Ongoing stories about data breaches have haunted Human Resource (HR) professionals for some time, due to the sensitive nature of the information that they hold on file. A breach could disclose personal data about employees past and present, from medical records to salary information. But now, crucially, it could also result in crippling fines with a shake-up of data regulations becoming enforceable in less than a year.
The General Data Protection Regulation (GDPR) is the most significant change to data protection laws in nearly 20 years. The new regulations are therefore forcing HR professionals to think carefully about their data processes, ensure that they treat personal data correctly and plug any gaps in compliance.
Yes, this might be a stressful and difficult process, but surely it’s one that can help organisations to build a healthier relationship with their employees. The process of auditing data and assessing how it is stored could, for example, help identify new opportunities such as unused skills among existing staff, or pinpoint training requirements. Could GDPR in fact become a secret weapon for HR?
Understanding the changes
The new rules are coming into force to address widespread worries about how businesses store personal information. People are increasingly concerned about the personal data they share online, where it goes and what’s done with it. In fact, a survey by the Information Commissioner’s Office, the UK’s independent data protection regulator, shows that only one in four people trust businesses with their personal information.
Worryingly, the department that’s often tasked with leading the deployment of measures related to data protection – IT – is equally concerned. Research by Kaspersky Lab into how IT departments are approaching GDPR found that most IT decision makers surveyed (64%) say they are worried about how many organisations have access to their personal information.
For HR practitioners, the regulations mean changes that will directly impact their day-to-day work by greatly expanding employer obligations to their current staff, as well as to prospective employees in terms of the information they supply during the recruitment process. In reality, this means that there will need to be more emphasis on getting consent from employees about the storage of their personal data, and better communication about how that data will be used within the company.
There will be much tighter standards on the nature of data that employers can retain and for how long, meaning that the retention periods for records, such as personal financial information, addresses and contact data, will need to be identified, monitored and accurately recorded.
Another area that will require changes relates to the data of former employees. Businesses are likely to want to keep information about former employees, at least in the short term, to help in the defence of any employment claims. But the regulations will provide new rights to staff, including the ‘right to be forgotten’.
Ultimately, for most organisations there won’t need to be many drastic changes. There will, however, need to be formalised processes for the collection of staff data and the storage of that information. Organisations should know exactly what data is saved where, and be more open about how it is being used. However, the flip side of all this work in implementing better processes is that there is also an opportunity for companies to make more effective use of the data available to them.
Leading by example
Abdicating responsibility for GDPR preparations to other departments, such as risk management and IT, is a risky approach for the HR department because losing influence over how an organisation responds to the new rules could have implications for how they do their job.
Luckily, HR leaders are already experienced in dealing with large volumes of personal data, such as banking and contact details, and they can help steer other departments on the path to embracing GDPR as a catalyst for positive change.
GDPR will undoubtedly trigger new policies but those changes won’t happen on their own. Employees will need to be educated and trained, and HR is ideally placed to oversee that process, having already got the experience of implementing company-wide policies and procedures. Data protection practices including employment contracts, staff handbooks and employee policies will need to be reviewed.
HR can play a critical role in helping staff to understand their new rights with regard to personal data and ensure that new policies are adhered to, particularly when new employees are trained as part of an onboarding process.
Developing a data culture
Data is invading every part of enterprises and, as it does, organisations are looking to uncover all opportunities where data can add insight into business operations. As a result, every job role is impacted and everything from call records to customer interactions is under scrutiny.
In this context, GDPR is the perfect opportunity for HR professionals to play a unique role in creating a culture of good data practice. The HR function can be used as a launchpad to embed changes within the fabric of the business and the minds of employees, enhancing employee knowledge by driving a better understanding of data privacy.
GDPR comes into effect on May 25, 2018 and the UK government has confirmed that the regulations will apply in the UK as it will still be a member of the EU at that time. This gives HR leaders just under a year to prepare for the new regulations to take effect. Teams will need to very carefully assess their current processes and procedures to ensure they are ready for these demanding, yet empowering, new requirements.
A critical first step is to recognise the pivotal role HR must play in creating a GDPR-compliant environment, ensuring employees understand their role and the repercussions of failure to meet the new obligations. If teams get it right, GDPR can indeed become the secret weapon that will help put HR professionals at the heart of the data debate.