One of the main challenges of HR data is the thorny issue of data privacy. With the EU’s General Data Protection Regulation (GDPR) coming into effect in May 2018, this issue is set to become even more critical for HR teams. But what is GDPR and how might it impact the work of HR teams?
What is the idea behind GDPR?
It’s fair to say that legislation has failed to keep pace with the speed at which technology and big data have advanced – particularly our ability to gather, store and analyze data. GDPR is therefore designed to enhance data protection and the right to privacy for EU citizens, giving them greater control over their personal data and how it is used.
GDPR represents a complete overhaul of the legal requirements that must be met by any company handling EU citizens’ personal data – and that includes employees’ personal data.
The implications of GDPR are not to be sneezed at. Companies who fall foul of the regulation and are found to be misusing personal information face stiff fines of up to €20m or 4% of annual worldwide turnover, whichever is the greater of the two.
Why HR teams need to get consent for employee data
Consent is a critical pillar of the new legislation, and GDPR states that companies can only use personal data for the express purpose for which it was given. For HR teams, this means employees must explicitly opt in to allow their employer to use their personal data, and they must be made fully aware of how that data will be used.
In other words, you need to be transparent with your employees about what data is being collected, for what purpose, and how that data will be used. This can be clarified through a simple data privacy statement that’s signed by employees. Then, crucially, you can only use the data for the purpose for which it was handed over; if you want to use the data for a different purpose, you should seek new permission.
Protecting employee data
GDPR also sets out strict mandates around reporting the theft or loss of personal data. While, for most companies, this is more of an issue for customer data, be aware that employee-related data is still highly personal in nature. So, in the event of any breach that affects employee data, you will need to inform the supervising authority (in the UK that’s the Information Commissioner’s Office) within a maximum of 72 hours. You’ll also have to inform those individuals whose data is affected.
Naturally, it’s far better to avoid a data breach in the first place. While hackers’ techniques are getting more sophisticated all the time, some simple processes and procedures will help protect your precious HR data. This may include data encryption and breach detection systems.
GDPR may also have training implications, since all staff should be educated on the need for good data security practices. At the very least, this means employees must never share passwords, click on dodgy links, or share confidential information with anyone who isn’t authorized. Yes, hackers are very clever. But simple human error is responsible for more breaches than you’d think, as highlighted by the example of the Boeing employee who emailed his (non-Boeing-employee) spouse for help formatting a spreadsheet. In innocently forwarding the spreadsheet, the employee potentially exposed the personal data of 36,000 Boeing employees.
Other GDPR considerations
GDPR means employees also have the right to be forgotten and to withdraw their consent, so you’ll need to think about what this means for your systems. Do you have procedures in place for deleting employee data, for instance? How many systems would be affected? Can you be sure you’re removing all trace? Does your team understand how important it is to comply with this? These are all things that need to be considered as part of your data-driven HR strategy.
It’s also very important that you keep records of consent for gathering, storing and using employee data, and that you are able to demonstrate a clear business case for using the data.
What about outside of the EU?
You might be wondering what Brexit means for GDPR. Will UK companies still have to comply with GDPR once Britain exits the EU? In a word, yes. The government has committed to implementing GDPR into UK law, although, as with anything around Brexit, I suppose this could potentially change.
In any case, GDPR protects EU citizens’ personal data. So if your company handles data on employees from the EU, even if your business is not based in the EU, you still need to demonstrate compliance. In the US, for example, a new GDPR-friendly framework called Privacy Shield provides a means for stateside companies to demonstrate they can provide adequate protection, in line with GDPR, for EU citizens.
There are also specific things to consider if your business transfers data related to EU citizens outside of the EU. If, say, your company has a US office, or a data analytics provider is based in the US, you’ll be affected by these data transfer rules. For HR teams, this means you need to ensure that any personal employee data flowing outside the EU is being handled by companies that are compliant with Privacy Shield and GDPR policies.
Enhanced data privacy in practice
Let’s look at a specific example of employee data and the privacy implications for HR teams. We’re all familiar with the recorded message that greets us when we call a customer service center: ‘Calls may be recorded for training purposes,’ or words to that effect. Telephone calls are routinely monitored for business purposes these days.
Essentially, you need to make it very clear what data you’re gathering and why. If there isn’t a clear business reason for gathering the data, you shouldn’t be doing it.
In this stricter regulatory landscape, HR teams must strike a balance between the privacy of employees and the needs of the business, and be transparent about data activities at all times.
Read more about data privacy and the potential pitfalls surrounding HR data in my new book Data-Driven HR. It’s packed with real-life examples and practical ways HR teams can positively use data and analytics to deliver maximum value.