An issue that is often neglected when implementing an equity plan on a global basis is compliance with global privacy regulations. Legislation intended to protect an individual’s right to privacy has existed for many years in the European Union (introduced by an EU Directive in 1995), but data privacy has not been a hot topic in most other countries (including in the U.S.). In the last several years, there has been a flurry of new data privacy laws around the world, especially in Asia Pacific, no doubt brought on by the proliferation of global internet use and the concern about data privacy on the internet.
These laws also affect companies offering global equity incentive plans, as well as their service providers. Typically, data privacy laws restrict the collection, processing and transfer of personal data, which is defined as information which can be used to identify a person. In addition, many data privacy laws require that databases in which personal information is stored be registered with local data privacy authorities.
To administer an equity plan, both the company and the service provider invariably collect, process and transfer employees’ personal data. Under most data privacy laws, these actions are legal only if a permissible ground exists. There are a variety of permissible grounds, but in the context of an equity plan, most companies rely on the employees’ consent to the collection, processing and transfer of data.
However, obtaining employee consent can be challenging for a number of reasons:
- First, many companies do not require employees to accept their awards or otherwise sign grant documents, which is where the consent language could be included.
- Second, even if acceptance is obtained, it is usually obtained electronically, while at least in some countries (e.g., Germany) the data privacy consent must be in writing.
- Last, even if consent is obtained through the employee’s acceptance of the award agreement, the consent arguably comes too late, because at this point, the personal data has already been collected and transferred to the parent company and/or service provider.
To avoid these issues, companies should consider collecting consent forms from employees (executed in hard copy) before the first grant is made. The consent will need to describe the data that is being collected, the purpose of the collection and transfer as well as all possible recipients of the data. In some countries, a translation into local language is advisable. To the extent a company uses an equity side letter to communicate awards to new hires, the side letter can be used to include this consent form.
Data Privacy Best Practices
The good news is that, even though most data privacy laws provide for severe penalties, enforcement in the employee equity plan context has been rare, because most employees realize that companies are trying to provide a benefit to them and will not object to the use of their personal data for this purpose, even if consent has not been properly obtained. Nonetheless, because this could change in the future, companies may want to consider the following additional tips (aside from getting employee consent) to avoid complaints from employees or, worse, penalties.
- Check with your local entities on data privacy compliance and ensure they are aware that data is being collected for the equity plan so that the local database registration requirement can be met.
- Limit collection of personal data to items that are necessary for the administration of the plan (in particular, avoid collecting sensitive data, such as religious affiliations).
- Limit transfer of personal data to third parties and require any third-party recipients of data to agree not to use the data for any purpose other than equity plan administration.
- Delete personal data that is no longer required to administer the equity plan.