the reason why thousands of multinational enterprises and millions of employees, workers and consumers entrust ADP with their personal data. As a Company that complies with privacy legislation covering the personal data we hold for our own associates and business contacts, and as a service provider that helps enable our clients to meet their privacy obligations, we have embedded privacy principles within our processes.
Data privacy throughout the organization
ADP has a governance structure designed for our privacy program that ingrains data privacy across every level of our organization and in every product we offer. Our privacy program is based on our three sets of Binding Corporate Rules (BCRs) covering: client data originating in the European Union, ADP associate data, and business contact data globally, which have been approved by European data protection authorities. The governance aspects include:
- Global Data Privacy Team: Spearheads privacy compliance efforts across our organization
- Privacy Leadership Council: Composed of cross-disciplinary professionals, including representatives from our business units and our legal/compliance team, which creates the overall framework for the global privacy program
- Privacy Stewards: Designated business leaders who manage the controlled processing of personal data within each ADP business unit and function
Our Global Privacy Program is essential to our approach to protecting our clients’ data and revolves around the following privacy principles:
- Ethics in Artificial Intelligence: As outlined in our Ethics in AI position statement, we adopted a set of principles and processes to govern our ethical use of newer technologies such as artificial intelligence and machine learning.
- Privacy by Design: Privacy principles are hardcoded within the ADP business model. We prioritize privacy and data protection at every stage as we design and develop new products and services.
- Transparency and Notice: ADP publishes Privacy Statements to inform our associates, business contacts, client employees and job applicants as to how their personal data is collected and for which purposes it will be processed.
- Data Minimization and Access Control: We collect and use only essential personal data necessary to achieve the business purpose for which data was collected. While ADP processes personal data, internal access to data is granted strictly based on role and job function.
- Documented Data Processing Activities: We perform data flow mapping and privacy assessments on our data processing activities, enabling us to maintain an inventory of our processing activities.
- Standardized Record Information Management: Our record retention schedules govern the proper retention for every category of record that ADP maintains and when those records should be destroyed.
- Incident Management Process: Our incident response process is designed to ensure that any information security incidents are addressed promptly and effectively, in accordance with ADP security policies, procedures and legal requirements.
- Supervision of Third-Party Providers: ADP vendors must contractually comply with our data security and privacy standards. Our vendor assurance process enables ADP to assess its vendors before entering into a contract.
Binding Corporate Rules (BCRs)
ADP ranks among an elite number of companies worldwide to have gained regulators’ approval to implement BCRs as both a data processor (covering the processing of clients’ data) and data controller (covering the data of our employees and other business associates).
- BCRs are policies developed internally among a group of companies that share a common parent
- They provide a consistent set of rules for transferring the personal data of clients, employees and other individuals internationally regardless of where such data is processed
- BCRs become legally binding once the EU Data Protection Authorities (DPAs) approve them (the DPAs are the regulators based in each of the EU’s Member States)
- The EU General Data Protection Regulation (GDPR) expressly recognizes BCRs as a means to safeguard the transfer of personal data out of the EU
- Authorities regard BCRs as the best option for protecting individuals’ privacy rights in accordance with the GDPR requirements
- ADP has obtained approval from the UK Information Commissioner for our UK BCRs to address the impact of Brexit
New State Privacy Laws
Changes in privacy law continue to take place in the U.S. In California, the California Privacy Rights Act (CPRA) came into effect at the start of 2023, and applies to all personal data, including employee data. Other states continue to enact consumer privacy laws as well.
We are actively monitoring these changes and have operationalized a U.S. privacy program based upon CPRA, to enable our own compliance and assist our clients in meeting their obligations with respect to their workforce.
Privacy and data protection trainings
As global privacy legislation evolves, we make sure to provide our associates with the tools and training needed to comply with all relevant laws. ADP associates and contingent workers are trained on the appropriate use and handling of personal data. We employ various tools, techniques and programs to embed security safeguards into our associates’ and contingent workers’ day-to-day professional and personal lives.
ISO 27701 Certification
We have achieved certification to ISO/IEC 27701:2019, an international standard for privacy information management, across key aspects of our infrastructure. This represents another significant milestone in our privacy commitment, by providing third party validation of our implementation of privacy controls.