Impact of GDPR (General Data Protection Regulation) on HR Teams Worldwide - New Challenges and Opportunities
Following the massive Facebook - Cambridge Analytica data scandal, data privacy has drawn far more attention than expected. The impact is deeper and more widespread across domains than data security experts could have calculated. In fact, the prickly issue of data privacy is one of the primary concerns around HR data. With the EU’s General Data Protection Regulation (GDPR) coming into effect in May 2018, this issue is set to become even more crucial for HR teams.
Let’s understand what GDPR is and how it might impact the work of HR teams.
- The General Data Protection Regulation (GDPR) is a regulation adopted by the European Commission on 27 April 2016.
- It is scheduled to take effect on 25 May 2018 across all 28 EU Member States and is expected to impact organizations across the globe that do business in Europe.
- A core feature of the GDPR is that, as a regulation rather than a directive, it does not require enabling legislation in each member state, something that historically led to inconsistencies.
- As per Article 2 (“Material Scope”), the regulation applies to the processing of personal data wholly or partly by automated means.
- Applicability of GDPR (as per Article 3, “Territorial effect”) is linked to the processing of “personal data”:
– In the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.
– Of data subjects who are in the EU, by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to such data subjects in the EU, or to the monitoring of their behavior as long as that behavior takes place within the EU.
– By a controller not established in the EU, but in a place where member state law applies by virtue of public international law.
What is the significance of GDPR?
It is fair to say that legislation has not been able to keep up with the pace at which technology has advanced, particularly our ability to gather, store and analyze data. GDPR is therefore designed to enhance data protection and the right to privacy for EU citizens, giving them greater control over their personal data and how it is used.
GDPR also applies to organizations not established in the EU whose activities consist of targeting data subjects in the EU.
GDPR represents a complete overhaul of the legal requirements that must be met by any company handling EU citizens’ personal data, and that includes employees’ personal data.
The implications of GDPR are deep-rooted. For companies that do not comply with the regulation and are found to be misusing personal information, Data Protection Authorities (DPAs) can impose stiff fines of up to €20m or 4% of annual worldwide turnover, whichever of the two is higher.
Why is it necessary for HR teams to seek consent for employee data?
Consent forms a crucial part of the new legislation, and GDPR clearly states that companies can only use personal data for the explicit purpose for which it was given. For HR teams, this means employees must explicitly opt-in to allow their employer to use their personal data. Employees must be made completely aware of how their personal data will be used.
What steps do companies need to take?
Companies need to be transparent with employees about what data is being collected, for what purpose, and how that data will be used. This can be clarified through a detailed data privacy statement that is duly signed by employees. Then, crucially, companies can only use the data for the purpose for which it was handed over. If a company wants to use the data for a different purpose, it must seek new permission.
How to protect employee data?
GDPR establishes strict mandates around reporting the theft or loss of personal data. While for most companies this is more of an issue for customer data, be aware that employee-related data is still highly personal in nature. So, in the event of any breach that impacts employee data, you will need to inform the supervising authority (in the UK that is the Information Commissioner’s Office) within a maximum of 72 hours. You will also have to inform those individuals whose data is affected.
It is, of course, far better to prevent a data breach in the first place. While hacking techniques are getting more sophisticated all the time, some simple processes and procedures will help protect your valuable HR data. These may include data encryption and breach detection systems.
GDPR may also have training implications, since all staff should be educated on the need for good data security practices. At the very least, this means employees must never share passwords, click on untrusted links, or share confidential information with anyone who is not authorized. Yes, hackers are very smart. But simple human error is responsible for more breaches than you may think.
Miscellaneous GDPR Considerations
Under GDPR, employees also have the right to be forgotten and to withdraw their consent, so you will need to think about what this means for your organization. Do you have procedures in place for deleting employee data? How many systems or processes would be affected? Can you be sure you are removing all traces? Does your team understand the necessity of compliance with this? These are the important considerations that form part of your data-driven HR strategy.
It is also very important for a company to keep records of consent for gathering, storing and using employee data, and to be able to demonstrate a clear business case for using the data.
What is the impact outside of the EU?
You may have wondered what Brexit means for GDPR. Will UK companies still need to comply with GDPR once Britain exits the EU? The simple answer is yes. The government has committed to implementing GDPR into UK law, although, as with anything around Brexit, this could potentially change.
Clearly, GDPR protects personal data for EU citizens. So if your organization handles data of employees from the EU, even if your business is not based in the EU, you still need to establish and demonstrate compliance. In the US, for example, a new GDPR-friendly framework called Privacy Shield provides a means for stateside companies to demonstrate that they can provide sufficient protection, in sync with GDPR, for EU citizens.
There are also specific points to consider if your enterprise transfers data related to EU citizens outside of the EU. For instance, if your company has a US office, or if a data or business analytics provider is based in the US, you will be affected by these data transfer rules. For HR teams, this means you need to ensure that any personal employee data flowing outside the EU is handled by companies that are compliant with Privacy Shield and GDPR policies.
What Data Privacy enhancements need to be implemented?
Let us consider a specific case of employee data and the privacy implications for HR teams. We are all familiar with the interactive voice response that greets us when we call a customer service center, ‘Calls may be recorded for training purposes only,’ or words to similar effect. Telephone calls are routinely monitored for business purposes these days.
Essentially, you need to make it very clear what data you are collecting and the reason behind it. If there is no clear business reason for collecting the data, you should refrain from doing so.
Importantly, as the regulatory practices come into force, HR teams must strike a balance between the privacy of employees and the business objectives of the company, and be transparent about data activities at all times. Remember, your data is an important asset for your business, and so are your employees. Implementing best practices for data security and protection will help ensure compliance with GDPR and data privacy requirements.
What business opportunity does GDPR create?
Various technology firms are looking at the GDPR challenge as an excellent business opportunity. Specifically, companies like Google, IBM and Oracle, to name just a few of the leaders, are putting their best minds together to bring out the best tools for enhanced data security and protection. Companies specialized in data, digital and business analytics are also building or enhancing software applications to detect and expose loopholes or non-compliance.
Analysts believe Artificial Intelligence will play a major role in enhancing data privacy in compliance with GDPR, an interesting space to watch.