The data that HR departments work with comes in all shapes and sizes, and from many different systems and sources – from paper documents to emails and online forms. Ongoing stories about data breaches have haunted HR professionals for some time because of the sensitive nature of the information they hold on file. A breach could disclose personal data about employees past and present.
However, the General Data Protection Regulation (GDPR) implementation deadline – just six months away – will offer an improved way of working for HR. By forcing HR professionals to think carefully about their data processes, treat personal data correctly and plug any gaps in compliance, the regulation will help organisations build healthier relationships with their employees. In addition, the process of auditing data and assessing how it is stored could help identify new opportunities, such as unused skills among existing staff, or pinpoint training requirements.
Understanding the changes
The new rules will address widespread worries about how organisations store personal information. People are becoming increasingly concerned about the personal data they share online, where it goes and what’s done with it.
For HR practitioners, the regulations mean changes that will directly affect their day-to-day work, by greatly expanding employer obligations to their current staff, as well as to prospective employees in terms of the information they supply during the recruitment process. There will be much tighter standards on the nature of data that employers can retain and for how long, meaning that the retention periods for records (such as personal financial information, addresses and contact data) will need to be identified, monitored and accurately recorded.
Another area that will require changes is the data of former employees. Organisations are likely to want to keep information about them, at least in the short term, to help in the defence of any employment claims. But the regulations will provide new rights to staff, including the ‘right to be forgotten’.
Most companies won’t need to make any drastic changes to their existing processes. But there will need to be formalised processes for the collection of staff data and the storage of that information.
Leading by example
Abdicating responsibility for GDPR preparations to other departments, such as risk management and IT, is a risky approach for the HR department. Luckily, HR leaders are already experienced in dealing with large volumes of personal data, such as banking and contact details, and they can help steer other departments on the path to embracing the GDPR as a catalyst for positive change.
The GDPR will undoubtedly trigger new policies, but those changes won’t happen on their own. Employees will need to be educated and trained, and HR is ideally placed to oversee that process, having already gained the experience of implementing company-wide policies and procedures. Data protection practices, including those in employment contracts, staff handbooks and employee policies, will all need to be reviewed.
Developing a data culture
Data is reaching into every part of the enterprise and, as it does, organisations are looking for every opportunity where data can add insight to business operations. In this context, the GDPR is the perfect opportunity for HR professionals to create a culture of good data practice.
A critical first step is to recognise the pivotal role HR must play in cultivating a GDPR-compliant environment, ensuring employees understand their role and the repercussions of failure to meet the new obligations. If teams get it right, the GDPR can become the secret weapon that will help put HR professionals at the heart of the data debate.
Adam Maskatiya is UK and Ireland general manager at Kaspersky Lab