Skip to Content
Author's profile photo Stephen Lofthouse

Are you a UK multinational company with HR data in Success Factors…? Then you’d better read this.

Given the recent events concerning the UK Governments attempts to negotiate a divorce settlement with the EU, now would seem to be a good time to talk about an issue that will affect numerous companies within the UK when BREXIT happens.

Let me start by asking a few pertinent questions.

  1. Do you have staff in the UK and in other European countries?
  2. Do you store your HR data in the cloud (SAP Success factors for example) ?
  3. Is your main HR operation based in the UK ?

If the answer to the above three questions if yes, yes and yes then you have a problem that you need to start thinking about now.

Let me explain;

The new European General Data Protection Regulations will be applied to all of the European member states on 25th May 2018. The GDPR has been drafted as a regulation. That is to say that it will apply as law without the need for individual member states to gain parliamentary approval.

There is a presumption within the EU of parity. With respect to data protection that means that there is a presumption that the data protections laws of all member states offer equal protection to the data of EU citizens. This regulatory parity is one of the foundation concepts of the EU and enables things like the free movement of goods, services, and in this case data. Countries outside of the EU are not given the same level of parity. The EU does have mechanisms for certifying the data protection laws of third party countries so called Adequacy decisions. And countries such as Switzerland, Andorra, and New Zealand have all been granted Adequacy status.

If you are a business that stores its HR data in the cloud, that data will reside in a data centre somewhere. In the case of SAP Success Factors, the main EU data centre is in Germany. Presumably because of the convenient location of SAP’s HQ in Waldorf and the strict German data protection laws. When you sit at your computer in the UK, and view your Success Factors HR data, you are technically pulling data from a server in Germany across to your screen in the UK, viewing or editing that data and then pushing it back to the server in Germany. Viewing, Editing, Transmitting and Saving are all types of processing as defined by the GDPR.

Can you see where this is headed… ?

When the UK leaves the EU, parity will no longer apply. Our data protection laws will no longer be viewed as offering equal protection a) because we are no longer a EU member state & b) because we do not have an adequacy decision in place.

It is a breach of the GDPR to transmit data pertaining to EU citizens to countries outside of the EU. So, when BREXIT happens, you viewing the HR data of your French sales team, on a computer in the UK is illegal, because to do so would require transmitting the data from the server in Germany, inside the EU, to the computer in the UK, outside the EU.

I have heard it said that; ‘of course the EU will provide the UK with an adequacy decision, we’re in the process of implementing the GDPR, of course our laws are the same. It will be part and parcel of the BREXIT settlement.’And there in lies the rub.

Adequacy status is gifted on the basis of a number of factors which together comprise the protection afforded to citizens data. The European Union has a number of issues with one specific UK law concerning data, the Regulation of Investigatory Powers Act, RIPA. Indeed the forerunner to RIPA, the so-called DRIPA was struck from the UK statute book on the basis of a European Court decision which ruled it illegal. The EU has a number of serious issues with RIPA concerning the unfettered access to EU citizens data, just as they have a number of issues with the US privacy shield for the same reason.

It is not then, a forgone conclusion that the UK will be granted Adequacy status with regards to its data protection laws. And given that the process for conveying Adequacy can take at least 6 months usually longer, UK companies could find themselves in very difficult situation where their corporate HR data is effectively locked up.

There are within the GDPR a number of mechanisms for dealing with this situation. EU approved Binding Corporate Rules, EU approved Contractual Clauses, or Data Subject Consent are all mechanism that can be used to permit the transfer of data overseas. Indeed for some companies who have chosen to relocate their head offices onto the European mainland to ensure continued access to the EU market, this will not be an issue. However, for the majority of multinational companies, headquartered in the UK, who store HR data in the cloud, this is an issue that requires serious thought and consideration, sooner rather than later. 

Binding Corporate Rules are applied to the company as a whole, and require amongst other things, shareholder approval. Contractual Clauses, cannot be used as they apply to processing by another entity, not the company itself. And consent must be obtained from each and every employee, be informed and freely given. Something which the EU deems difficult to obtain in an Employer : Employee relationship as there is a power imbalance.

The implementation of the GDPR within large, multinational organisations is a significant challenge. BREXIT adds to that challenge in a myriad number of ways, many of which companies will not even have considered. In addition to the GDPR, the European Commision is in the process of producing enhanced regulations governing network security and an updated and enhanced e-Privacy regulation. With regards to data centric operations, businesses need to be aware that the GDPR is just the start. Ensuring that you seek advice from people who understand, your business, your systems and the up and coming legislation is of paramount importance. 


(Cross posted to my Linked-in Blog –

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Luke Marson
      Luke Marson

      It is a breach of the GDPR to transmit data pertaining to EU citizens to countries outside of the EU.

      This is not the case. Data can be transmitted outside of the EU with permission of the persons for whom the data is being transmitted. However, there are various precautions that must be taken to comply with GDPR and there are certain countries that the EU do not consider to be safe destinations to transmit data to.


      Author's profile photo Stephen Lofthouse
      Stephen Lofthouse
      Blog Post Author

      Luke, Many thanks for you're comment on my article. From a general prospective you are correct. A data controller is able to shift a data subjects data outside of the EU provided they have obtained the consent of the data subject.

      The problem with regards to this consent is that it is the view of the European Commision and the WP29 (soon to be the European Data Protection Board) that consent cannot be freely given when a power relationship exists between the Data Controller and the Data subject, i.e. Employer and Employee.

      If I might draw your attention to the opinion of the WP29 on consent, specifically section 3.1.1:-

      An imbalance of power also occurs in the employment context.

      [...] WP29 deems it problematic for employers to process personal data of current or future employees on the basis of consent as it is unlikely to be freely given. For the majority of such data processing at work, the lawful basis cannot and should not be the consent of the employees (Article 6(1a)) due to the nature of the relationship between employer and employee.19

      wp29 consent 12 12 17.pdf

      So unfortunately organisations cannot rely on consent to process data in the manner I outlined in the article above. Which I very much appreciate causes problems for Success Factors consultants like yourself. Hence the article making reference to things like Binding Corporate Rules, and Certifications as mechanism to demonstrate compliance to the GDPR. Unfortunately things such as these take time to implement, and as such businesses should move now, rather than continue to behave like the proverbial GDPR ostrich.