Getting your house in order for the GDPR
Rachel Sharp, May 10, 2018
As GDPR deadline day looms, it’s time for HR to take the lead, our webinar found
“It’s a mixed bag out there. Some of our clients began preparations two years ago, some one year ago, and then we’ve had some who rang us up just a couple of months back asking: ‘what is it and how do we make sure we’re ready?’”
It doesn’t take much effort to guess what Sarah Thompson, an associate at McGuireWoods London, is referring to. She was speaking at HR magazine’s recent webinar ‘GDPR: What HR needs to know’, held in partnership with Sage Business Cloud People, on a topic currently at the top of the agenda for HR directors and businesses alike.
These anecdotal accounts about the introduction of the General Data Protection Regulation (GDPR) aren’t uncommon. So it comes as little surprise that only 14% of respondents to a poll taken during the webinar said that their organisations are very prepared for its launch. As the clock ticks down to deadline day on 25 May, 18% have limited awareness and 6% feel their organisations are not prepared at all, according to the poll.
Clearly there is still work to be done. And, as the function responsible for holding swathes of employee data, HR needs to get up to speed. It was this challenge that speakers at the webinar set out to address.
Building cultures of data compliance
One of the most crucial actions for HR is to create cultures of data security and compliance at their businesses, the panel agreed.
For Graham Jennings, data compliance manager at London Business School, there are four areas to address.
These are “implementing technology to support HR activities, training staff so they know what it means to be compliant, putting the right processes and documents in place for accountability, and, with the data itself, holding on to it for the right amount of time,” he advised. “Get these four aspects right and the organisation will be compliant.”
The last of these, retention, brings particular complications, the panel agreed, with HR needing to strike a balance between the right of former employees to have their data removed and HR’s responsibility to protect the business from future risk.
“Yes we should set limits on how long we keep certain pieces of information after an employee leaves. But certain employee data like names, start dates and reasons for leaving are critical for HR to keep hold of in the event a former employee takes up a future tribunal or legal proceedings against the company,” commented Jake Attfield, HR director at T-Systems.
Thompson agreed that while “any employee can ask for their data to be deleted when they leave […] HR can say no”.
HR should implement a policy with a suitable time period for keeping employee data, Jennings suggested, “but, ultimately, it must be approached on a case-by-case basis”.
Complexity around an employee’s ‘right to be forgotten’ wasn’t the only obstacle the panel warned of. “Applying the GDPR to all the different legacy systems a business has is one of the biggest challenges,” said Paul Burrin, VP at Sage Business Cloud People.
“The issue is there’s so much data […]. Not all of it falls within HR’s domain but that doesn’t mean HR doesn’t need to get a handle on it.”
The audience poll highlighted further challenges; almost two-thirds (65%) cited HR skillsets as the biggest obstacle to GDPR-readiness.
Taking the lead
While the panel stressed the many difficulties the GDPR presents to HR and the wider business, they agreed that it should also be seen as an opportunity for HR.
“HR can take the lead on this,” said Thompson. “After all, every business has employee data but not every business has customer data.” Jennings agreed, calling on HR to “lead by example” and “get its house in order”.
Burrin advised that a dedicated data protection officer (DPO) be appointed to lead on this, with HR and other functions shouldering some responsibility. Importantly, it should “be clear who owns what”, he said.
The speakers debated whether it was a good idea for an HR leader to be appointed as DPO. The regulation stipulates that the DPO can’t be in a position of conflict of interest, advised Thompson. The employee’s existing role must be compatible with the DPO role, she said; so long as this criterion is met there is the possibility that HR can take ownership here.
While the GDPR presents an opportunity for HR to take the lead, the function shouldn’t act alone but needs to collaborate with other departments across the business to ensure the wider workforce is compliant, the panel agreed.
“It has to be a coordinated approach across the business,” said Attfield. “This isn’t just an HR problem or a marketing problem, it’s a business-wide problem.”
A holistic approach should be taken, with HR partnering with functions including legal, IT and marketing, agreed Thompson. The audience poll concurred, with IT (26%), risk/legal (23%), finance (18%), head office (17%), and marketing (16%) all scoring highly as functions it is most vital for HR to cooperate with on the GDPR rollout.
Incentivise or punish?
The panel also explored HR’s role in incentivising compliance among employees or potentially taking a more disciplinary, sanctions-focused approach.
“HR can roll out e-learning to train employees across the business about data protection, introduce incentives for good practice, and enforce sanctions on employees that breach the regulations,” said Jennings.
The GDPR could also prove an opportunity to boost employee engagement, by reaching out to the workforce around data collection and how certain data is used within the business, commented Attfield.
“For example, diversity and inclusion data is not mandatory for employees to provide at the moment. We can use the GDPR to engage employees around areas like this, giving us useful data to act on in the future.”
He added: “It’s not all bad news […] we shouldn’t just look at it as additional regulation that slows down the business.”
A recording of the webinar is available for those who missed the live event.