Data privacy throughout the organization
ADP has developed a governance structure for our privacy program that ingrains data privacy at every level of our organization and in every product we design. This includes:
- Global Data Privacy team — Spearheads privacy efforts across our organization
- Privacy Leadership Council — Made up of cross-disciplinary professionals including representatives from our business units
- Privacy Stewards — Designated business leaders that manage the controlled processing of your personal data within each ADP business unit and function
Our Global Privacy Program is essential to our approach to protecting our Clients’ data and revolves around the following privacy principles:
- Ethics in Artificial Intelligence
  As outlined in our Ethics in AI position statement, we have adopted a set of principles and processes to govern our ethical use of newer technologies such as artificial intelligence or machine learning.
- Privacy by Design
  Privacy principles are hardcoded within the ADP business model. We prioritize privacy and data protection at every stage as we design and develop new products and services.
- Transparency and notice
  ADP publishes Privacy Statements to inform our associates, business contacts, client employees, workers, and job applicants as to how their personal data is collected and for which purposes it will be processed.
- Data Minimization and Access Control
  We collect and use only essential personal data necessary to achieve the business purpose for which data was collected. While ADP processes personal data, internal access to data is granted based on role and job function.
- Documented Data Processing Activities
  We perform data flow mapping and privacy assessments on our data processing activities, enabling us to hold an inventory of our processing activities.
- Standardized Record Information Management
  At ADP, our record retention schedules govern the proper retention for every category of record that ADP maintains and when the records should be destroyed.
- Incident Management Process
  Our incident response process is designed to ensure that any information security incidents are addressed promptly and effectively, in accordance with ADP security policies, procedures and legal requirements.
- Supervision of Third-Party Providers
  ADP vendors must contractually comply with our data security and privacy standards. Our vendor assurance process enables ADP to assess its vendors before entering into a contract with them.
Binding corporate rules, approved by the EU
As of March 2018, ADP ranks among an elite number of companies worldwide to have gained regulators’ approval to implement BCRs as both a data processor (covering the processing of clients’ data) and data controller (covering the data of our employees and other business associates).
- BCRs are policies developed internally among a group of companies that share a common parent
- They provide a consistent set of rules for transferring the personal data of clients, employees and other individuals internationally, regardless of where such data is processed
- BCRs become legally binding once the EU Data Protection Authorities approve them (the DPAs are the regulators based in each of the EU’s Member States)
- The EU General Data Protection Regulation (GDPR) expressly recognizes BCRs as a means to safeguard the transfer of personal data out of the EU
- Authorities regard BCRs as the best option for protecting individuals’ privacy rights in accordance with the GDPR requirements
Emerging privacy advancements and goals
Privacy changes are also underway in the United States. We are actively monitoring these changes and have operationalized a U.S. privacy program based on the California Consumer Privacy Act requirements and other upcoming state-level privacy laws.
Privacy and data protection trainings
As global privacy legislation evolves, we make sure to provide our associates with the tools and training they need to comply with all relevant laws. ADP Associates and contingent workers are trained on the appropriate use and handling of personal data. We employ various tools, techniques and programs to embed security into our associates’ and contingent workers’ day-to-day professional and personal lives.
Remote privacy during COVID-19
Keeping both our associates and our clients’ data safe is essential, especially during these trying times. To address both issues, work-from-home security processes are embedded in our Security and Privacy policies and standards. ADP limits access to our clients’ employee data to the ADP associates who are currently supporting the respective client. Additionally, we utilize technical controls such as data encryption and Network Access Control (NAC) to address the risk of unauthorized access. Our remote network requires the use of IPsec VPN connectivity with two-factor authentication for connection. ADP requires all confidential information to be encrypted on all remote computing devices.