Compensation Data & GDPR: What It Means For Your Organization

What you need to know about data security, data privacy and data selling

To support our growing international customer base, Pave’s been closely collaborating with industry experts and global compensation practitioners to take steps to better serve our customers.

As the regulatory landscape for compensation data continues to evolve, Pave will be expanding our operations accordingly. Specifically relating to GDPR (General Data Protection Regulation), we wanted to highlight what this means for Pave’s customers, and employers in general.

Topics we’ll cover below include data security, data privacy and data selling.

Data Security For Compensation Benchmarking

Pave was built on a culture of security. Our mission is to provide visibility and trust into what is typically a black box. In a world where companies are throwing people’s data in a spreadsheet somewhere, we go above and beyond industry standards with our data security efforts. 

The reality is, once you give a company your data, you have no idea how they will store it or enable employees to access it. That’s why we invested in security early, and continue to invest in it. We’ve been SOC2 Type II compliant since we had only three customers. 

Now we have thousands, and we’re investing more than ever in ensuring the security of their data. As such:

We believe compensation benchmarking data should be stored and exposed in aggregate slices, never individual data points, or data points that don't appropriately obfuscate the company or individuals in the aggregate slice.

Any comptech (compensation technology) company offering services to international customers should be SOC2 Type II compliant. Their data should undergo quarterly penetration testing, ensuring strict organizational and technical controls to protect compensation information. 

All data utilized needs to be fully separated from both the individual and their employer to render it unidentifiable. Benchmarks can never be associated with an individual or company.

This aspect of data security is particularly important outside of the US.

Data Privacy For Compensation Benchmarking

If your procurement team is currently negotiating contract terms with any kind of human resources tech vendor (or will be doing so in the future), here’s the clause you’ll want to look for in that vendor’s privacy notice:

If you are a resident of the European Union (“EU”), United Kingdom, Lichtenstein, Norway or Iceland, you may have additional rights under the EU General Data Protection Regulation (Regulation (EU) 2016/679), the United Kingdom Data Protection Act 2018, and the United Kingdom General Data Protection Regulation (collectively, the “GDPR”) (the “GDPR”) with respect to your Personal Data, as outlined below:

Pave fully supports these rights, such as the right to be forgotten and their right to be informed. Data subjects can exercise these rights by partnering with Pave directly.

One point to note is, “Personal Data” generally means information that can be used to individually identify a person. Whereas “processing” generally covers actions that can be performed in connection with data such as collection, use, storage and disclosure. 

Additionally, Pave has adopted the practices outlined in the Standard Contractual Clauses to govern how we transfer highly confidential compensation data.

(Not) Selling Compensation Data

Compensation is an inherently technical, often ambiguous, and serious issue that involves people’s livelihoods. Technology companies in the human resources space must take customer privacy seriously.

Pave is conscientious about the fact that we deal with highly confidential information. As we expand our international presence and extend the international infrastructure options for our customers, we’re not only hyper vigilant about the collection of comp data, but also the use of it.

We’ve read too many devastating news stories about companies inside and outside of compensation technology that are selling the information their customers integrate. Either to third parties, or right back to the customers themselves.

We believe salary history, equity agreements and other employment information should never be sold. 

Pave’s mission is to make compensation transparent, accurate and fair for all 3.5 billion people who are part of the global employment world. As such, data privacy is in the service of a larger social good. 

  • We believe, the more real time data that exists, the better decisions employers and employees can make around compensation.
  • We believe if our customers tell us how they want to control their data, the more efficient and transparent they can be with their employees
  • We believe in making all compensation de-identifiable and de-integratable in the event of a security breach to minimize the downside

If you’re an international organization seeking to establish greater transparency and fairness in its compensation practices, we recommend using these as guideposts going forward.

We’re thrilled about the opportunity to support our growing international customer base, and we commit to keeping you in the loop as the regulatory landscape for compensation data continues to evolve.

To get more of your GDPR questions answered, please visit Pave's GDPR, Privacy & Security FAQ