Location risk is a compliance question, not a remote-work debate
By Simon Gray, Vice President, Workforce Solutions
Bottom line
Where a contractor actually works is not a culture question or a remote-work preference. For a defined set of roles, it is a compliance, tax, and data-sovereignty question — and it needs to be confirmed, not assumed.
The scenario that should worry you
A contractor is hired for a role that requires work to be performed inside a specific jurisdiction — for data residency, export control, or client-contract reasons. They confirm the location at onboarding. The work is good. Everyone moves on.
Months later, an access log review shows logins from a country no one approved. The work was being performed from outside the permitted jurisdiction the entire time. Now the question is not performance — it is whether the organization has been in breach of a client contract, a data-protection regulation, or an export-control rule for the length of the engagement.
Why location is a control, not a preference
For most roles, where someone works is genuinely a matter of preference and flexibility. For a specific subset, it determines which laws apply. Location drives payroll tax obligations. It determines whether GDPR or HIPAA governs the data being touched. It decides whether ITAR or export-control rules are being violated. A worker accessing EU-citizen data from a non-approved country creates a violation regardless of whether the employer knew.
The infrastructure for hiding location has matured. Laptop farms let a worker appear locally based while operating overseas. Residential proxy networks route traffic through genuine in-country IP addresses. Passive trust — taking the stated location at face value — is no longer a control.
Where the risk concentrates
The roles that matter are identifiable in advance:
- Roles touching regulated data — health, financial, or personal data subject to residency rules.
- Roles under client contracts that specify where work may be performed.
- Roles subject to export-control or sovereignty requirements, where a location violation is a criminal-liability question.
- Roles with privileged system access, where an unverified location compounds every other access risk.
Start here
Identify the roles where location is a compliance variable, not a preference. For those roles, confirm location actively — IP and geolocation checks against the stated work location, not a one-time attestation at onboarding — and re-confirm it on a schedule, because a location that was accurate on day one can change without notice.
For everything else, leave the flexibility in place. The goal is not to surveil every contractor. It is to apply real verification to the small set of roles where getting it wrong is a legal exposure, not an inconvenience.
Questions to take back to your team
Which of our roles carry a legal or contractual requirement about where work is performed? Are we confirming location for those roles, or trusting an attestation? If a regulator or client asked us to prove where a given contractor worked last quarter, could we?
Next steps
Procom’s Workforce Solutions practice helps programs separate the roles where location is a compliance control from the roles where it is a preference — and build verification that holds up to client and regulatory scrutiny.
To discuss your program’s exposure, get in touch.
Candidate Fraud in Enterprise Hiring

About the author
Simon Gray, Vice President, Workforce Solutions
With over 25 years of experience in strategic staffing, Simon leads Procom’s Workforce Solutions division to help clients hire quickly and compliantly.

