How can HR adapt to the GDPR?

15 jul 2019

6 min

How can HR adapt to the GDPR?

In the past decade, the data revolution has placed HR at the forefront of business strategy, giving it advanced tools for talent management, resource allocation and strategic planning. At the same time, it has opened up a treasure chest of valuable personal data, creating a massive responsibility to handle this data responsibly.

In the highly unlikely scenario that you haven’t yet heard about the EU’s new General Data Protection Regulation (GDPR) it is, above all, a set of laws aimed at ensuring more data privacy and protection for EU citizens.

Since it came into effect on the 25th of May 2018, it has caused considerable controversy, with strongly divided opinions on its usefulness. Giants such as Google are worried about excessive regulatory burden, while others predict it will drastically boost marketing and sales.

In either scenario, the new regulations are likely to have transform the nature of many HR practices. But, before delving deeper into this debate, it is important to understand what the GDPR is and isn’t.

A quick overview of the GDPR

The GDPR gives EU citizens more control over how their data is used. It does that by on the one hand offering users new rights, while on the other imposing more stringent checks and limits on organizations that collect or handle personal user data.

Though the law applies to the entire EU, it extends far beyond: any organization that offers goods or services to EU residents — think of American or Asian companies such as Google, Facebook or AliExpress — will have to deal with the GDPR. That’s why the GDPR is sometimes also referred to as a de facto “world regulation”.

According to the European Commission’s press release, the law was finalized after four long years of painstaking negotiations and a record number of 3,999 amendments.

source: GDPR infographic by Workday

The law was finalized after four long years and a record number of 3,999 amendments.

Here’s a quick breakdown of the main changes it brings:

  • The right to be forgotten. Every EU citizen can now ask companies like Facebook and Twitter to delete their account and all associated personal data, if they satisfy a set of specific conditions. Additionally, they can request the company to provide all the personal data they have stored from the very beginning in a standard format.

Companies are legally obliged to provide this information, and, in case of non-compliance, may face fines of up to €20 million, or 4% of their worldwide annual revenue — whichever is higher.

  • The right to consent or object to data collection.

  • Children under the age of sixteen (potential intern applicants) will need their parents consent before accessing social media platforms or applying to job vacancies.

  • Data can no longer be made available publicly without explicit consent from users, and personal data may not be processed unless it is done under a lawful basis specified by the regulation, or the data controller or processor has received opt-in consent from the data’s owner—which may be withdrawn at any time.

  • An obligatory Data Protection Impact Analysis (or DPIA) must be carried out. The aim of this analysis is to help identify and minimize privacy risks associated with the company’s data processing activities.

The four focal points for HR

Considering these changes, it goes without saying that the new law will significantly impact companies across the spectrum and transform the very nature of many HR practices. From talent acquisition, to handling current employee records in databases, to providing data-protection training to employees — the challenges to companies and HR departments posed by the new law are myriad.

For instance, any individual in the EU who applies to a job or opts in to a company’s talent network is subject to GDPR protections. Cookies, for example — which are already strongly controlled in the EU — are subject to even more far-reaching compliance checks, as are tracking pixels (an important part of current career site activity monitoring).

Any individual in the EU who applies to a job or opts in to a company’s talent network is subject to GDPR protections.

But beyond online tracking, there are four components of the GDPR that are especially important for HR professionals to understand and adjust to:

1. Information transparency and consent

With the new rights provided by the GDPR, it is essential that companies are fully transparent and obtain consent where necessary. Gone are the days of spamming potential customers or clients’ inboxes. Technologies like CRMs and recruitment marketing platforms that capture personal data will need to send out consent forms to meet the requirements of the GDPR, while also reflecting the company’s culture. Organizations should therefore make a list of any public forms or language relevant to personal data capture as soon as possible, and ensure that each is updated to be GDPR-compliant.

2. Data inventory and mapping

Under GDPR requirements, companies are obliged to be aware of where all personal data (from candidates, applicants, talent community, etc.) is stored. But it isn’t always easy to have the oversight to know where various servers are located, which software handles which data, and how the data is being used. That’s why companies should consider investing in technologies that offer a centralized system of record for both applicants and candidates (and stop using individual Excel spreadsheets and lists).

