HR tech tools can help employers comply with GDPR
Too many businesses seem to be embracing Satchel Paige’s famous admonition: “Don’t look back, something might be gaining on you.”
The General Data Protection Regulation, the European Union’s new personal data privacy rules, takes effect May 28. And, with fewer than 10% of North American firms fully prepared to comply with the regulation, according to a new survey from data governance company erwin, HR executives should be concerned.
The GDPR applies to any organization that processes personal data of citizens of the EU (including England), whether EU-based or not, and failure to comply could have hefty consequences: fines of up to 20 million euros or 4% of annual revenue, whichever is greater.
At most North American companies, the CIO drives data governance efforts, according to the erwin survey. Yet, because HR groups handle a great deal of personal data about personnel, and many U.S. companies have a global footprint, especially in the EU, HR’s participation is critical to GDPR compliance. Not surprisingly, HR technology firms see a market opportunity in providing GDPR-compliant tools and services, which may work to HR managers’ advantage, especially as the deadline looms.
The GDPR spells out data privacy practices that include detailed record-keeping, increased security measures (e.g., encryption), responsibilities regarding third-party services and mandatory data-breach notification. Some companies will need to appoint a data protection officer.
Three general areas of the GDPR apply especially to HR and employee data: consent, access, and retention. All are familiar concepts in HR, but their enforcement has been significantly juiced. “Aspects [of the GDPR], like when and when not to rely on consent and the balance between holding onto data to ensure legislative compliance and deleting it, are going to be something of a balancing act for HR teams,” according to Sue Lingard, marketing director for U.K.-based Cezanne HR Limited, which offers cloud-based, GDPR-compliant HR applications for mid-size businesses.
All this means that if an HR organization’s toolbox consists mostly of spreadsheets and Word documents, it’s time to upgrade. Just as the Y2K “bug” was a catalyst for companies to implement enterprise resource planning technology, the GDPR may goose HR organizations into making the most of the technology available to them.
It’s why vendors of human capital management (HCM) systems are promoting their multi-application, multi-featured HR tool suites as GDPR compliance solutions.
Workday, for example, touts its strict adherence to two important GDPR requirements, Privacy by Design and Privacy by Default, in the development of its application and data storage/transfer services. “Workday’s privacy team partners with product managers at the start of and throughout the development of every product … [which] enables us to create more compliant products and avoids the need to redo work to ensure that personal data is properly processed,” according to a blog on the company’s website.
For SAP, incorporating GDPR compliance into its SuccessFactors HR suite of applications has been “one of [the company’s] largest development efforts,” says Kim Lessley, director of solution management for cloud security in the SuccessFactors group. With the next general release of the suite in April, SAP will incorporate GDPR-compliance functions such as the purging of personal data (“the right to be forgotten”), logging changes to personal data, informing subjects of data stored about them, and obtaining consent for processing personal data.
Cloud-based HR services, vetted for GDPR compliance, can be a quick fix, offering relatively easy and cost-effective implementation, as well as advantageous functionality such as self-service. “Regulators recommend that, where possible, providing self-service access to personal data helps address some of the issues around visibility and accuracy,” according to Cezanne HR’s Lingard. For instance, CIPHR, a UK-based HR apps provider, says its SaaS tools let employees “access and update their own personal information via a secure self-service portal,” and help HR organizations “document when consent from employees was granted for processing personal data.”
One HR function in particular—hiring—should be scrutinized carefully for potential compliance problems, says SAP SuccessFactors’ Lessley. Hiring managers have been casting widely for data related to potential candidates, including on social media, which can get dicey in terms of consent. Also, candidate data gets passed around to various constituencies during the hiring process, making it difficult to keep track of who has had access to it and, when it needs to be purged, exactly where all copies reside.
Applicant tracking systems (ATS) and candidate relationship management (CRM) software are designed to record and store such hiring data, and they’re starting to tout their advantages in terms of the GDPR. For instance, recruiting software firm Lever describes its efforts regarding GDPR in a blog (“How is Lever supporting our customers’ GDPR compliance efforts?”), which include “adding various features to our product … [that] will assist customers in meeting their notice and consent obligations, and retention obligations.”
The GDPR’s stringent data regulations and restrictions may be landing at a bad time for many HR organizations, just as they’re realizing the advantages of extensive data mining and analytics in finding and making the most of their companies’ best possible performers. On the positive side, the GDPR will require HR executives to work more closely with their counterparts in IT on data architectures, accelerating a trend that will benefit both sides. “IT and HR used to be more siloed,” says SAP’s Lessley. “Now they have to work together.”
Finally, SAP’s Lessley offers HR managers her own admonitions concerning GDPR compliance. First, “solving the technology part is easier than the people part,” she says. Second, “it’s not a big nothing,” like the Y2K bug turned out to be: “It’s real, and [regulators] will go after companies wherever they find non-compliance.”