Data Privacy

Technology has changed how people work and has introduced new challenges to safeguarding everyone's privacy. Processing personal data while staying on top of the mounting compliance challenges of privacy and data protection is one of our founding principles. As a service provider, we make individuals' privacy and data security a priority for all of our products and services. This is the reason why thousands of multinational enterprises and millions of employees, workers and consumers entrust ADP with their personal data. As a company that complies with privacy legislation covering the personal data we hold for our own employees and business contacts, we have embedded privacy principles within our processes.

Data privacy throughout the organization

ADP has developed a governance structure for our privacy program that ingrains data privacy at every level of our organization and in every product we design. This includes:

  • Global Data Privacy team — Spearheads privacy efforts across our organization
  • Privacy Leadership Council — Made up of cross-disciplinary professionals including representatives from our business units
  • Privacy Stewards — Designated business leaders that manage the controlled processing of your personal data within each ADP business unit and function

Our Global Privacy Program is essential to our approach to protecting our Clients’ data and revolves around the following privacy principles:

  • Ethics in Artificial Intelligence: As outlined in our Ethics in AI position statement, we have adopted a set of principles and processes to govern our ethical use of newer technologies such as artificial intelligence or machine learning.
  • Privacy by Design: Privacy principles are hardcoded within the ADP business model. We prioritize privacy and data protection at every stage as we design and develop new products and services.
  • Transparency and notice: ADP publishes Privacy Statements to inform our associates, business contacts, client employees, workers, and job applicants as to how their personal data is collected and for which purposes it will be processed.
  • Data Minimization and Access Control: We collect and use only essential personal data necessary to achieve the business purpose for which data was collected. While ADP processes personal data, internal access to data is granted based on role and job function.
  • Documented Data Processing Activities: We perform data flow mapping and privacy assessments on our data processing activities, enabling us to hold an inventory of our processing activities.
  • Standardized Record Information Management: At ADP, our record retention schedules govern the proper retention for every category of record that ADP maintains and when the records should be destroyed.
  • Incident Management Process: Our incident response process is designed to ensure that any information security incidents are addressed promptly and effectively, in accordance with ADP security policies, procedures and legal requirements.
  • Supervision of Third-Party Providers: ADP vendors must contractually comply with our data security and privacy standards. Our vendor assurance process enables ADP to assess its vendors before entering into a contract with them.

Binding corporate rules, approved by the EU

As of March 2018, ADP ranks among an elite number of companies worldwide to have gained regulators’ approval to implement BCRs as both a data processor (covering the processing of clients’ data) and data controller (covering the data of our employees and other business associates).

  • BCRs are policies developed internally among a group of companies that share a common parent
  • They provide a consistent set of rules for transferring the personal data of clients, employees and other individuals internationally, regardless of where such data is processed
  • BCRs become legally binding once the EU Data Protection Authorities approve them (the DPAs are the regulators based in each of the EU’s Member States)
  • The EU General Data Protection Regulation (GDPR) expressly recognizes BCRs as a means to safeguard the transfer of personal data out of the EU
  • Authorities regard BCRs as the best option for protecting individuals’ privacy rights in accordance with the GDPR requirements

Emerging privacy advancements and goals

Privacy changes are also underway in the United States. We are actively monitoring these changes and have operationalized a U.S. privacy program based on the California Consumer Privacy Act requirements and other upcoming state-level privacy laws.

Privacy and data protection trainings

As global privacy legislation evolves, we make sure to provide our associates with the tools and training they need to comply with all relevant laws. ADP Associates and contingent workers are trained on the appropriate use and handling of personal data. We employ various tools, techniques and programs to embed security into our associates’ and contingent workers’ day-to-day professional and personal lives.

Remote privacy during COVID-19

Keeping both our associates and our clients’ data safe is essential, especially during these trying times. To address both issues, work-from-home security processes are embedded in our Security and Privacy policies and standards. ADP limits access to our clients’ employee data to the ADP associates who are currently supporting the respective client. Additionally, we utilize technical controls such as data encryption and Network Access Control (NAC) to address the risk of unauthorized access. Our remote network requires the use of IPsec VPN connectivity with two-factor authentication for connection. ADP requires all confidential information to be encrypted on all remote computing devices.