Data Privacy

Technology allows people to work in new and productive ways, though in tandem has introduced new challenges to safeguarding everyone’s privacy. Processing personal data while staying on top of the evolving compliance challenges of privacy and data protection is core to our business. As a service provider, we make individuals’ privacy and data security a priority in everything we do. This is the reason why thousands of multinational enterprises and millions of employees, workers and consumers entrust ADP with their personal data. As a company that complies with privacy legislation covering the personal data we hold for our own employees and business contacts, we have embedded privacy principles within our processes.

Data privacy throughout the organization

ADP has a governance structure designed for our privacy program that ingrains data privacy across every level of our organization and in every product we offer. This includes:

  • Global Data Privacy team — Spearheads privacy efforts across our organization
  • Privacy Leadership Council — Comprised of cross-disciplinary professionals including representatives from our business units
  • Privacy Stewards — Designated business leaders who manage the controlled processing of personal data within each ADP business unit and function

Our Global Privacy Program is essential to our approach to protecting our clients’ data and revolves around the following privacy principles:

  • Ethics in Artificial Intelligence
    As outlined in our Ethics in AI position statement, we adopted a set of principles and processes to govern our ethical use of newer technologies such as artificial intelligence and machine learning.
  • Privacy by Design
    Privacy principles are hardcoded within the ADP business model. We prioritize privacy and data protection at every stage as we design and develop new products and services.
  • Transparency and Notice
    ADP publishes Privacy Statements to inform our associates, business contacts, client employees and job applicants as to how their personal data is collected and for which purposes it will be processed.
  • Data Minimization and Access Control
    We collect and use only essential personal data necessary to achieve the business purpose for which data was collected. While ADP processes personal data, internal access to data is granted strictly based on role and job function.
  • Documented Data Processing Activities
    We perform data flow mapping and privacy assessments on our data processing activities, enabling us to maintain an inventory of our processing activities.
  • Standardized Record Information Management
    Our record retention schedules govern the proper retention for every category of record that ADP maintains and when those records should be destroyed.
  • Incident Management Process
    Our incident response process is designed to ensure that any information security incidents are addressed promptly and effectively, in accordance with ADP security policies, procedures and legal requirements.
  • Supervision of Third-Party Providers
    ADP vendors must contractually comply with our data security and privacy standards. Our vendor assurance process enables ADP to assess its vendors before entering into a contract.

Binding Corporate Rules (BCRs)

As of March 2018, ADP ranks among an elite number of companies worldwide to have gained regulators’ approval to implement BCRs as both a data processor (covering the processing of clients’ data) and data controller (covering the data of our employees and other business associates).

  • BCRs are policies developed internally among a group of companies that share a common parent
  • They provide a consistent set of rules for transferring the personal data of clients, employees and other individuals internationally regardless of where such data is processed
  • BCRs become legally binding once the EU Data Protection Authorities (DPA) approve them (the DPAs are the regulators based in each of the EU’s Member States)
  • The EU General Data Protection Regulation (GDPR) expressly recognizes BCRs as a means to safeguard the transfer of personal data out of the EU
  • Authorities regard BCRs as the best option for protecting individuals’ privacy rights in accordance with the GDPR requirements
  • ADP is in the process of obtaining approval from the UK Information Commissioner for our UK BCRs to address the impact of Brexit

Emerging privacy advancements and goals

Changes in privacy law continue to take place in the U.S. We are actively monitoring these changes and have operationalized a U.S. privacy program based upon a variety of state-level privacy laws.

Privacy and data protection trainings

As global privacy legislation evolves, we make sure to provide our associates with the tools and training needed to comply with all relevant laws. ADP associates and contingent workers are trained on the appropriate use and handling of personal data. We employ various tools, techniques and programs to embed security safeguards into our associates’ and contingent workers’ day-to-day professional and personal lives.