Business protection in the employment lifecycle: what US businesses with global employees need to know
Published on 2nd Nov 2023
The employment lifecycle offers various touchpoints for potential risk, from onboarding to exit
Approaching global employees the same way as US employees often fails because it neglects to consider cultural and legal differences, which can lead to misunderstandings and compliance issues that may mean that the business is not as protected as it should be.
Instead, companies should adopt a more localized approach that respects cultural differences and adheres to local employment laws to ensure that they are taking advantage of the local laws and protecting the business appropriately.
Employee-related considerations are a key element to protecting the business, which can become more complicated when the workforce is globally distributed. During the course of their employment, employees will inevitably come into contact with confidential information and establish key business connections. Data privacy and securing the business' intellectual property (IP) are also major considerations when protecting your business in the UK and Europe.
The GDPR and employee data protection
Employee data is often the most sensitive data that a company processes, but frequently it's not treated in the necessary way. US companies should remember that compliance with the General Data Protection Regulation (GDPR), the UK GDPR and the local data protection laws in the EU Member States is strictly necessary.
While many of the fundamental processing activities are permitted, it is important that companies put in place localized privacy notices that specifically deal with the company's processing and retention of employee data (not forgetting candidate data too).
US companies often find that their usual processing activities in relation to the collection and processing of diversity and inclusion data and sensitive data from background checks (particularly criminal records checks) are not permitted and standard practices need to be localized. Given the transfer of data between Europe, the UK and the US, international transfer is an area that US companies need to take specific advice on.
Other standard steps that US companies should consider to protect the business are localization of IT security policies, acceptable use policies and bring your own device (BYOD) policies. Similarly, the way in which employees process personal data on the company's behalf will be important for business protection. It is often advisable to have in place localized data-protection policies that direct how employees should handle personal data in the course of employment.
Getting data privacy right is a key business area of focus given the reputational, legal and (potentially substantial) financial implications of mistakes.
IP: confidential information and trade secrets
Often US companies think that confidential information and IP are protected by having their global employees sign their standard proprietary information and inventions assignment agreement (PIIA). This approach neglects the local laws that must be adhered to in order to ensure that the IP created during the employment relationship is correctly owned by the company and that confidential information is protected.
In most cases, it's standard practice to include these provisions within the employment contract itself, but where a company wants to use its PIIA, the agreement will often create more uncertainty than protection unless it is localized to account for local laws.
Restricting the employees, during and after employment
When employment ends, businesses may want to consider options to restrict employees' post-employment activities, such as restrictions relating to non-competition, non-solicitation (of customers, clients and employees) and non-disparagement.
Like in the US, post-termination restrictions can in some cases be difficult to enforce; however, in many locations, they can be enforceable if tailored to the individual role, drafted reasonably and in accordance with local laws, and, in some cases, appropriate payments are made in exchange. Having legally enforceable post-termination restrictions may in certain cases be a real advantage to business protection, and, therefore, it's sensible for companies to seek advice and draft localized provisions to take advantage of these options where possible.
Employee onboarding and compliance training
Training employees is crucial, as employment law is constantly changing on a local level. Besides the local mandatory trainings, it is also worth providing training on health and safety, data protection, cybersecurity, diversity and inclusion, anti-discrimination and sexual harassment, artificial intelligence, sustainability and other local employment law nuances. Educating employees to understand the local cultures and laws is key to business success and protection as it can avoid unnecessary mistakes that expose the business to risk.
Specifically for managers and internal HR teams, it's often helpful to educate on the local laws based on where the business has employees. In most cases, processes such as performance management, disciplinaries, grievances and terminations have specific rules that need to be followed, and upfront education can help protect the business from future risk in failing to follow local processes.
External workforce: contractors and EoR
Business protection approaches may need to vary if a global workforce is engaged as contractors and freelancers or via third parties such as an employer of record (EoR). In this case, the business is not the employer and, therefore, doesn't benefit from the usual protections. Tailored and localized approaches will therefore be needed in both these areas to ensure appropriate protections, while navigating misclassification risks and tri-party employment relationships.
Things to think about
- Are your global employment contracts in compliance with local laws to ensure you have the appropriate contractual protections in place?
- Have you analyzed which types and categories of employee data you will be processing as a company and have you put in place appropriate data privacy policies and privacy notices in compliance with local laws?
- If you use a PIIA to protect confidential information and ensure IP ownership, has this been localized?
- Have you considered the use of post-employment restrictions in employment contracts and sought advice to tailor these to the specific role and local laws?
- Have you reviewed your onboarding and training processes to reflect local cultures and laws?
- If you have contractors and freelancers or individuals engaged through third parties such as an EoR, have you considered the local nuances to ensure the business is still protected in the same way as it is for employees?
Osborne Clarke comment
It's clear that as businesses evolve, safeguarding sensitive data and IP will become more crucial. The employment lifecycle offers various touchpoints for potential risk, from onboarding to exit. Addressing these risks requires comprehensive policies and procedures that respect data privacy laws, protect IP, and consider other legal and ethical factors.