Similarly, creating a database rule (e.g. a workflow in your CRM) to trigger candidates to opt in again or update their data after a certain period of time is probably a good idea.

Last but not least, companies should regularly check for bounced email addresses to remove from their CRM.

3. Data accuracy, retention, and destruction

But GDPR-compliance extends beyond internal company processes. It is vital to ensure that candidates who opt out are automatically removed from any workflows or automated campaigns. This is difficult to achieve when data is stored in different places, which is why one centralized, connected system is advisable.

Beyond the opt-out clause, companies subject to the GDPR are also responsible for the data they resell or pass on to other organizations. This is especially relevant considering that, over the past years, the talent acquisition industry has been experiencing the rapid fusioning of marketing and recruiting, leading to the increased popularity of “recruitment marketing”.

The essence of recruitment marketing involves data collection and processing to better understand the customer profile and communicate the employer brand. This is mainly achieved through the use of recruitment marketing platforms— essentially software that centralizes the operations of all marketing campaigns, providing easily trackable and measurable results along the way.

Considering that marketing practices will continue shaping the way recruitment is carried out in the years and decades to come, it is all the more important that companies involved in recruitment marketing understand how the GDPR might impact the way they attract, hire and retain talent.

4. Security

Last but not least, under GDPR, companies must carry out a Data Protection Impact Analysis (or DPIA) before implementing their overall GDPR plan. The goal of this analysis is to help identify and minimize privacy risks associated with the company’s data processing activities.

In case of a data breach, companies are required to notify the affected parties within 72 hours.

For clues about the format of the DPIA, companies should look to trade associations and trusted partners for best practices, but some common security issues include: physical security, IT systems, use of unencrypted emails, use of portals, poor password management, poor controls over mobile devices, and security of remote access/VPN.

In case of a data breach, companies are required to notify the affected parties within 72 hours. That’s why HR teams should formalize a communications plan for their database so that they’re prepared and, consequently, can avoid fines. This is a simple matter of drawing up a legally-reviewed email template that can immediately be sent out if a breach should occur.

Turning GDPR into an opportunity for HR

With all this talk of regulation and compliance, it is easy to overlook the immense positive change the GDPR could provide to outdated HR systems.

Companies should view the new law as an opportunity to modernise their HR systems, and the business case of doing so is obvious. The GDPR could lead to better defined, more efficient processes for the handling of employee data, which in turn would lead to greater transparency and trust among employees.

Moreover, having less —but better— data is likely to lead to more accurate insights.

Last but not least, the respect for privacy will enhance the employer brand (of course, this is assuming that employees actually care about having their data secured and protected).

Indeed, most companies today have employee data spread out across different platforms (difficult to track), and use multiple security modules to access employee data (difficult to keep harmonized and updated). In the end, this leads to multiple, disconnected business cases.

But, with the GDPR looming on the horizon earlier this year, forward-looking companies started to invest in a single system for HR, offering full tracking and auditing, a single database for employee data, and a single security module. The expectation is that this will improve insight, drive engagement, and improve the overall candidate experience. Contrary to today’s mass messaging system — which relies on scale to generate engagement — the GDPR forces HR professionals to think carefully about how, when and why they communicate to their database. The hope, therefore, is that this centralized system will create a more streamlined business case, and, most importantly, better GDPR-compliance.

Instead of seeing the GDPR only as a burdensome, labour-intensive and expensive reform, it can therefore just as easily be viewed as an opportunity for HR to clean up databases and centralize candidate datainto one single system.

Doing this is likely to pay off in the future, both in terms of increasing trust among employees and customers, as well as boosting productivity and efficiency.

At a time when employee happiness and office culture are in the spotlight, the GDPR gives HR professionals a strong incentive to think about how to better organize processes and systems around data privacy.

Against all odds, it might actually trigger a real wave of HR innovation.

Illustration: Marcel Singe

Las temáticas de este artículo