Fundamentally, we live in a world of data. Companies today thrive on the collection and analysis of personal data. Your name, address, debit and credit card numbers, etc. are all collected, analyzed and, most importantly, stored by various sources. In this age, we also hear about data breach incidents more and more often. Such breaches seem inevitable as information gets stolen, lost or, many times, released into the hands of people who may have malicious intent. Under the new GDPR (General Data Protection Regulation) reform, organizations will now have to ensure that personal data is gathered legally and is managed in a way that protects users from misuse and exploitation.
Hence, an era has arrived in which data compliance is on a par with legal and financial compliance in the business ecosystem. In fact, Indian companies with operations in the EU will now also have to prioritize data security compliance to ensure maximum adherence to GDPR.
Organizations will have no choice but to redefine the way they deal with data management issues, and in case of non-compliance, they will face severe penalties. In fact, GDPR is set to become even more critical for HR teams to understand and comply with. But to understand the real impact on HR, let us first understand what GDPR is all about.
The European Commission in January 2012 set out plans for reforms in the area of data protection with the intent of safeguarding privacy. After four years, an agreement was reached on how this could be enforced, and GDPR is one of the key components of this planned reform. The new regulation applies to organizations with implications for businesses and individuals across Europe and beyond.
In short, GDPR is a law on data protection and privacy for all individuals within the European Union and the European Economic Area.
This law gives citizens greater rights over their personal data, which they can access, port and delete upon request. With a solid framework for data protection, people can now control their personal information. GDPR puts the responsibility on firms with respect to how they process and manage their users' data. Apart from data such as name, address, and debit and credit card numbers, personal data also includes something like an IP address, or sensitive HR data such as genetic data and biometric data that could be processed to uniquely identify an individual.
What does GDPR mean for consumers?
Data breaches have many times led to the compromise of personal information of consumers who remain unaware of the fact. Be it a password, an email address, a UID or social security number, or confidential health records, all of these may have been exposed. One of the changes that GDPR brings in is to give consumers the right to know when their data has been hacked. Henceforth, organizations will have to notify the appropriate national bodies and consumers within 72 hours so that appropriate measures can be taken. Also, organizations may contact consumers asking if they want to be part of their database, and if not, consumers will have full freedom to get their data deleted. Organizations will now have to keep all such consumer rights in mind while managing their customers' data.
How will this affect organizations in India?
The GDPR came into effect in the EU on 25th May 2018, and the business community is seriously concerned about how the regulation will be implemented and enforced in the Indian corporate context. Basically, it applies to any organization operating within the EU, and to any organization outside the EU that offers goods or services to customers or businesses in the EU. GDPR will pose an extra challenge for domestic firms that operate in the EU. With 99 articles and 173 recitals, Indian organizations will have to comply with the stringent regulation under GDPR. As per the latest forensic data analytics survey by Ernst & Young, a mere 13% of Indian firms had planned to comply with GDPR before the deadline.
What implication does it have on HR function?
GDPR will have serious implications for the HR function, as companies will need more flexible systems for employees' data. In the case of HR data, employees will need to be made fully aware of how their data is being used. Consent is a critical pillar of GDPR. Here are five tips to keep in mind to start your data compliance journey:
- You need to be transparent with your employees about what data is being collected, for what purpose, and how that data will be used.
- Minimize the amount of data that HR collects. The more data HR teams hold, the more data protection is needed. Hence, collect only the essential information that the HR function needs. In fact, data minimization may give a better opportunity for higher-quality insights.
- It is recommended that HR maintains a single source of truth (a repository of employee data).
- Maintain a single security model and built-in audit system in the HRIS. If the current system does not give you the option to recall and permanently delete data that is no longer relevant or needed, you might need to change over to a GDPR-compliant system.
- In a stricter regulatory landscape, HR teams will have to equip themselves with training for balancing data privacy policies and the needs of the business.
In short, GDPR may help the HR function modernize HR systems through better defined, more efficient processes for handling employee data. The question that arises here is how you prepare your HR team and other functions in the organization to manage the transition. Read our next article for more insights on how HR can be better prepared.
Image Credits: NBC News